===== Cloudflare DNS-01 challenge =====
Brief notes on how to set up a Let's Encrypt certbot using Cloudflare as the DNS provider.
==== Configure DNS at domain registrar ====
* At the domain name registrar, configure the domain to use Cloudflare's nameservers.
* Example: at the GoDaddy registrar this setting is called **use custom name servers**.
==== Create an API Token ====
* Log in to https://dash.cloudflare.com/
* Register an account unless you already have one.
* Keep any credentials in a safe place.
* Click on **My Profile → API Tokens**.
* Select **Create Token**.
* Use the **Edit zone DNS** template or create a custom token.
* Give the token a descriptive name, so you can identify and revoke it if necessary.
* Select the desired expiration.
* Suggestion: use **No expiration** to avoid maintenance overhead.
* Under **Permissions**, allow **Zone → DNS → Edit**.
* Under **Zone Resources**, select the specific zone (domain) or all zones.
* Click **Continue to Summary → Create Token**.
* Copy the token string and keep it in a very safe place.
* You will not be able to view it again.
* If this token becomes public, someone could modify your DNS records.
===== Set up certbot =====
==== Install certbot ====
* Make sure your server has internet access (required for DNS-01 challenge).
* Ensure the snap version of certbot is installed and configured:
sudo snap install --classic certbot
sudo snap set certbot trust-plugin-with-root=ok
==== Install Cloudflare Plugin ====
* Install the Cloudflare plugin:
sudo snap install certbot-dns-cloudflare
==== Create credentials file ====
* Create the file:
sudo nano /etc/letsencrypt/cloudflare.ini
* Paste this line (replace with your API token):
dns_cloudflare_api_token = PASTE_TOKEN_HERE
* In nano: use **Ctrl+O** to write, then **Ctrl+X** to exit.
=== Secure credentials file ===
* Change ownership of the file:
sudo chown root:root /etc/letsencrypt/cloudflare.ini
* Restrict permissions:
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
==== Activate certbot ====
=== Request certificate ===
* Replace //example.com// and //int.example.com// (add/remove domains as needed).
* Wildcards are supported, e.g. //*.example.com//.
* Use the domain owner's email.
sudo certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
-d example.com -d int.example.com \
--agree-tos --email you@example.com --non-interactive
=== Test renewal ===
* Test renewal with a dry run:
sudo certbot renew --dry-run
Avoid running renewals without the dry-run flag while testing, as Let's Encrypt caps the number of renewals per day.
=== Reload nginx ===
* If successful, check nginx config and reload:
sudo nginx -t && sudo systemctl reload nginx
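The steps above, collected into one script as an added example (this is not code from the original page or from the certbot project): the credentials file is written under a restrictive umask so it is never world-readable even briefly, a pre-flight check refuses to run certbot while the file still has loose permissions or the placeholder token, and the Cloudflare token can be verified against the API before issuing anything. The paths, domains and e-mail address are placeholders taken from the notes above; the ''verify_token'' function assumes outbound HTTPS access to api.cloudflare.com.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes. Values below are placeholders.
set -eu

CREDS="${CREDS:-/etc/letsencrypt/cloudflare.ini}"
EMAIL="${EMAIL:-you@example.com}"                   # placeholder
DOMAINS="${DOMAINS:-example.com int.example.com}"   # placeholder, space-separated

# Write the ini inside a subshell with umask 077 so the file is created 0600
# from the start; chown to root only when we actually are root.
write_cloudflare_creds() {
  path="$1"; token="$2"
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path" )
  chmod 600 "$path"
  [ "$(id -u)" -eq 0 ] && chown root:root "$path" || true
}

# Return 0 only if the file exists, has no group/other permission bits,
# contains a token line, and the placeholder from the notes is gone.
check_creds_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;
    *) echo "bad mode $mode on $f (want 600)" >&2; return 1 ;;
  esac
  if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$f"; then
    echo "no dns_cloudflare_api_token line in $f" >&2; return 1
  fi
  if grep -q 'PASTE_TOKEN_HERE' "$f"; then
    echo "placeholder token still present in $f" >&2; return 1
  fi
  return 0
}

# Ask Cloudflare whether the stored token is valid (needs network access).
verify_token() {
  token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  curl -fsS -H "Authorization: Bearer $token" \
    https://api.cloudflare.com/client/v4/user/tokens/verify
}

# One "-d name" per entry in DOMAINS.
domain_args() {
  for d in $DOMAINS; do printf ' -d %s' "$d"; done
}

request_cert() {
  check_creds_file "$CREDS"
  # shellcheck disable=SC2046
  certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials "$CREDS" \
    $(domain_args) \
    --agree-tos --email "$EMAIL" --non-interactive
}

test_renewal() { certbot renew --dry-run; }

reload_nginx() { nginx -t && systemctl reload nginx; }

# Only touch the live system when explicitly asked: sudo ./script.sh run
if [ "${1:-}" = "run" ]; then
  verify_token "$CREDS"
  request_cert
  test_renewal
  reload_nginx
fi
```

Running the script with ''run'' performs the whole flow; without it, the functions can be sourced and used one at a time, for instance ''check_creds_file /etc/letsencrypt/cloudflare.ini'' as a quick audit after the chown/chmod steps.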