If you’re using Cloudflare DNS, and proxying your HTTPS traffic through Cloudflare anyway, I recommend using their certs.

But, what if you are just using Cloudflare DNS and don’t want to proxy? Then this guide is for you.

Step 1: Get the API token from Cloudflare

First, we’ll need an API token from Cloudflare. Open the user menu on the top right and choose “My Profile”. On the left you should see “API tokens”; go there.

Use the big blue button “Create Token”, then look through the templates for “Edit zone DNS”, click the big blue button next to it which reads “Use template”.

Now, you should see a title “Create Token”, right underneath you will see a name, click it to change it to “Certbot hostname.example.com”, where you replace the hostname with your own. This way you will know what this token will be used for, and on what machine. Trust me, this will make it easier to manage your tokens later as you add more machines and might want to delete old tokens.

Leave “permissions” as is, but right underneath you’ll find “Zone resources” and “Include” and “Specific Zone”, in the field right of that you’ll enter example.com (or whatever your zone is). If you’re running multiple websites on that machine which you want to use with Certbot, you can add more zones with “Add more”, and repeat the process for each zone.

Note that you DO NOT have to add the subdomain into that field, really just the zone (main domain). Certbot will be able to generate certificates for subdomains either way.

Step 2: Store the API token safely

After following the first step, you should now have an API token. We will need this, so make sure to copy it somewhere safe, like an open Notepad which you won’t save. This is not a joke.

Step 3: Install Certbot and the Plugin

If you’re using Debian or Ubuntu and haven’t installed these already, do so now:

apt update && apt install -y certbot python3-certbot-dns-cloudflare

As you can see, we really need python3-certbot-dns-cloudflare for this to work.

Step 4: Store the Cloudflare API token for Certbot

As root user (sudo -i) run these:

mkdir -p /etc/cloudflare
chmod 700 /etc/cloudflare
touch /etc/cloudflare/example.com.ini
chmod 600 /etc/cloudflare/example.com.ini
nano /etc/cloudflare/example.com.ini

Into that ini you will write:

dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

Of course, replacing it with your own token.

Hit ^s and ^x (ctrl+s to save and ctrl+x to exit). You can now delete the token you temporarily stored in your Notepad.

Step 5: Issue the Certbot certificate

Here’s an example which will give you a wildcard certificate for example.com (of course replace with your own domain):

certbot certonly --register-unsafely-without-email --dns-cloudflare --dns-cloudflare-credentials /etc/cloudflare/example.com.ini -d example.com -d '*.example.com' --dns-cloudflare-propagation-seconds 60 --deploy-hook '/usr/bin/systemctl reload nginx'

Note: In the above example, the deploy-hook reloads Nginx every time a certificate is issued or renewed. Replace this with whatever service you want to reload/restart, or even replace it with a script you want to run.
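The same setup, Steps 4 and 5 together, as a small shell script I’ve added here (not from the original post): it writes the credentials file without ever leaving it world-readable, checks the file before Certbot touches it, and issues one wildcard certificate per zone for machines hosting several sites. The function names, the CF_DIR and DEPLOY_HOOK variables and the token pattern are my own assumptions; it expects GNU coreutils (stat -c) as found on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes certbot and
# python3-certbot-dns-cloudflare are installed (Step 3) and runs as root.
set -u
CF_DIR=${CF_DIR:-/etc/cloudflare}                       # assumed default
DEPLOY_HOOK=${DEPLOY_HOOK:-/usr/bin/systemctl reload nginx}

# install_cf_creds ZONE TOKEN: write $CF_DIR/ZONE.ini. The umask is set
# before the file is created, so there is no window where the token is
# readable by other users (touch + chmod afterwards does have one).
install_cf_creds() {
  zone=$1 token=$2
  ( umask 077
    mkdir -p "$CF_DIR" && chmod 700 "$CF_DIR"
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$CF_DIR/$zone.ini" )
}

# check_cf_creds FILE: 0 if FILE is mode 600 and holds a plausible token
# line; otherwise print why and return 1 (pre-flight before calling certbot).
check_cf_creds() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f")
  [ "$mode" = 600 ] || { echo "$f is mode $mode, want 600" >&2; return 1; }
  # Cloudflare tokens are 40 chars of [A-Za-z0-9_-]; "20 or more" is an assumption.
  grep -Eq '^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[A-Za-z0-9_-]{20,}[[:space:]]*$' "$f" \
    || { echo "$f has no usable dns_cloudflare_api_token line" >&2; return 1; }
}

# certbot_cmd ZONE: print the Step 5 certbot command for a wildcard cert on
# ZONE. Printed rather than run so it can be reviewed or logged first.
certbot_cmd() {
  zone=$1
  printf '%s' "certbot certonly --register-unsafely-without-email --dns-cloudflare" \
    " --dns-cloudflare-credentials $CF_DIR/$zone.ini" \
    " -d $zone -d '*.$zone' --dns-cloudflare-propagation-seconds 60" \
    " --deploy-hook '$DEPLOY_HOOK'"
  echo
}

# issue_all: for every ZONE.ini in CF_DIR, verify the file, then issue
# the wildcard certificate for that zone. Stops at the first bad file.
issue_all() {
  for f in "$CF_DIR"/*.ini; do
    zone=$(basename "$f" .ini)
    check_cf_creds "$f" || return 1
    eval "$(certbot_cmd "$zone")"
  done
}
```

Run `install_cf_creds example.com YOUR_TOKEN` once per zone, then `issue_all`; a file left at 644 by hand editing is refused before the token is ever sent anywhere.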

Step 6: Donate a cup of coffee

I run this blog in my spare time. If I helped you, I’d love another cup of coffee! *starts shaking*