arrow_upward

Pages (2):
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Fully automated Let's Encrypt certificate renewal with CloudFlare
#1
Fully automated Let's Encrypt certificate renewal with CloudFlare


Hello Post4VPS Community!

The subject of todays guide is to provide you all necessary information in order to setup fully automated Let's Encrypt (wildcard) certificate renewals with the help of CloudFlare as your DNS provider. In this guide we will not be using any CDN or other features provided by CloudFlare - only their anycast DNS service. CloudFlare is officially supported by Let's Encrypt for automated renewals through their new ACMEv2 API (domain verification by DNS and wildcard certificates).

The sample setup used during the creation of this guide is a server that is running Debian "Buster" 10, Nginx 1.17.8 (dockerized) acting as a web server and a recent copy of Let's Encrypt Certbot. A big thanks to NanoKVM @Neoon for providing the server free of charge to make this possible. Checkout NanoKVM and this thread for more information.

I'm using one of my eu.org domains and my own CloudFlare account. In order to make this guide independent from OS, web server and other things I will not cover topics such as a) how to install any OS, b) how to install any web server and c) how to install Cerbot or alike. Therefore I will be using Certbot with parameters to request only certificates and omit automatic setup of web servers supported by Certbot. Certificate setup on the web server is again a point that strongly depends on the web server used.

Furthermore I will not cover how to setup your domain with your Cloudflare account. This is easy and CloudFlare provides clear instructions that are easy to follow. Just as a note: when you create the DNS records for your domain simply don't tunnel them through CloudFlare (the little cloud icon should be grey) to use only their DNS service and omit any other feature such as their own SSL service or others. Basically said this guide requires prior knowledge with web servers, DNS and the ability to look up how to install a Let's Encrypt client like Certbot.




Prerequisites
  • a server with a server Linux OS of your choice (Debian, Ubuntu, CentOS, etc.)
  • a web server of your choice to use with the SSL certificate (Nginx, Apache, etc.)
  • a copy of a Certbot client should be installed on your server (certbot, certbot-auto, etc.)
  • a free CloudFlare account to use their DNS service with your domain
  • a domain that is already pointed to your CloudFlare with DNS records already setup

In addition to the above prerequisites you need, as I already said before, intermediate knowledge with topics such as a) how to install a web server and set it up, b) how to install a Let's Encrypt client on your server, c) basic Linux knowledge that you should already have if you did the previously mentioned things and d) simply said also knowledge of how to setup DNS for your domain. This guide is not spoon-feeding!




Get your CloudFlare API key

To be able to actually perform automated Let's Encrypt certificate renewals you need your CloudFlare API token that has access to your DNS zones and can manage them. Through this API key the Let's Encrypt client can perfrom all necessary steps to perform the DNS verification for your domain, issue the certificate AND later on perform renewals that also generally require a re-verification of domain ownership through DNS.

  1. Open your browser and go to the CloudFlare homepage.
  2. Sign in with your CloudFlare account to proceed.
  3. Click on the profile icon at the top and select "My Profile" in the dropdown menu.
  4. On the page that is now open go to "API Tokens" option at the top.
  5. Down in the area "API Keys" click on the blue "View" button for the "Global API Key".
  6. Enter your CloudFlare account password and you will get your API key.
  7. Save this API key and always remember to keep it safe!

You have to keep the API key very safe as it allows basically full access to all features and functions of your CloudFlare account! You could create a dedicated API Token with access only to DNS zones but this is a very different matter and requires full knowledge of the available options when creating such dedicated tokens which is at the moment out of my scope and knowledge. If some permission is missing for the API token it is possible that the setup and renewal will simply fail as the Let's Encrypt client won't be able to perform its tasks.


Create a credential file for your API key

To make it easier to use the CloudFlare API key on your server you can create a simple credential file that contains all necessary information for the Let's Encrypt client or other software to use the CloudFlare API through your account and for you domains.

If you use a user that has sudo rights to perform any of the commands below always remember to add "sudo" before any of the commands where necessary!

  1. Connect to your server and login as root or a user that has sudo rights.
  2. Create a directory called ".secrets" (you can actually call it how you want) with mkdir like:
    mkdir ~/.secrets
  3. Create a empty file called cloudflare.ini inside the .secrets folder like:
    touch ~/.secrets/cloudflare.ini
  4. Open the cloudflare.ini with a text editor like nano:
    nano ~/.secrets/cloudflare.ini
  5. Paste the following into the file and fill in your CloudFlare e-mail address and the API key.
    dns_cloudflare_email = "emailaddress"
    dns_cloudflare_api_key = "apikey"
  6. Save the file and close the text editor.
  7. To improve the security of the credential file setup the follow permissions for the folder and the file like:
    chmod 0700 ~/.secrets/
    chmod 0400 ~/.secrets/cloudflare.ini

That's it! Now you have a file that contains your CloudFlare API credentials to use them with the Let's Encrypt client or other software if necessary. We will actually use this in the next part of the guide where we will request the SSL certificate for our domain.


