Table of Contents
Ubuntu Certbot With Cloudflare DNS Challenge And Nginx
Tested on Ubuntu 20.04
Prerequisites
A Cloudlfare API key with “Zone:DNS:Edit” permission for the zone you need a certificate for, see this article for more elaborate reading.
WARNING: This can really get messy if you don't know what you are doing.
Install Certbot
sudo snap install core; sudo snap refresh core sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot
Install Cloudflare Plugin
sudo snap set certbot trust-plugin-with-root=ok sudo snap install certbot-dns-cloudflare
Create directory for the cloudflare API token.
sudo mkdir -p /etc/letsencrypt
Next create the file containing the API code.
sudo tee /etc/letsencrypt/dnscloudflare.ini > /dev/null <<EOT # Cloudflare API token used by Certbot dns_cloudflare_api_token = AN_API_TOKEN_HERE EOT
Set the right permissions.
sudo chmod 0600 /etc/letsencrypt/dnscloudflare.ini
Create The Certificate
sudo certbot certonly -d example.com -d www.example.com -d sub1.example.com -d sub2.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --post-hook "service nginx reload" --non-interactive --agree-tos --email [email protected] --dns-cloudflare-propagation-seconds 30
NOTE: You can also create a wildcard if you prefer replacing:
sudo certbot certonly -d example.com -d www.example.com etc.
With
sudo certbot certonly -d *.example.com
Testing
sudo certbot renew --dry-run
Show Cerbot Timer
You can see when certbot is schedueled to run next time by running the following command.
systemctl list-timers
Adding A Subdomain Or Domain
Adding a subdomain we will need to expand the current certificate with the subdomain. This means include all the certificates already issued and then expand the cert with the new subdomain. In this example we are adding sub1.example.com the trick is to run the same command as we have done before but adding “--expand” to the line.
The example assumes we allready have certificates for example.com and www.example.com
sudo certbot certonly --expand -d existing.com.com -d www.existing.com -d sub1.example.com --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini
Removing A Subdomain Or Domain
In order to modify your certificate we need to figure out the name of the certificate you are using. We can do it like this.
sudo certbot certificates
You will get an output similar to the one below.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number: 4fac2132bca56b1ce808116378450ed5197
Key Type: RSA
Domains: example.com sub1.example.com sub2.example.com sub3.example.com
Expiry Date: 2022-05-05 08:24:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
In order to like say remove sub3.example.com run the following.
certbot --cert-name CertificateName -d example.com -d sub1.example.com -d sub2.example.com
The above will reissue the certificate for example.com leaving out sub3.example.com