May 10, 2018

Using Let's Encrypt with Cloudflare DNS challenges

How to set up automatic SSL certificate issuance using the Cloudflare DNS challenge

Install Certbot

sudo apt update && \
sudo apt install software-properties-common && \
sudo add-apt-repository ppa:certbot/certbot && \
sudo apt update && \
sudo apt install -y certbot

Install pip for Python 3 and the Certbot Cloudflare DNS plugin

# install pip for Python 3
sudo apt install -y python3-pip
# upgrade pip; -H makes sudo set HOME to root's home directory, so pip does not write its cache into your own home
sudo -H pip3 install --upgrade pip
# install the Certbot Cloudflare DNS plugin
sudo -H pip3 install certbot-dns-cloudflare

Create a file to store your Cloudflare credentials

sudo nano /etc/letsencrypt/cloudflare.ini

Put the following into the ini file, replacing the placeholders with your own values

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = youremail
dns_cloudflare_api_key = yoursecretAPIkey

Save and exit, then restrict other users from reading the file (it contains an API key that can change your DNS records):
sudo chmod 600 /etc/letsencrypt/cloudflare.ini

Generate the certificates (replace youremail and yourdomain with your own values)

sudo certbot certonly -m youremail --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d yourdomain -d www.yourdomain

Certbot prints where the certificate files are stored so they can be referenced from your web server configuration.
Usually these are the following paths:
Cert: /etc/letsencrypt/live/yourdomain/fullchain.pem
Private key: /etc/letsencrypt/live/yourdomain/privkey.pem
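The credential-file and issuance steps above, rolled into one small script as an added example (this is not code from the original post or from the Certbot project). It creates the ini file with mode 600 from the start instead of creating it world-readable and chmod-ing afterwards, checks the mode, and rehearses issuance against the Let's Encrypt staging environment with --dry-run before touching production. It assumes GNU coreutils (install, stat) and an existing certbot plus certbot-dns-cloudflare install; the path, the email, the domains and the placeholder API key are constructed values for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU coreutils and
# that certbot and certbot-dns-cloudflare are already installed.

CREDS=/etc/letsencrypt/cloudflare.ini   # constructed default; same path as the post

# Create the credentials file already restricted to 0600 and then write the
# two keys Certbot's Cloudflare plugin expects. "install -m 600 /dev/null"
# creates (or truncates) the file with the right mode before any secret is
# written, so there is no window in which other local users can read the key.
write_cloudflare_creds() {
    file=$1; email=$2; api_key=$3
    install -m 600 /dev/null "$file" || return 1
    {
        printf '# Cloudflare API credentials used by Certbot\n'
        printf 'dns_cloudflare_email = %s\n' "$email"
        printf 'dns_cloudflare_api_key = %s\n' "$api_key"
    } > "$file"
}

# Return 0 only if the file's permission bits are exactly 600 (Linux stat).
check_creds_mode() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Confirm the DNS plugin is actually visible to the installed certbot binary.
plugin_installed() {
    certbot plugins 2>/dev/null | grep -q 'dns-cloudflare'
}

# Rehearse issuance against the staging CA. --dry-run performs the real DNS
# challenge through the Cloudflare API but stores no certificate, so a typo in
# the credentials or domains does not burn production rate limits.
# Usage: issue_cert_dry_run you@example.com -d example.com -d www.example.com
issue_cert_dry_run() {
    email=$1; shift
    sudo certbot certonly --dry-run -m "$email" \
        --dns-cloudflare --dns-cloudflare-credentials "$CREDS" "$@"
}

# After a real issuance, verify that unattended renewal would succeed.
renew_dry_run() {
    sudo certbot renew --dry-run
}

# Example invocation (constructed values); guarded so sourcing this file for
# its functions does not run it.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    write_cloudflare_creds "$CREDS" "you@example.com" "PLACEHOLDER_API_KEY"
    check_creds_mode "$CREDS" || { echo "credentials file is not 0600" >&2; exit 1; }
    plugin_installed || { echo "dns-cloudflare plugin not found" >&2; exit 1; }
    issue_cert_dry_run "you@example.com" -d example.com -d www.example.com
fi
```

Run it with RUN_EXAMPLE=1 once the placeholder values are replaced; drop --dry-run from issue_cert_dry_run only after the rehearsal succeeds. The Certbot package installs a renewal timer, so renew_dry_run is the quickest way to confirm that the stored credentials file still works without waiting for the first real renewal.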

Next steps

Adding the modern SSL configuration to nginx