Let's Encrypt provides free SSL wildcard certificates. Issuing one requires a DNS challenge, so we have to prove that we control the domain by publishing a DNS record.
Each renewal needs a fresh DNS challenge; because of this, we have to update our DNS every 3 months.
Because Cloudflare manages our DNS, certbot cannot create those DNS records on its own, so the certificate auto-renew functionality does not work out of the box.
To solve this, we give the Let's Encrypt certbot a Cloudflare API token so it can perform the DNS updates itself.
First, we need to get the latest version of Let's Encrypt certbot.
snap install core; snap refresh core
apt-get remove certbot
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
We need to install the Let's Encrypt Cloudflare plugin.
snap set certbot trust-plugin-with-root=ok
snap install certbot-dns-cloudflare
The Let's Encrypt certbot needs a Cloudflare API token. To generate one, log in to our Cloudflare account and open the API tokens page (https://dash.cloudflare.com/profile/api-tokens); the token only needs the "Zone: DNS: Edit" permission.
Next, we need to create a "cloudflare.ini" file.
vi ~/cloudflare.ini
Then we add the generated token to it as a single line, like the following (the X's stand in for the real token).
dns_cloudflare_api_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Finally, we save the file and restrict its permissions so that only the owner can read it.
chmod 600 ~/cloudflare.ini
Once the API token is configured, we need to generate a new certificate using the following command.
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/cloudflare.ini \
-d sertxudeveloper.com \
-d '*.sertxudeveloper.com'
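Since the token in cloudflare.ini can edit our DNS zone, it is worth checking the file before every renewal. The following shell script is an added example, not part of the original post or of certbot: it verifies that the credentials file exists, has mode 600, uses a scoped API token rather than the legacy Global API Key (dns_cloudflare_api_key, which has full account access), and does not still contain the X placeholder. The helper write_sample_ini only produces constructed sample files for trying the check out.

```shell
#!/bin/sh
# Sanity checks for a certbot-dns-cloudflare credentials file, meant to run
# before `certbot renew`. Returns 0 when the file looks right, 1 otherwise,
# and prints each finding. Assumes POSIX find, grep and sed.
check_cloudflare_ini() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # The token can edit the zone's DNS, so nobody but the owner may read it.
    if [ -z "$(find "$f" -perm 600 2>/dev/null)" ]; then
        echo "bad permissions on $f (expected 600)"
        rc=1
    fi
    # The legacy Global API Key grants full account access; a token scoped to
    # Zone:DNS:Edit is what the plugin should be given instead.
    if grep -q '^dns_cloudflare_api_key' "$f"; then
        echo "uses dns_cloudflare_api_key (Global API Key); use a scoped token"
        rc=1
    fi
    token=$(sed -n 's/^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ -z "$token" ]; then
        echo "no dns_cloudflare_api_token entry in $f"
        rc=1
    elif printf '%s\n' "$token" | grep -q '^X*$'; then
        echo "dns_cloudflare_api_token still holds the X placeholder"
        rc=1
    fi
    return "$rc"
}

# Writes a constructed credentials file (sample data only, not a real token)
# in the one-line format certbot expects, with the given mode.
write_sample_ini() {
    printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1"
    chmod "$3" "$1"
}

# Usage: sh check_cloudflare_ini.sh ~/cloudflare.ini && certbot renew
if [ "$#" -gt 0 ]; then
    check_cloudflare_ini "$1"
fi
```

Hook it in front of the renewal (for example in a cron job or a systemd timer's ExecStart) so a renewal is not attempted with a world-readable or placeholder credentials file.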