Cloudflare DNS-01 challenge

Brief notes on how to set up a Let's Encrypt certbot using Cloudflare as the DNS provider.

Configure DNS at domain registrar

  • At the domain name registrar, configure the domain to use Cloudflare's nameservers.
    • Example: at the GoDaddy registrar this setting is called "use custom name servers".

Create an API Token

  • Register a Cloudflare account unless you already have one.
  • Keep any credentials in a safe place.
  • Click on My Profile → API Tokens.
  • Select Create Token.
    • Use the Edit zone DNS template or create a custom token.
    • Give the token a descriptive name, so you can identify and revoke it if necessary.
    • Select the desired expiration.
      • Suggestion: use No expiration to avoid maintenance overhead.
    • Under Permissions, allow Zone → DNS → Edit.
    • Under Zone Resources, select the specific zone (domain) or all zones.
  • Click Continue to Summary → Create Token.
  • Copy the token string and keep it in a very safe place.
    • You will not be able to view it again.
    • If this token becomes public, someone could modify your DNS records.

Set up certbot

Install certbot

  • Make sure your server has internet access (required for DNS-01 challenge).
  • Ensure the snap version of certbot is installed and configured:
    sudo snap install --classic certbot
    sudo snap set certbot trust-plugin-with-root=ok

Install Cloudflare Plugin

  • Install the Cloudflare plugin:
    sudo snap install certbot-dns-cloudflare

Create credentials file

  • Create the file:
    sudo nano /etc/letsencrypt/cloudflare.ini
  • Paste this line (replace with your API token):
    dns_cloudflare_api_token = PASTE_TOKEN_HERE
  • In nano: use Ctrl+O to write, then Ctrl+X to exit.

Secure credentials file

  • Change ownership of the file:
    sudo chown root:root /etc/letsencrypt/cloudflare.ini
  • Restrict permissions:
    sudo chmod 600 /etc/letsencrypt/cloudflare.ini
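A small check script, added here as an example (not part of the original notes), that verifies the credentials file matches the steps above: owned by the expected user, mode exactly 600, and holding exactly one real token line. The path and owner default to the values used in these notes (/etc/letsencrypt/cloudflare.ini, root); pass others as arguments.

```shell
#!/bin/sh
# Sanity checks for the certbot Cloudflare credentials file.
# Assumed defaults (taken from the notes): /etc/letsencrypt/cloudflare.ini owned by root.

# file_mode_owner FILE -> prints "<octal mode> <owner>" (GNU stat first, BSD stat fallback)
file_mode_owner() {
  stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# check_credentials_file [FILE] [EXPECTED_OWNER]
# Returns 0 when every check passes, 1 otherwise; prints one line per failed check.
check_credentials_file() {
  f="${1:-/etc/letsencrypt/cloudflare.ini}"
  want_owner="${2:-root}"
  rc=0
  if [ ! -f "$f" ]; then
    echo "FAIL: $f does not exist"
    return 1
  fi
  set -- $(file_mode_owner "$f")
  mode="$1"; owner="$2"
  # Mode must be exactly 600: no group or other bits, as set by the chmod step.
  if [ "$mode" != "600" ]; then
    echo "FAIL: mode is $mode, expected 600"; rc=1
  fi
  if [ "$owner" != "$want_owner" ]; then
    echo "FAIL: owner is $owner, expected $want_owner"; rc=1
  fi
  # Exactly one token line in the key = value form the plugin reads.
  # Cloudflare tokens contain only letters, digits, '_' and '-'.
  n=$(grep -Ec '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[A-Za-z0-9_-]+[[:space:]]*$' "$f" || true)
  if [ "$n" -ne 1 ]; then
    echo "FAIL: expected exactly one dns_cloudflare_api_token line, found $n"; rc=1
  fi
  # The placeholder from the notes must have been replaced with a real token.
  if grep -q 'PASTE_TOKEN_HERE' "$f"; then
    echo "FAIL: token is still the PASTE_TOKEN_HERE placeholder"; rc=1
  fi
  return "$rc"
}
```

Run it as `sudo sh check.sh` after the chown/chmod steps, or call `check_credentials_file /path/to/file owner` from another script; a non-zero exit means certbot should not be run yet.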

Activate certbot

Request certificate

  • Replace example.com and int.example.com (add/remove domains as needed).
    • Wildcards are supported, e.g. *.example.com.
    • Use the domain owner's email.
    sudo certbot certonly --dns-cloudflare \
      --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
      -d example.com -d int.example.com \
      --agree-tos --email you@example.com --non-interactive

Test renewal

  • Test renewal with a dry run:
    sudo certbot renew --dry-run

While testing, avoid running renewals without the --dry-run flag, as Let's Encrypt caps the number of renewals per day.

Reload nginx

  • If successful, check nginx config and reload:
    sudo nginx -t && sudo systemctl reload nginx