Tested on Ubuntu 16.04 and 18.04
LetsEncrypt certbot.eff.org
/etc/ssl/certs/dhparam.pem
# Generate 4096-bit Diffie-Hellman parameters and write them to the path above.
# Generation at this size can take a long time. The output holds public
# parameters, not a private key.
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key
# Regenerate the self-signed "snakeoil" certificate and key at the two paths
# above; --force-overwrite replaces any existing pair. The certificate is
# self-signed, so clients will not trust it.
# NOTE(review): presumably kept only as a placeholder/default certificate — confirm.
make-ssl-cert generate-default-snakeoil --force-overwrite
# Request a single certificate covering the apex and the wildcard name,
# validated with a DNS-01 challenge through the Cloudflare DNS plugin
# (certonly obtains the certificate without installing it into a web server).
# The name list is single-quoted so the shell does not glob-expand '*'.
# The credentials file holds a secret: keep it root-owned with mode 0600.
certbot certonly \
--preferred-challenges dns-01 \
--dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini \
-d 'example.com,*.example.com'
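# Renewal
# DNS-01 validation goes through the Cloudflare API and never touches the web
# server, so nginx does not need to be stopped while certbot runs. A deploy
# hook runs only after a certificate was actually renewed; a reload lets nginx
# pick up the new files without taking the site offline.
certbot renew \
--dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare.ini \
--deploy-hook "systemctl reload nginx"
# REMINDER: rehearse with --dry-run first (deploy hooks are not run in a dry run).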
/root/.cloudflare.ini
# Secret material: keep this file root-owned and mode 0600
# (chmod 600 /root/.cloudflare.ini).
# NOTE(review): this is the account-wide Global API key. Newer releases of the
# Cloudflare plugin also accept a scoped token via dns_cloudflare_api_token,
# which can be limited to DNS edits on the zones that need certificates —
# prefer that where the installed plugin supports it.
# The values below are placeholders.
dns_cloudflare_email = "me@example.com"
dns_cloudflare_api_key = "abcdefghijklmnopqrstuvwxyz0"