Setup LetsEncrypt Certbot with Cloudflare DNS authentication (Ubuntu)



  • This guide assumes you have an Nginx SSL proxy as in the tutorial by @JaredBusch below:
    https://mangolassi.it/topic/16651/install-nginx-as-a-reverse-proxy-on-fedora-27

    Now that you have his configuration, see below.

    First you need to add the certbot repository

    sudo add-apt-repository ppa:certbot/certbot
    

    Then you install the software-properties-common package

    sudo apt install software-properties-common
    

    Update the repositories

    sudo apt update
    

    Install the Certbot for Nginx

    sudo apt-get install python-certbot-nginx
    

    Install the Python-Pip package

    sudo apt install python-pip
    

    Install the Pip Module for Certbot-dns-cloudflare

    sudo pip install certbot-dns-cloudflare
    

    Get your CloudFlare API key
    https://support.cloudflare.com/hc/en-us/articles/200167836-Where-do-I-find-my-Cloudflare-API-key-

    Then set up a secret file with your key in whichever path you want; I chose the /root/.secrets folder:

    sudo mkdir /root/.secrets
    sudo chmod 0700 /root/.secrets/
    sudo touch /root/.secrets/cloudflare.cfg
    sudo chmod 0400 /root/.secrets/cloudflare.cfg
    

    Edit the /root/.secrets/cloudflare.cfg by using nano

    sudo nano /root/.secrets/cloudflare.cfg
    

    Edit the file and enter your CloudFlare Email and your API key as below

    dns_cloudflare_email = "[email protected]"
    dns_cloudflare_api_key = "2018c330b45f4ghytr420eaf66b49c5cabie4"
    

    Request a single, SAN or wildcard SSL Certificate from Cloudflare as below

    sudo /usr/local/bin/certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.cfg -d domain.com,*.domain.com --preferred-challenges dns-01
    

    Results should be as below:
    [screenshot of the certbot output]

    Then I added a cronjob as below

    14 5 * * * /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
    

    Then I manually added the SSL configuration to the Nginx configuration file

    sudo nano /etc/nginx/conf.d/domain.conf
    

    Added this section

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    

    Check your configuration

    sudo nginx -t
    

    Reload Nginx

    sudo nginx -s reload
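The steps above create the credentials file by hand and then reference it under a different name in the certbot command. The script below is an added example, not code from this post: it creates the secrets directory and credentials file with owner-only permissions, verifies the file before use (a group- or world-readable API key is the main thing to guard here), and builds the certonly command from the same path variable so the two cannot drift apart. The directory, file name, variable names and the example domains are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post: create and verify the
# Cloudflare credentials file for certbot's dns-cloudflare plugin, then
# build the certonly command that references the same file. Paths, the
# variable names and the domains are assumptions for illustration.

SECRETS_DIR="${SECRETS_DIR:-/root/.secrets}"
CRED_FILE="${CRED_FILE:-$SECRETS_DIR/cloudflare.ini}"

# write_credentials DIR FILE EMAIL API_KEY
# Creates DIR (0700) and FILE (0400) holding the two keys the plugin reads.
# Callers should pass the key from an environment variable or a file, not
# as a literal typed on an interactive command line (shell history).
write_credentials() {
    dir=$1; file=$2; email=$3; key=$4
    [ -n "$email" ] && [ -n "$key" ] || return 1
    umask 077                              # anything created below is owner-only
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    [ -e "$file" ] && chmod 0600 "$file"   # allow rewriting an existing 0400 file
    printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
        "$email" "$key" > "$file" || return 1
    chmod 0400 "$file"
}

# check_credentials FILE
# Returns 1 if the file is missing, 2 if group/other have any permission
# bit set (columns 5-10 of 'ls -l'), 3 if either required key is absent.
check_credentials() {
    file=$1
    [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "insecure permissions on $file (expected owner-only)" >&2
        return 2
    fi
    grep -q '^dns_cloudflare_email *=' "$file" &&
        grep -q '^dns_cloudflare_api_key *=' "$file" ||
        { echo "$file lacks dns_cloudflare_email/dns_cloudflare_api_key" >&2; return 3; }
}

# certbot_cmd CRED_FILE DOMAIN...
# Prints the certonly invocation; one -d per name, wildcard names allowed.
certbot_cmd() {
    file=$1; shift
    domains=""
    for d in "$@"; do domains="$domains -d $d"; done
    printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s --preferred-challenges dns-01%s\n' \
        "$file" "$domains"
}

# Assumed interactive use:
#   CF_EMAIL=you@example.com CF_API_KEY=... sh cloudflare-setup.sh run domain.com '*.domain.com'
if [ "${1:-}" = run ]; then
    shift
    write_credentials "$SECRETS_DIR" "$CRED_FILE" "$CF_EMAIL" "$CF_API_KEY" || exit 1
    check_credentials "$CRED_FILE" || exit 1
    echo "Run as root: $(certbot_cmd "$CRED_FILE" "$@")"
fi
```

The permission check is the part worth keeping even if you create the file by hand: the plugin itself only warns when the credentials file is readable by others, so the check here refuses to proceed instead.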
    


  • Nice!



  • Nice Guide!

    I did this all and automated it for LXQ



  • Hi, thanks for sharing this guide. I would like to ask: what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.



  • @aboka today, you should use DNS-based auth if you can. Cloudflare DNS supports that.



  • @aboka said in Setup LetsEncrypt Certbot with Cloudflare DNS authentication (Ubuntu):

    Hi, thanks for sharing this guide. I would like to ask: what port does ppa:certbot use? I'm running nginx and it's already using 80 & 443. I need to find a way to renew the cert when using Cloudflare, as the common way (certbot renew) will not work. Thank you.

    There are certbot options to use the running server (Nginx in this case). But I agree with Jared, better to use DNS.
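The renewal question in the replies above has a concrete answer: a certificate issued with the dns-cloudflare plugin records that plugin in its renewal configuration, so a later `certbot renew` repeats the DNS challenge and never needs port 80 or 443. The wrapper below is an added example, not code from the thread or from the certbot project: it checks a renewal conf for the DNS authenticator, builds the renew command with a deploy hook, and makes the hook reload nginx only after `nginx -t` passes. The binary paths, the renewal conf layout used in the check, and the script name in the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a renewal wrapper for certificates
# obtained with the dns-cloudflare plugin. Renewal via dns-01 needs no
# inbound port, so nginx keeps 80 and 443. Binary paths and the renewal
# conf path are assumptions (the certbot path follows the guide above).

CERTBOT="${CERTBOT:-/usr/local/bin/certbot}"
NGINX="${NGINX:-/usr/sbin/nginx}"

# uses_dns_authenticator RENEWAL_CONF
# certbot records the plugin used at issue time in
# /etc/letsencrypt/renewal/<cert name>.conf; when it says dns-cloudflare,
# 'certbot renew' repeats the DNS challenge and does not touch port 80.
uses_dns_authenticator() {
    grep -q '^authenticator *= *dns-cloudflare' "$1"
}

# build_renew_cmd HOOK [dry]
# Prints the renew command. The plugin and credentials path come from the
# renewal conf, so no --dns-cloudflare flags are repeated here.
# --deploy-hook runs only when a certificate was actually renewed;
# --dry-run exercises the whole renewal against the staging environment.
build_renew_cmd() {
    hook=$1; mode=${2:-real}
    cmd="$CERTBOT renew --quiet --deploy-hook \"$hook\""
    [ "$mode" = dry ] && cmd="$cmd --dry-run"
    printf '%s\n' "$cmd"
}

# reload_if_valid TEST_CMD RELOAD_CMD
# Deploy hook body: reload nginx only after its configuration parses, so a
# broken vhost edit cannot take the running server down during renewal.
# Returns 0 on reload, 1 when the test failed and the reload was skipped.
reload_if_valid() {
    if $1; then
        $2
    else
        echo "nginx config test failed; reload skipped" >&2
        return 1
    fi
}

# Assumed use from cron, in place of the guide's entry:
#   14 5 * * * /usr/local/sbin/certbot-renew.sh renew >/dev/null 2>&1
# certbot then calls this same script with "hook" after a real renewal.
case "${1:-}" in
    hook)  reload_if_valid "$NGINX -t" "$NGINX -s reload" ;;
    renew) eval "$(build_renew_cmd "$0 hook")" ;;
    dry)   eval "$(build_renew_cmd "$0 hook" dry)" ;;
esac
```

Run the `dry` mode once after setting this up: it proves the stored credentials path still works and that the Cloudflare API key has not been rotated out from under the renewal job, without consuming a real issuance.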