Ubuntu Certbot With Cloudflare DNS Challenge And Nginx

Tested on Ubuntu 20.04

Prerequisites

A Cloudflare API token with the “Zone:DNS:Edit” permission for the zone you need a certificate for; see this article for more elaborate reading.

WARNING: This can really get messy if you don't know what you are doing.

Install Certbot

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install Cloudflare Plugin

sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

Create directory for the cloudflare API token.

sudo mkdir -p /etc/letsencrypt

Next create the file containing the API code.

sudo tee /etc/letsencrypt/dnscloudflare.ini > /dev/null <<EOT
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = AN_API_TOKEN_HERE
EOT

Set the right permissions.

sudo chmod 0600 /etc/letsencrypt/dnscloudflare.ini
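Because that file holds a token that can edit DNS for the whole zone, it is worth checking it before every certbot run. The following function is an added example, not part of the original guide: it verifies that the file exists, is not readable by group or others, and carries a real dns_cloudflare_api_token value rather than the AN_API_TOKEN_HERE placeholder. The path default and the checks themselves are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the Cloudflare
# credentials file before handing it to certbot. Prints each problem found
# and returns 0 only when the file is safe to use.
check_cf_credentials() {
    f="${1:-/etc/letsencrypt/dnscloudflare.ini}"   # assumed default path
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # Group/other permission bits are columns 5-10 of `ls -ld`, e.g. "------"
    # for mode 0600. Certbot itself only warns about an over-permissive file;
    # here it is treated as an error.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "too open: $f is not 0600 (group/other bits: $perms)"
        rc=1
    fi
    # Pull the token value, tolerating whitespace around '=' and at line end.
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" \
            | sed 's/[[:space:]]*$//' | head -n 1)
    if [ -z "$token" ]; then
        echo "no dns_cloudflare_api_token line in $f"
        rc=1
    elif [ "$token" = "AN_API_TOKEN_HERE" ]; then
        echo "placeholder token still in $f"
        rc=1
    fi
    return $rc
}
```

Run it as `check_cf_credentials && sudo certbot renew` from cron or a pre-hook wrapper so a leaked or unconfigured token file stops the run instead of silently going through.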

Create The Certificate

sudo certbot certonly -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email [email protected] --dns-cloudflare-propagation-seconds 30

NOTE: You can also create a wildcard certificate if you prefer, by replacing:

sudo certbot certonly -d example.com -d www.example.com etc.

With

sudo certbot certonly -d "*.example.com"

Testing

sudo certbot renew --dry-run

Show Certbot Timer

You can see when certbot is scheduled to run next by running the following command.

systemctl list-timers

Adding A Subdomain Or Domain

To add a subdomain we need to expand the current certificate with it. This means listing all the domains already on the certificate and then expanding the cert with the new subdomain. In this example we are adding sub1.example.com; the trick is to run the same command as before but with “--expand” added to the line.

The example assumes we already have a certificate for example.com and www.example.com.

sudo certbot certonly --expand -d example.com -d www.example.com -d sub1.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini

Removing A Subdomain Or Domain

In order to modify your certificate we first need to find the name of the certificate you are using. We can do it like this.

sudo certbot certificates

You will get an output similar to the one below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: example.com
    Serial Number: 4fac2132bca56b1ce808116378450ed5197
    Key Type: RSA
    Domains: example.com sub1.example.com sub2.example.com sub3.example.com
    Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

To remove, say, sub3.example.com, run the following, using the name shown under “Certificate Name” above.

sudo certbot certonly --cert-name CertificateName -d example.com -d sub1.example.com -d sub2.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini

The above will reissue the certificate for example.com with only the listed domains, leaving out sub3.example.com.