Setup Certbot with Auto Renewal for Cloudflare

  1. Navigate to Cloudflare -> My Profile -> API Tokens -> Create Token You only need to select the following permissions
Diagram
  1. On your server, install certbot and DNS plugin for Cloudflare
apt update
apt install certbot -y
  1. Install DNS plugin for Cloudflare
apt install python3-certbot-dns-cloudflare -y
  1. Create ini file with api key and secret
nano /etc/letsencrypt/cloudflare.ini
  1. Add api key and secret created in step 1
dns_cloudflare_api_token = <api key>
  1. Save the file and update permissions
chmod 600 /etc/letsencrypt/cloudflare.ini
  1. Generate certificate using certbot with DNS plugin for Cloudflare
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d <domain.com> -d <\*.domain.com>

Results:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain.com>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/<domain.com>/privkey.pem
  1. Validate certificate and dns update with dry run (this will not create a new certificate or update dns)
certbot renew --dry-run

Results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<domain.com>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for <domain.com> and <*.domain.com>
Waiting 10 seconds for DNS changes to propagate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/<domain.com>/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1. Reload nginx to apply new certificate (optional)
systemctl reload nginx
  1. Validate certbot timer
systemctl list-timers | grep certbot

Results:

Tue 2024-11-05 02:22:10 UTC      3h 21min Mon 2024-11-04 17:16:51 UTC  5h 43min ago certbot.timer                  certbot.service

Was this page helpful?