Setup Certbot with Auto Renewal for Cloudflare

  1. Navigate to Cloudflare -> My Profile -> API Tokens -> Create Token. You only need to select the permissions shown in the image below.
[image: required API token permissions]
  1. On your server, install certbot
apt update
apt install certbot -y
  1. Install the DNS plugin for Cloudflare
apt install python3-certbot-dns-cloudflare -y
  1. Create an ini file for the API token
nano /etc/letsencrypt/cloudflare.ini
  1. Add the API token created in step 1
dns_cloudflare_api_token = <api token>
  1. Save the file and restrict its permissions so only root can read the token
chmod 600 /etc/letsencrypt/cloudflare.ini
  1. Generate the certificate using certbot with the DNS plugin for Cloudflare (quote the wildcard name so the shell does not expand the asterisk)
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d <domain.com> -d '*.<domain.com>'

Results:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain.com>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/<domain.com>/privkey.pem
  1. Validate the certificate and DNS update with a dry run (this does not issue a new certificate or change DNS records)
certbot renew --dry-run

Results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<domain.com>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for <domain.com> and <*.domain.com>
Waiting 10 seconds for DNS changes to propagate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/<domain.com>/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1. Reload nginx to apply the new certificate (optional)
systemctl reload nginx
  1. Validate the certbot timer
systemctl list-timers | grep certbot

Results:

Tue 2024-11-05 02:22:10 UTC      3h 21min Mon 2024-11-04 17:16:51 UTC  5h 43min ago certbot.timer                  certbot.service
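A post-setup health check for the configuration above, added here as an example script (not from the original page). It assumes the paths used in the walkthrough (the domain in the certificate path is a placeholder), GNU stat, openssl and systemd; it also flags the older email-plus-global-API-key form of the credentials file, which the token-based setup above avoids.

```shell
#!/bin/sh
# Added example: sanity checks for the certbot + Cloudflare DNS setup.
# Run as: sh check-certbot.sh run   (override paths with CREDS=... CERT=...)
CREDS="${CREDS:-/etc/letsencrypt/cloudflare.ini}"
CERT="${CERT:-/etc/letsencrypt/live/domain.com/fullchain.pem}"  # placeholder domain

# 1. The credentials file must be mode 0600 and owned by the expected user (root).
check_creds_perms() {
    f="$1"; owner="${2:-root}"
    [ -f "$f" ] || return 1
    [ "$(stat -c '%a' "$f")" = "600" ] && [ "$(stat -c '%U' "$f")" = "$owner" ]
}

# 2. The file must hold a scoped API token (dns_cloudflare_api_token), not the
#    legacy dns_cloudflare_email + dns_cloudflare_api_key pair, which is the
#    account-wide global key and grants far more than DNS edit on one zone.
check_creds_scoped() {
    f="$1"
    grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f" &&
    ! grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"
}

# 3. The certificate must have more than min_days of validity left. certbot
#    renews at 30 days remaining, so anything below ~20 means the timer or the
#    DNS challenge is silently failing. Exit status 0 = still valid long enough.
check_cert_days_left() {
    cert="$1"; min_days="${2:-20}"
    openssl x509 -checkend "$((min_days * 86400))" -noout -in "$cert" >/dev/null 2>&1
}

main() {
    rc=0
    check_creds_perms "$CREDS" || { echo "FAIL: $CREDS must be mode 0600, owned by root"; rc=1; }
    check_creds_scoped "$CREDS" || { echo "FAIL: $CREDS should use dns_cloudflare_api_token only"; rc=1; }
    check_cert_days_left "$CERT" 20 || { echo "FAIL: $CERT expires within 20 days (renewal not working?)"; rc=1; }
    systemctl is-active --quiet certbot.timer || { echo "FAIL: certbot.timer is not active"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certbot/Cloudflare setup looks healthy"
    return "$rc"
}

# Only run the checks when invoked with the "run" argument, so the functions
# can also be sourced and reused (for example from a monitoring job).
case "${1:-}" in run) main ;; esac
```

Wire `sh check-certbot.sh run` into a daily cron job or a systemd timer and alert on a non-zero exit.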