Brief notes on how to setup a lets encrypt cert bot using Cloudflare as dns provider.

• At the domain name registrar, configure the domain to use Cloudflare's nameservers.
  • Example: at GoDaddy registrar this setting is called use custom name servers.

• Login to https://dash.cloudflare.com/
  • Register an account unless you already have one.
  • Keep any credentials in a safe place.
• Click on My Profile → API Tokens.
• Select Create Token.
  • Use the Edit zone DNS template or create a custom token.
  • Give the token a descriptive name, so you can identify and revoke it if necessary.
  • Select the desired expiration.
    • Suggestion: use No expiration to avoid maintenance overhead.
  • Under Permissions, allow Zone → DNS → Edit.
  • Under Zone Resources, select the specific zone (domain) or all zones.
• Click Continue to Summary → Create Token.
• Copy the token string and keep it in a very safe place.
  • You will not be able to view it again.
  • If this token becomes public, someone could modify your DNS records.

• Make sure your server has internet access (required for DNS-01 challenge).
• Ensure the snap version of certbot is installed and configured:

    sudo snap install --classic certbot
    sudo snap set certbot trust-plugin-with-root=ok

• Install the Cloudflare plugin:

    sudo snap install certbot-dns-cloudflare

• Create the file:

    sudo nano /etc/letsencrypt/cloudflare.ini

• Paste this line (replace with your API token):

    dns_cloudflare_api_token = PASTE_TOKEN_HERE

• In nano: use Ctrl+O to write, then Ctrl+X to exit.

• Change ownership of the file:

    sudo chown root:root /etc/letsencrypt/cloudflare.ini

• Restrict permissions:

    sudo chmod 600 /etc/letsencrypt/cloudflare.ini

• Replace example.com and int.example.com (add/remove domains as needed).
  • Wildcards are supported, e.g. *.example.com.
  • Use the domain owner's email.

    sudo certbot certonly --dns-cloudflare \
      --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
      -d example.com -d int.example.com \
      --agree-tos --email you@example.com --non-interactive

• Test renewal with a dry run:

    sudo certbot renew --dry-run

Avoid renewing certificates without the dry run flag as Let's encrypt has a cap of renewals/day.

• If successful, check nginx config and reload:

    sudo nginx -t && sudo systemctl reload nginx