Wildcard certificate from Let’s Encrypt with CloudFlare DNS

If you’re using CloudFlare to host your DNS, there is a plugin for the official Let’s Encrypt client Certbot that you can use to easily acquire and renew wildcard certificates from Let’s Encrypt. Wildcard certificates are only issued via the DNS-01 challenge, which requires placing a TXT record under your domain, and the plugin automates exactly that.

CloudFlare API credentials

Since we’re going to use CloudFlare’s DNS to verify our domain for Let’s Encrypt, we (or rather Certbot) will need to use CloudFlare’s API to create some verification DNS records on the fly.

To get your API key, login to your CloudFlare dashboard, go to your profile and at the bottom, click “View” next to “Global API key”.

Now, when you get the key and you see the warning “Protect this key like a password!”, this is an understatement. If you follow best practices, you have secured your CloudFlare account with two-factor authentication. This API key is more powerful than a password, because anyone holding it bypasses two-factor authentication entirely: the email address associated with the account plus this key is all that is needed, and the Global API key has full control over every zone and setting in the account, not just DNS for the domain you are certifying. Protect this key even better than your passwords! If your version of the plugin supports CloudFlare’s scoped API tokens, prefer a token restricted to editing DNS on the zones you need over the Global API key.

Now store your credentials on your server, in a file that is readable by root only. I always store them in a file whose name makes clear to me that these are secret credentials for CloudFlare, accessible by root only, namely /root/.secrets/cloudflare.ini.

Create the directory if it does not exist yet, and make it accessible by root only:

$ sudo mkdir -p /root/.secrets/
$ sudo chmod 0700 /root/.secrets/

Once you have created the file with the content shown below, restrict it too (Certbot warns about the credentials file if it is readable by group or others):

$ sudo chmod 0400 /root/.secrets/cloudflare.ini

The content will look somewhat like this. Replace the email address with your account email address, and the API key with the one you viewed in the CloudFlare admin panel earlier.

dns_cloudflare_email = "[email protected]"
dns_cloudflare_api_key = "4003c330b45f4fbcab420eaf66b49c5cbcab4"
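The credential setup above as one script, added here as an example (it is not part of the original post, nor of Certbot or its plugin): it creates the directory and file with the permissions described, writes the file under a restrictive umask so the key is never even briefly readable by other users, and then checks the result the way Certbot does before it will use the file. The SECRETS_DIR variable, the script name and the email/key values are assumptions for illustration; newer plugin versions also accept a scoped dns_cloudflare_api_token line instead of the email and Global API key, which the check allows for.

```shell
#!/bin/sh
# Added example, not from the original post: create the credentials file that
# certbot-dns-cloudflare reads, with the same root-only permissions the post
# describes, and verify them before pointing Certbot at it.
# Assumptions: SECRETS_DIR defaults to /root/.secrets as in the post and can be
# overridden (e.g. for testing without root); email/key values are placeholders.
set -eu

SECRETS_DIR="${SECRETS_DIR:-/root/.secrets}"
CREDS_FILE="$SECRETS_DIR/cloudflare.ini"

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_cloudflare_credentials EMAIL API_KEY
# Creates the directory 0700 and writes the ini under umask 077, so the secret
# is never group/world readable at any point, then locks the file to 0400.
write_cloudflare_credentials() {
    email="$1"; api_key="$2"
    mkdir -p -m 0700 "$SECRETS_DIR"
    chmod 0700 "$SECRETS_DIR"
    rm -f "$CREDS_FILE"
    (
        umask 077
        printf 'dns_cloudflare_email = "%s"\ndns_cloudflare_api_key = "%s"\n' \
            "$email" "$api_key" > "$CREDS_FILE"
    )
    chmod 0400 "$CREDS_FILE"
}

# check_credentials_file FILE
# Returns 0 only if FILE has no group/other permission bits (Certbot warns on
# anything looser) and holds either a Global API key plus email, or a scoped
# dns_cloudflare_api_token, which newer plugin versions accept instead.
check_credentials_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    m=$(mode_of "$f")
    case "$m" in
        *00) ;;
        *) echo "unsafe permissions $m on $f (expected 0400 or 0600)" >&2; return 1 ;;
    esac
    if grep -q '^dns_cloudflare_api_token = ' "$f"; then
        return 0
    fi
    grep -q '^dns_cloudflare_email = ' "$f" || { echo "no email in $f" >&2; return 1; }
    grep -q '^dns_cloudflare_api_key = ' "$f" || { echo "no API key in $f" >&2; return 1; }
    return 0
}

# Usage: sudo sh setup-cloudflare-creds.sh you@example.com YOUR_GLOBAL_API_KEY
if [ "$#" -eq 2 ]; then
    write_cloudflare_credentials "$1" "$2"
    check_credentials_file "$CREDS_FILE" && echo "credentials ready at $CREDS_FILE"
fi
```

Run it once as root with your account email and key; rerunning check_credentials_file later (for instance from a configuration audit) catches the common mistake of a credentials file that was edited and left 0644.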

Install Certbot and the CloudFlare DNS authenticator plugin

Both Certbot itself and its plugins are written in Python and can be installed with PIP. If you don’t have PIP installed and are using Ubuntu, you can install it with the command below. On current Ubuntu releases the package is python3-pip; the older python-pip package is the Python 2 version, which Certbot no longer supports:

$ sudo apt install python3-pip

If you are running a different Linux distribution, there are similar packages for installing PIP.

Now, you can use PIP to install the CloudFlare DNS authenticator plugin for Certbot. Certbot itself is a dependency of the plugin, so you get Certbot installed too. Current Certbot documentation recommends doing this inside a virtualenv rather than into the system Python; if you do, substitute the virtualenv’s bin directory for /usr/local/bin in the commands below (and use pip3 on systems where pip still points at Python 2):

$ sudo pip install certbot-dns-cloudflare

Now you should have Certbot installed in /usr/local/bin/certbot, with the CloudFlare DNS authenticator plugin installed and registered alongside it. Smooth, huh?

Run Certbot with the CloudFlare Authenticator

Now, getting a new wildcard certificate is as simple as running:

$ sudo /usr/local/bin/certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d 'example.com,*.example.com' --preferred-challenges dns-01

The wildcard is quoted so the shell does not try to expand it as a file glob. certonly means Certbot only obtains the certificate and does not touch your web server configuration. The plugin creates the _acme-challenge TXT records through the API, waits a short time for them to propagate, and removes them again once validation is done; if validation fails because the record was not visible yet, the plugin’s propagation wait (--dns-cloudflare-propagation-seconds, default 10) can be raised.

This should fetch a new certificate covering both example.com and *.example.com and store it, together with its private key, as /etc/letsencrypt/live/example.com/fullchain.pem and privkey.pem. Both names are listed because a wildcard only matches a single label: *.example.com covers www.example.com but not example.com itself, nor a.b.example.com.
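To confirm what the new certificate actually covers, the following script, added here as an example and not part of the original post, extracts the DNS names from a certificate’s subjectAltName and applies the one-label wildcard rule to a hostname. The file path, the script name and the constructed SAN string used for testing are assumptions; it needs openssl on the PATH only when run against a real certificate file.

```shell
#!/bin/sh
# Added example, not from the original post: check which hostnames the issued
# certificate really covers. A wildcard matches exactly one label, so
# *.example.com covers www.example.com but neither example.com itself nor
# a.b.example.com; that is why the certbot command lists both names.
# Assumptions: openssl is on PATH when run against a real file; the SAN text
# used in testing is constructed to look like OpenSSL's
# "X509v3 Subject Alternative Name" line.
set -eu

# cert_san_text FILE: the subjectAltName line of the first certificate in FILE,
# e.g. "DNS:example.com, DNS:*.example.com".
cert_san_text() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# san_dns_names "SAN_TEXT": one lower-cased DNS name per line; other SAN
# types (IP addresses, email) are dropped.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z'
}

# name_matches_san HOST SAN: 0 if HOST is covered by this single SAN entry.
name_matches_san() {
    host="$1"; san="$2"
    case "$san" in
        '*.'*)
            suffix="${san#\*.}"
            label="${host%.$suffix}"
            # HOST must end in ".$suffix" and the remainder must be exactly one
            # non-empty label with no further dots (the RFC 6125 wildcard rule).
            [ "$label" != "$host" ] || return 1
            case "$label" in
                ''|*.*) return 1 ;;
            esac
            return 0
            ;;
        *)
            [ "$host" = "$san" ]
            ;;
    esac
}

# cert_covers HOST "SAN_TEXT": 0 if any DNS SAN covers HOST.
cert_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    found=1
    while IFS= read -r san; do
        if name_matches_san "$host" "$san"; then
            found=0
            break
        fi
    done <<EOF
$(san_dns_names "$2")
EOF
    return "$found"
}

# Usage: sh check-cert.sh /etc/letsencrypt/live/example.com/fullchain.pem www.example.com
if [ "$#" -eq 2 ]; then
    sans=$(cert_san_text "$1")
    if cert_covers "$2" "$sans"; then
        echo "$2 is covered by: $sans"
    else
        echo "$2 is NOT covered by: $sans" >&2
        exit 1
    fi
fi
```

Running it against fullchain.pem with the hostnames your services actually use is a quick way to catch a certificate that was requested with the wildcard only and therefore does not cover the bare domain.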

Automatic renewals

Now, if you run /usr/local/bin/certbot renew, your certificate is renewed if it is due (Certbot renews once fewer than 30 days of validity remain). This uses the secret credentials you saved, so no interaction is needed. The renew command also accepts a --dry-run option that exercises the whole DNS challenge against the Let’s Encrypt staging environment without issuing anything, which is worth running once before relying on cron. If you like, you can create a crontab entry like this:

14 5 * * * /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1

Note that a --post-hook runs every time the cron job fires, whether or not anything was renewed; --deploy-hook runs only after a certificate was actually renewed, which is usually what you want for a service reload. Now your wildcard certificate will renew fully automatically without any interaction needed on your side.

