Certbot with Cloudflare DNS
In this small sub-guide, we will get a certificate from Let's Encrypt, using Cloudflare's API to add and remove the DNS records that prove our ownership of the domain (the dns-01 challenge).
- Navigate to https://dash.cloudflare.com/profile/api-tokens
- Next to "Global API Key", click "View".
- Copy the token that's shown. We will need this token in the next step.
Certbot is a tool that runs on your server and automatically requests certificates (and keeps them renewed) for your domains. Install it together with the Cloudflare DNS plugin:

```bash
sudo apt install certbot python3-certbot-dns-cloudflare
```
Create a file to hold your secret API key, readable only by root, like this:

```bash
sudo mkdir -p /etc/letsencrypt/secrets
sudo cp /opt/pajbot/install-docs/certbot-with-cloudflare/cloudflare.ini /etc/letsencrypt/secrets/cloudflare.ini
sudo chown root:root /etc/letsencrypt/secrets/cloudflare.ini
sudo chmod 600 /etc/letsencrypt/secrets/cloudflare.ini
```
Then insert your API details:

```bash
sudo nano /etc/letsencrypt/secrets/cloudflare.ini
```

Put your Cloudflare account email next to `dns_cloudflare_email`, and the API key from the previous step next to `dns_cloudflare_api_key`.
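The following is an added sanity check, not part of pajbot's install docs or of certbot: it verifies, before certbot is run, that the credentials file is root-owned, readable by its owner alone, and actually contains the keys the dns-cloudflare plugin reads (the `dns_cloudflare_api_token` alternative is accepted by newer releases of the plugin; the expected-owner argument is an addition for testing).

```sh
#!/bin/sh
# Added example (not part of pajbot or certbot): sanity-check a certbot
# dns-cloudflare credentials file before handing it to certbot.
# Usage: check_cloudflare_ini /etc/letsencrypt/secrets/cloudflare.ini [expected_owner]
# Returns 0 only if the file
#   - is owned by expected_owner (default root, matching the chown step),
#   - has mode 600 or 400 (the key grants write access to your DNS zone,
#     so nobody but the owner should be able to read it),
#   - sets dns_cloudflare_email and dns_cloudflare_api_key, or the scoped
#     dns_cloudflare_api_token, to a non-empty value.
check_cloudflare_ini() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || { echo "check: $f does not exist" >&2; return 1; }

    # GNU stat: %a = octal mode without leading zeros, %U = owner name
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")

    [ "$owner" = "$want_owner" ] || {
        echo "check: $f is owned by $owner, expected $want_owner" >&2; return 1; }
    case "$mode" in
        600|400) ;;
        *) echo "check: $f has mode $mode; run: chmod 600 $f" >&2; return 1 ;;
    esac

    # A key counts as set only if a non-empty, non-comment value follows '='.
    has_key() { grep -Eq "^[[:space:]]*$1[[:space:]]*=[[:space:]]*[^[:space:]#]" "$f"; }
    if has_key dns_cloudflare_api_token; then
        return 0
    fi
    if has_key dns_cloudflare_email && has_key dns_cloudflare_api_key; then
        return 0
    fi
    echo "check: $f lacks dns_cloudflare_email/dns_cloudflare_api_key (or dns_cloudflare_api_token)" >&2
    return 1
}

# When run directly with a path, check that file and exit with its result.
if [ "$#" -gt 0 ]; then
    check_cloudflare_ini "$@"
fi
```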
Repeat `-d "domain-name.com"` as many times as needed to add domain names and wildcards to your certificate:

```bash
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/secrets/cloudflare.ini -d "your-domain.com" -d "*.your-domain.com" --post-hook "systemctl reload nginx"
```
You should see output similar to this:

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for example.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your-domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your-domain.com/privkey.pem
   Your cert will expire on 2020-02-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

Notice the two paths under "IMPORTANT NOTES": they are what your nginx configuration needs. The first path (`fullchain.pem`) goes with `ssl_certificate`, the second path (`privkey.pem`) goes with `ssl_certificate_key`.
You can now edit the nginx configuration file and point it to the correct certificate paths:

```bash
sudo nano /etc/nginx/sites-available/streamer_name.your-domain.com.conf
```

```nginx
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
```
Note! If you have requested a wildcard certificate (as we have done here in the example), you can re-use the same certificate for multiple bots. E.g. if you have bots running under the two subdomains `streamer_a.your-domain.com` and `streamer_b.your-domain.com`, and you have a wildcard certificate for `*.your-domain.com`, then both of these site configurations can share the same certificate (`/etc/letsencrypt/live/your-domain.com/fullchain.pem`, for example).