
Automatic SSL Certs with Certbot and Cloudflare

To set up Certbot/Let's Encrypt to use the Cloudflare API for certificate issuance and renewal, you'll need to follow these steps. The Cloudflare plugin answers the ACME DNS-01 challenge by creating a TXT record through the API, so the host needs no open port 80 or 443 and you can request wildcard certificates.

Install Certbot

Install Certbot: If you haven't already installed Certbot, you can do so by following the instructions on the Certbot website or using your package manager.

Install Cloudflare plugin for Certbot: There is a Certbot plugin specifically designed for Cloudflare DNS authentication. If Certbot itself was installed with pip, install the plugin the same way; if Certbot came from a snap, install the matching certbot-dns-cloudflare snap instead, because a pip-installed plugin is invisible to a snap Certbot:

pip install certbot-dns-cloudflare

Cloudflare API Token

Get Cloudflare API Token: Generate a scoped API token in your Cloudflare account. Do not use the account's Global API Key for this; it grants full access to everything in the account, while the Certbot plugin only needs to edit DNS in the zones you issue certificates for.

  • Log in to your Cloudflare account.
  • Go to "My Profile" → "API Tokens".
  • Click on "Create Token" and start from the "Edit zone DNS" template (or build a custom token).
  • Under "Permissions", set "Zone" → "DNS" → "Edit". That is the only permission the plugin needs.
  • Under "Zone Resources", include only the specific zone(s) you will request certificates for.
  • Copy the generated API token. Cloudflare shows it only once; if you lose it, roll the token and paste the new value into the credentials file.

Run Certbot

Request a certificate: Now use Certbot with the Cloudflare plugin to obtain the certificate. Certbot records the plugin and the credentials path in the renewal configuration, so the same command is not needed again for renewals.

certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d example.com

Replace example.com with your domain; repeat -d for additional names, including a wildcard such as *.example.com, which the DNS-01 challenge allows. The file named by --dns-cloudflare-credentials is where the plugin reads the API token, so the command does not prompt for the token; if you leave the option out, Certbot prompts for the path to that file instead. Creating the file is the next step. If validation fails because the TXT record has not propagated yet, raise --dns-cloudflare-propagation-seconds (the default is 10).

Create Cloudflare Credentials File

Create Cloudflare Credentials File: Create a file to store your Cloudflare API credentials. For example, you can create cloudflare.ini in ~/.secrets/certbot/:

mkdir -p ~/.secrets/certbot/
touch ~/.secrets/certbot/cloudflare.ini

Edit cloudflare.ini and add the Cloudflare API token you generated:

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = your_cloudflare_api_token

Replace your_cloudflare_api_token with the token you copied from the Cloudflare dashboard. Older guides use dns_cloudflare_email together with dns_cloudflare_api_key; those keys take the account's Global API Key, which should be avoided for the reason given above.

Set appropriate permissions: Make sure only the user that runs Certbot (normally root) can read the credentials file. The Cloudflare plugin warns at run time when the file is readable by group or others, and the token it holds is enough to rewrite DNS for the zone:

chmod 600 ~/.secrets/certbot/cloudflare.ini
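Before the first run it is worth checking the credentials file the way Certbot will see it. The script below is an added example, not part of the original page: it confirms the file is mode 0600, pulls the token out of it, and, when you are online, asks Cloudflare whether the token is active through the documented GET /client/v4/user/tokens/verify endpoint. The path passed as the single argument is whatever you used above; the script name and the function names are my own.

```bash
#!/bin/bash
# Added example (not from the original page): pre-flight checks for the
# Cloudflare credentials file before the first certbot run.
set -euo pipefail

# file_is_private FILE: true only if the mode is exactly -rw------- (0600).
# Uses ls rather than stat so it behaves the same on GNU and BSD userlands.
file_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# read_api_token FILE: print the dns_cloudflare_api_token value, or fail.
# Tolerates whitespace around '=' and ignores comments and other keys.
read_api_token() {
    local token
    token="$(grep -E '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$1" \
        | head -n 1 | cut -d= -f2- | tr -d '[:space:]' || true)"
    [ -n "$token" ] || { echo "no dns_cloudflare_api_token found in $1" >&2; return 1; }
    printf '%s\n' "$token"
}

# verify_token TOKEN: ask Cloudflare whether the token is active. Needs network;
# -f makes curl fail on the 401 an invalid or revoked token receives.
verify_token() {
    curl -fsS -H "Authorization: Bearer $1" \
        https://api.cloudflare.com/client/v4/user/tokens/verify \
        | grep -q '"status": *"active"'
}

# Usage: ./cf-preflight.sh ~/.secrets/certbot/cloudflare.ini
if [ "$#" -eq 1 ]; then
    ini="$1"
    file_is_private "$ini" || { echo "$ini must be mode 0600" >&2; exit 1; }
    token="$(read_api_token "$ini")"
    verify_token "$token" && echo "token is active"
fi
```

The verify endpoint only tells you the token is valid and active, not which zones it can edit; the first certbot run (or a --dry-run, see below) is the real test of the Zone:DNS:Edit scope.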

Automate Renewal: Set up a cron job (or a systemd timer) to run certbot renew regularly so certificates are replaced before they expire. Distribution packages and the snap usually install a timer already; check systemctl list-timers before adding your own entry. For example:

0 0 * * * /usr/bin/certbot renew --quiet

This runs certbot renew every day at midnight. Certbot only replaces certificates that are within 30 days of expiry, so running it daily (the Certbot documentation suggests twice a day) is safe. Because the DNS-01 challenge is used, renewal needs only outbound access to the Cloudflare API and to Let's Encrypt.

That's it! You've now set up Certbot to use the Cloudflare API for certificate renewal. Test the whole path before the first real renewal is due with certbot renew --dry-run, which runs the DNS challenge against Let's Encrypt's staging environment without replacing your certificates.

HAProxy Automatic Renewal

If you use HAProxy, you can set up a script that renews your certs, concatenates the certificate chain and private key into the single PEM file HAProxy expects, then reloads HAProxy. A reload is preferable to a restart: it picks up the new file without dropping established connections.

#!/bin/bash
set -euo pipefail
/usr/bin/certbot renew --quiet
# HAProxy wants chain then key in one PEM. Build it with a private umask and
# swap it in atomically so HAProxy never loads a half-written or key-less file.
umask 077
cat /etc/letsencrypt/live/example.com/fullchain.pem \
    /etc/letsencrypt/live/example.com/privkey.pem > /etc/haproxy/cert.pem.tmp
mv -f /etc/haproxy/cert.pem.tmp /etc/haproxy/cert.pem
systemctl reload haproxy

You can put this script in a cron job in place of the plain certbot renew line above, or point Certbot at it with --deploy-hook so it runs only when a certificate was actually renewed. Because the bundle contains the private key, keep it mode 0600 and owned by root.
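The same job written as a Certbot deploy hook, as an added example that is my own and not from the original page. Certbot exports RENEWED_LINEAGE (the live directory of the certificate that was just renewed) and RENEWED_DOMAINS to --deploy-hook scripts, so the bundle is rebuilt only for the lineage that changed and only when something changed. It assumes HAProxy is configured to load every file from the directory /etc/haproxy/certs/ (a crt directory; my assumption, as is the directory name) and that haproxy and systemctl are on PATH; the config path is the default one.

```bash
#!/bin/bash
# Added example (not from the original page): a Certbot deploy hook that
# rebuilds the HAProxy PEM bundle for the lineage Certbot just renewed.
# Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS for --deploy-hook scripts.
# Assumption: HAProxy reads certificates from the directory /etc/haproxy/certs/.
set -euo pipefail

# build_haproxy_bundle LINEAGE_DIR OUT_FILE
# Concatenate fullchain.pem then privkey.pem (the order HAProxy expects) into a
# 0600 file, written to a temp file in the target directory and renamed into
# place so HAProxy never loads a half-written bundle. Fails, leaving no output
# behind, if either input is missing or empty.
build_haproxy_bundle() {
    local lineage="$1" out="$2" tmp
    local chain="$lineage/fullchain.pem" key="$lineage/privkey.pem"
    [ -s "$chain" ] && [ -s "$key" ] || { echo "missing cert or key in $lineage" >&2; return 1; }
    tmp="$(mktemp "$(dirname "$out")/.bundle.XXXXXX")"
    chmod 600 "$tmp"                      # private before the key is written
    cat "$chain" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# bundle_has_key_and_chain FILE: cheap sanity check before reloading HAProxy.
bundle_has_key_and_chain() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Only act when Certbot invokes us as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name="$(basename "$RENEWED_LINEAGE")"      # e.g. example.com
    bundle="/etc/haproxy/certs/$name.pem"
    build_haproxy_bundle "$RENEWED_LINEAGE" "$bundle"
    bundle_has_key_and_chain "$bundle"
    # Validate the full configuration with the new bundle before a graceful
    # reload; set -e aborts here if HAProxy rejects it, keeping the old process.
    haproxy -c -f /etc/haproxy/haproxy.cfg
    systemctl reload haproxy
    echo "deployed $bundle for $RENEWED_DOMAINS"
fi
```

Install it as an executable in /etc/letsencrypt/renewal-hooks/deploy/ (Certbot runs every executable there after a successful renewal) or pass it with certbot renew --deploy-hook /path/to/script. To exercise it once by hand, run it with RENEWED_LINEAGE=/etc/letsencrypt/live/example.com set in the environment.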