Tested on Ubuntu 20.04
A Cloudflare API token with the "Zone:DNS:Edit" permission for the zone you need a certificate for; see this article for a more detailed explanation.
WARNING: This can really get messy if you don't know what you are doing.
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
Create the directory that will hold the Cloudflare API token.
sudo mkdir -p /etc/letsencrypt
Next, create the file containing the API token.
sudo tee /etc/letsencrypt/dnscloudflare.ini > /dev/null <<EOT
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = AN_API_TOKEN_HERE
EOT
Set the right permissions so that only root can read the token.
sudo chmod 0600 /etc/letsencrypt/dnscloudflare.ini
sudo certbot certonly \
  -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com \
  --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini \
  --post-hook "service nginx reload" \
  --non-interactive --agree-tos --email you@example.com \
  --dns-cloudflare-propagation-seconds 30
NOTE: You can also create a wildcard certificate if you prefer, by replacing:
sudo certbot certonly -d example.com -d www.example.com etc.
with
sudo certbot certonly -d '*.example.com'
(The asterisk is quoted so the shell does not expand it. Note that *.example.com does not cover the bare example.com; add -d example.com as well if you need it.)
Test the renewal process with a dry run.
sudo certbot renew --dry-run
You can see when certbot's renewal timer is scheduled to run next by running the following command.
systemctl list-timers
To add a subdomain, we need to expand the current certificate with the subdomain. This means including all the domains already on the certificate and then expanding it with the new subdomain. In this example we are adding sub1.example.com; the trick is to run the same command as before, adding "--expand" to the line.
The example assumes we already have a certificate for example.com and www.example.com.
sudo certbot certonly --expand \
  -d example.com -d www.example.com -d sub1.example.com \
  --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini
In order to modify your certificate, we first need to find the name of the certificate (lineage) you are using. We can do it like this.
sudo certbot certificates
You will get an output similar to the one below.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number: 4fac2132bca56b1ce808116378450ed5197
    Key Type: RSA
    Domains: example.com sub1.example.com sub2.example.com sub3.example.com
    Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
For example, to remove sub3.example.com, run the following.
certbot --cert-name CertificateName -d example.com -d sub1.example.com -d sub2.example.com
The above will reissue the certificate for example.com, leaving out sub3.example.com.
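As an added example (not part of the original page), here is a small POSIX shell helper that parses the output of "certbot certificates", lists the domains on a named certificate, and builds the reissue command from the step above with one subdomain removed, refusing if that domain is not on the certificate. The sample output is constructed from the page's example; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (modelled on the page).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: example.com
    Serial Number: 4fac2132bca56b1ce808116378450ed5197
    Key Type: RSA
    Domains: example.com sub1.example.com sub2.example.com sub3.example.com
    Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem'

# cert_domains <certbot-output> <cert-name>
# Prints the space-separated "Domains:" list of the named certificate.
cert_domains() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /Certificate Name:/ { current = $3 }
        /Domains:/ && current == name {
            sub(/^[ \t]*Domains:[ \t]*/, ""); print; exit
        }'
}

# drop_domain_cmd <certbot-output> <cert-name> <domain-to-remove>
# Prints the certbot command that reissues the certificate without the
# given domain (same form as the page's --cert-name command). Fails with
# status 1 if the domain is not currently on the certificate.
drop_domain_cmd() {
    domains=$(cert_domains "$1" "$2")
    case " $domains " in
        *" $3 "*) ;;
        *) printf 'error: %s is not on certificate %s\n' "$3" "$2" >&2; return 1 ;;
    esac
    cmd="sudo certbot --cert-name $2"
    for d in $domains; do
        [ "$d" = "$3" ] && continue
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Stand-alone usage: in practice pass "$(sudo certbot certificates)" instead.
drop_domain_cmd "$SAMPLE_CERTS" example.com sub3.example.com
```

Review the printed command before running it; certbot will ask you to confirm the changed domain list unless you run it non-interactively.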