Automatic SSL Certs with Certbot and Cloudflare
To set up Certbot/Let's Encrypt to use the Cloudflare API for certificate renewal, you'll need to follow these steps:
Setup Certbot
Install Certbot: If you haven't already installed Certbot, you can do so by following the instructions on the Certbot website or using your package manager.
Install Cloudflare plugin for Certbot: There is a Certbot plugin specifically designed for Cloudflare DNS authentication. You can install it using pip:
pip install certbot-dns-cloudflare
Cloudflare API Token
Get Cloudflare API Token: You need to generate an API token in your Cloudflare account with the necessary permissions.
- Log in to your Cloudflare account.
- Go to "My Profile" → "API Tokens".
- Click on "Create Token".
- Under "Permissions", select "Zone" and ensure it has permissions to edit DNS records.
- Copy the generated API token.
Setup Certbot
Set up Certbot: Now, you can use Certbot with the Cloudflare plugin to obtain and renew certificates.
certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d example.com
Replace example.com
with your domain. This command will prompt you to enter your Cloudflare API credentials. Instead of doing this interactively, you can use a configuration file.
Create Cloudflare Credentials File
Create Cloudflare Credentials File: Create a file to store your Cloudflare API credentials. For example, you can create cloudflare.ini
in ~/.secrets/certbot/
:
mkdir -p ~/.secrets/certbot/
touch ~/.secrets/certbot/cloudflare.ini
Edit cloudflare.ini
and add your Cloudflare API credentials:
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = your_cloudflare_api_key
Replace [email protected]
with your Cloudflare account email and your_cloudflare_api_key
with the API key you generated.
Set appropriate permissions: Make sure only the root user can read the Cloudflare credentials file to keep it secure:
chmod 600 ~/.secrets/certbot/cloudflare.ini
Automate Renewal: You can set up a cron job to automatically renew your certificates before they expire. For example:
0 0 * * * /usr/bin/certbot renew --quiet
This will attempt to renew your certificates every day at midnight. Certbot will automatically renew only if the certificate is due for renewal.
That's it! You've now set up Certbot to use the Cloudflare API for certificate renewal. Make sure to test the renewal process to ensure everything works smoothly.
Haproxy Automatic Renewal
If you use Haproxy, you can setup a script to automatically renew your certs, put them into the correct format, then restart Haproxy automatically.
#!/bin/bash
/usr/bin/certbot renew --quiet
rm /etc/haproxy/cert.pem
cat /etc/letsencrypt/live/example.com/fullchain.pem >> /etc/haproxy/cert.pem
cat /etc/letsencrypt/live/example.com/privkey.pem >> /etc/haproxy/cert.pem
systemctl restart haproxy
You can then put this script in a cron job to automatically renew your certificate and put it live