Setup LetsEncrypt Certbot with CloudFlare DNS authentication (Ubuntu)
-
This guide assumes you have an Nginx SSL proxy as in the tutorial by @JaredBusch below:
https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

Now that you have his configuration, see below.

First you need to add the certbot repository

```
sudo add-apt-repository ppa:certbot/certbot
```

Then you install the software-properties-common package

```
sudo apt install software-properties-common
```

Update the repositories

```
sudo apt update
```

Install the Certbot for Nginx

```
sudo apt-get install python-certbot-nginx
```

Install the Python-Pip package

```
sudo apt install python-pip
```

Install the Pip module for certbot-dns-cloudflare

```
sudo pip install certbot-dns-cloudflare
```

Get your CloudFlare API key
https://support.cloudflare.com/hc/en-us/articles/200167836-Where-do-I-find-my-Cloudflare-API-key-

Then set up a secret file with your key on whichever path you want; I chose the /root/.secrets folder.

```
sudo mkdir /root/.secrets
sudo chmod 0700 /root/.secrets/
sudo touch /root/.secrets/cloudflare.cfg
sudo chmod 0400 /root/.secrets/cloudflare.cfg
```

Edit /root/.secrets/cloudflare.cfg using nano

```
sudo nano /root/.secrets/cloudflare.cfg
```

Edit the file and enter your CloudFlare email and your API key as below

```
dns_cloudflare_email = "[email protected]"
dns_cloudflare_api_key = "2018c330b45f4ghytr420eaf66b49c5cabie4"
```

Request a single, SAN or wildcard SSL certificate from Cloudflare as below (the credentials path must match the file created above)

```
sudo /usr/local/bin/certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.cfg -d domain.com,*.domain.com --preferred-challenges dns-01
```

Results should be as below

Then I added a cronjob as below

```
14 5 * * * /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
```

Then I manually added the SSL configuration to the Nginx configuration file

```
sudo nano /etc/nginx/conf.d/domain.conf
```

Added this section

```
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
```

Check your configuration

```
sudo nginx -t
```

Reload Nginx
```
sudo nginx -s reload
```
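The guide above relies on two things that are easy to get wrong silently: the credentials file must stay readable only by its owner (the post sets 0400; certbot-dns-cloudflare only warns about unsafe permissions, it does not refuse to run), and the path passed to `--dns-cloudflare-credentials` must point at a file that actually contains the `dns_cloudflare_*` settings. The following pre-flight check is an added example and not part of the original post; it assumes the file location from the guide (`/root/.secrets/cloudflare.cfg`), GNU `stat` as shipped with Ubuntu (with a BSD fallback), and the function names are my own. It also accepts a scoped `dns_cloudflare_api_token`, which certbot-dns-cloudflare supports as an alternative to the email plus Global API Key pair and which can be limited to DNS edit rights on the zone instead of full account access.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# certbot-dns-cloudflare credentials file before running certbot or the cron job.
# Assumes the guide's file layout; works with GNU stat (Ubuntu) or BSD stat.

# Return 0 if the credentials file is readable by its owner only (mode 0400 or 0600).
check_creds_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if the file carries either a scoped API token or the legacy
# email + Global API Key pair; otherwise certbot has nothing to authenticate with.
check_creds_keys() {
    f=$1
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f"; then
        return 0
    fi
    grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$f" &&
    grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"
}

# Combined check to run before `certbot certonly` or from the renewal cron job.
# Exit codes: 1 missing file, 2 bad permissions, 3 missing settings.
check_cloudflare_creds() {
    f=${1:-/root/.secrets/cloudflare.cfg}
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    check_creds_mode "$f" || { echo "$f must be mode 0400 or 0600" >&2; return 2; }
    check_creds_keys "$f" || { echo "$f lacks dns_cloudflare_* settings" >&2; return 3; }
    return 0
}

# Usage (hypothetical wrapper for the cron line in the guide):
#   check_cloudflare_creds /root/.secrets/cloudflare.cfg && \
#     /usr/local/bin/certbot renew --quiet --deploy-hook "nginx -t && nginx -s reload"
```

Two notes on the cron line from the guide: `--post-hook` runs after every `certbot renew` invocation whether or not a certificate was actually renewed, while `--deploy-hook` runs only when one was, so the latter avoids a daily reload for nothing; and running `nginx -t` before the reload means a broken config file is reported instead of being loaded.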
-
Nice!
-
Nice Guide!
I did this all and automated it for LXQ
-
Hi, thanks for sharing this guide. I would like to ask: what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.
-
@aboka today, you should use DNS based auth if you can. CloudFlare DNS supports that.
-
@aboka said in Setup LetsEncrypt Certbot with CloudFlare DNS authentication (Ubuntu):
> Hi, thanks for sharing this guide. I would like to ask: what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.

There are certbot options to use the running server (Nginx in this case). But I agree with Jared; better to use DNS.