jasonbutz.info

Let's Encrypt - Cloudflare

Let's Encrypt, Cloudflare, SSL, HTTPS

Let’s Encrypt and certbot are wonderful and make it easy, and cheap, to get SSL certificates set up. But sometimes your application or site isn’t set up in one of the common patterns. One setup that I use a lot is to have the application running on my server, but with the Cloudflare CDN in front of it. The default [NGINX method][nginx-certbot] won’t work in that case.

The DNS methods of verification didn’t use to be very prominent on Certbot’s site, so it took me a while to figure out that you can do the verification entirely with DNS. There is one big downside to the method I am going to show you: your Cloudflare API key has to sit in plain text on your server’s hard drive. In my case it is under the root account, but still, it is less than ideal.

To start off, create a /root/.secrets directory and then create the file /root/.secrets/cloudflare.ini inside it. You’ll also want to make sure only the root user can access the file.

mkdir -p /root/.secrets
touch /root/.secrets/cloudflare.ini
chmod 600 /root/.secrets/cloudflare.ini

Now open the file in a text editor and add the following, replacing my example details with your real ones. Your API key is under your profile, and I’m using my Global API Key.

dns_cloudflare_email = "cloudflare-user@example.com"
dns_cloudflare_api_key = "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"

Next, you just have to run your certbot command. I have the locations of my certificate files configured in my web server, so when I need to add a new domain or subdomain I can just use the command below, replacing example.com with whatever the domain is.

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com

If you are using NGINX and want your site set up automatically, you might use the following command:

certbot certonly -i nginx --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com
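The steps above, wrapped into a small script as an added example (this is not from the original post or from certbot): it writes the credentials file with the right permissions from the first write, checks that the file really is root-only and holds both keys before certbot is ever pointed at it, and builds the two certbot invocations shown above. The directory, e-mail and API key used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post. Prepares and sanity-checks the
# credentials file read by certbot's dns-cloudflare plugin, then builds the
# certbot command. Paths, e-mail address and key are constructed samples.

# write_cloudflare_ini DIR EMAIL API_KEY
# Creates DIR/cloudflare.ini as 0600 via umask, so the key is never briefly
# readable by others the way a touch-then-chmod sequence can leave it.
write_cloudflare_ini() {
    dir=$1; email=$2; key=$3
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077
      rm -f "$dir/cloudflare.ini"      # start fresh so the mode is always 0600
      printf 'dns_cloudflare_email = "%s"\ndns_cloudflare_api_key = "%s"\n' \
          "$email" "$key" > "$dir/cloudflare.ini" )
}

# check_cloudflare_ini FILE
# Returns 0 only if FILE exists, is readable by its owner alone (0600 or 0400)
# and contains both settings the plugin expects; prints the reason otherwise.
check_cloudflare_ini() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD
    case $mode in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (run: chmod 600 $f)" >&2; return 1 ;;
    esac
    grep -q '^dns_cloudflare_email *= *"[^"][^"]*"' "$f" \
        || { echo "$f: dns_cloudflare_email missing or empty" >&2; return 1; }
    grep -q '^dns_cloudflare_api_key *= *"[^"][^"]*"' "$f" \
        || { echo "$f: dns_cloudflare_api_key missing or empty" >&2; return 1; }
}

# certbot_cmd DOMAIN INI [INSTALLER]
# Prints the certbot invocation from the post; pass "nginx" as INSTALLER to get
# the "-i nginx" variant. Append --dry-run to rehearse against staging first.
certbot_cmd() {
    domain=$1; ini=$2; installer=${3-}
    cmd="certbot certonly"
    [ -n "$installer" ] && cmd="$cmd -i $installer"
    printf '%s --dns-cloudflare --dns-cloudflare-credentials %s -d %s\n' \
        "$cmd" "$ini" "$domain"
}
```

Source the file as root, call `write_cloudflare_ini /root/.secrets you@example.com YOUR_KEY`, and only run the command printed by `certbot_cmd` once `check_cloudflare_ini /root/.secrets/cloudflare.ini` passes.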

That’s really all it takes; you just have to tweak the commands you normally use a little bit.