    Setup LetsEncrypt Certbot with CloudFlare DNS authentication (Ubuntu)

    IT Discussion
    nginx lets encrypt cloudflare certbot dns ubuntu 18.04
    • dbeato

      This guide assumes you have an Nginx SSL Proxy as the tutorial of @JaredBusch below:
      https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

      Now that you have his configuration, see below.

      First you need to add the certbot repository

      sudo add-apt-repository ppa:certbot/certbot
      

      Then you install the software-properties-common package

      sudo apt install software-properties-common
      

      Update the repositories

      sudo apt update
      

      Install the Certbot for Nginx

      sudo apt-get install python-certbot-nginx
      

      Install the Python-Pip package

      sudo apt install python-pip
      

      Install the Pip Module for Certbot-dns-cloudflare

      sudo pip install certbot-dns-cloudflare
      

      Get your CloudFlare API key
      https://support.cloudflare.com/hc/en-us/articles/200167836-Where-do-I-find-my-Cloudflare-API-key-

      Then set up a secrets file with your key in whichever path you want; I chose the /root/.secrets folder:

      sudo mkdir /root/.secrets
      sudo chmod 0700 /root/.secrets/
      sudo touch /root/.secrets/cloudflare.cfg
      sudo chmod 0400 /root/.secrets/cloudflare.cfg
      

      Edit the /root/.secrets/cloudflare.cfg by using nano

      sudo nano /root/.secrets/cloudflare.cfg
      

      Edit the file and enter your CloudFlare email and your API key as below:

      dns_cloudflare_email = "[email protected]"
      dns_cloudflare_api_key = "2018c330b45f4ghytr420eaf66b49c5cabie4"
      

      Request a single, SAN or wildcard SSL certificate from Cloudflare as below (the credentials path must match the file created above):

      sudo /usr/local/bin/certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.cfg -d domain.com,*.domain.com --preferred-challenges dns-01
      

      Results should be as below

      Then I added a cronjob as below

      14 5 * * * /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
      

      Then I manually added the SSL configuration to the Nginx configuration file

      sudo nano /etc/nginx/conf.d/domain.conf
      

      Added this section

      listen 443 ssl; # managed by Certbot
      ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
      include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


      Check your configuration

      sudo nginx -t
      

      Reload Nginx

      sudo nginx -s reload
      
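      As an added example (not part of dbeato's post), a small POSIX shell check you can run before calling certbot: it catches the two mistakes this setup is prone to, a credentials file that is readable by other users and a missing or empty dns_cloudflare_email / dns_cloudflare_api_key entry. The function name check_cf_credentials is my own.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_cf_credentials FILE
#   Validates a certbot-dns-cloudflare credentials file in the
#   "key = value" format shown in the guide. Returns 0 when the file
#   exists, is mode 0400 or 0600, and both required keys have a value;
#   otherwise prints each problem found and returns 1.
check_cf_credentials() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing credentials file: $f"
        return 1
    fi
    # GNU stat first (Linux), BSD stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) ;;
        *) echo "permissions $mode too open on $f (want 0400 or 0600)"; rc=1 ;;
    esac
    for key in dns_cloudflare_email dns_cloudflare_api_key; do
        # take the text after "key =", drop quotes and spaces
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" \
              | tr -d '" ')
        if [ -z "$val" ]; then
            echo "$key missing or empty in $f"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_cf.sh /root/.secrets/cloudflare.cfg
[ $# -eq 0 ] || check_cf_credentials "$1"
```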
      • black3dynamite

        Nice!

        • Alex Sage

          Nice Guide!

          I did this all and automated it for LXQ

          • aboka

            Hi, thanks for sharing this guide. I would like to ask, what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.

            • JaredBusch @aboka

              @aboka today, you should use DNS based auth if you can. CloudFlare DNS supports that.

              • scottalanmiller @aboka

                @aboka said in Setup LetsEncrypt Certbot with CloudFlare DNS authentication (Ubuntu):

                Hi, thanks for sharing this guide. I would like to ask, what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.

                There are certbot options to use the running server (Nginx in this case). But I agree with Jared, better to use DNS.