Request a Let's Encrypt (wildcard) certificate with the CloudFlare plugin

At this point it is time to finally request the SSL certificate from Let's Encrypt for your domain using the official automated DNS verification method that supports CloudFlare DNS through the API.

If you use a user that has sudo rights to perform any of the commands below always remember to add "sudo" before any of the commands where necessary!

  1. Install the certbot CloudFlare plugin:
    apt-get install python3-certbot-dns-cloudflare
  2. Run the following command to request a wildcard certificate for your domain:
    certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01
    Remember to replace the domain with your actual domain that is hosted with CloudFlare DNS service.
  3. Fill in your e-mail address.
  4. Agree to all terms of services and similar agreements displayed to you.
  5. Wait for the client to perform the certificate request and DNS verification.
  6. Bingo! You have your certificate.

You can see if auto renewal will with the dry-run option of certbot:
certbot renew --dry-run

The simulated certificate renewal should be running successfully.

You should create a cronjob that will run the renewal command and restart your web server after the certificate has been renewed.

Something like:
1 5 * * * /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
This runs the renewal command every night at 01:05 and also restarts your web server afterwards. Again adjust the commands to your system and web server!




Now you have a free wildcard SSL certificate for your domain provided by Let's Encrypt and you have setup automated renewals based on CloudFlare DNS and the CloudFlare plugin for cerbot that performs automatic DNS domain verification. This way you never have to worry about expiring SSL certificates for your websites.

Again a huge thanks to @Neoon and his awesome NanoKVM service!

Thank you for reading my guide and I hope that it helps you with your journey on the web and as a VPS owner/webmaster.
[Image: zHHqO5Q.png]
#2
Great tutorial but would it show Let's Encrypt as my website SSL or it'll show Cloudflare's SSL?
#3
@AmirGT

If you follow this guide you are only using the free DNS service of CloudFlare and no other feature provided by CloudFlare (I mentioned this part multiple times in the OP post). Therefore the SSL/TLS certificate shown for your domain is Let's Encrypt. Rather said for this guide to actually work you have to use the DNS feature only and nothing else.

If you use any other CloudFlare feature you automatically use their CDN which automatically would force their SSL certificate onto your domains. And that is a huge security risk due to the "man in the middle".

That said you obviously have to do the DNS setup part on CloudFlare yourself and not use any other CloudFlare feature while doing that part.
[Image: zHHqO5Q.png]
#4
Sorry about the late reply, I didn't see this thread at all.

Very nice and detailed tutorial, unfortunately I did all of this before you posted this, I had to setup SSL on my VPS 9 with CloudFlare DNS. You literally anticipated me again, because I listed this tutorial on my "setting up from scratch" series but due to exams and other personal staff all got delayed.

Can I link this tutorial on the guide?
Thanks to Post4VPS and Bladenodefor VPS 14
#5
@LightDestory

Feel free to link to this guide in your threads if you wish.

Be aware though that this guide is not entirely newbie friendly. It doesn't cover how to setup DNS with Cloudflare, how to install a web server and also not how to install Cerbot and such things. This is really only about using Certbot with the CloudFlare plugin and CloudFlare DNS service with API access to request certificates. Moreover this doesn't even cover how to install/use the requested cerificate with a web server.

I don't/didn't have time to make a guide that would include some steps or all of the steps I left out.
[Image: zHHqO5Q.png]
#6
Wow, thats a great tutorial hidden!
But i have a question.
If i installed it on a vps that already have ogp, will that affect on ogp? I mean like themes because some themes support http only
#7
@youssefbasha

Well, how can I answer this question with such little information and no experience with OGP???

I would say that it would cause no real problem or no problem that you can't easily solve. Sites using HTTPS can still load HTTP resources unless this was forbidden by web server configurations. On the other hand you can easily edit the theme files and change all HTTP to HTTPS links for resources. Easy enough to do this.

However if you can manage to do that... not for me to decide.


Imho:
It would be actually a good design step on theme developent to actually never use a protocol when loading resources (like //www.url.to/aresource.ext). This way the themes will automatically load the resources over the protocol that the site uses. So if your site uses HTTPS the resources will load over HTTPS, too. That said to have this working all resources need to be available over HTTPS. Nowadays if you are still using pure HTTP you are doing it wrong . No excuse to no use HTTPS nowadays with free wildcard TLS certificates and other resources being free to use/available for free.
[Image: zHHqO5Q.png]
#8
if im not wrong cloudflare certificate is actually have really long expiration date unlike lets encrypt 3 month

for lets encrypt itself without the cloudflare part you can use certbot and it is compatible with apache and nginx . the problem is that it doesnt support free cloudflare . you need to pay for using ucstom certificate . so just use cloudflare certificate
Terminal
humanpuff69@FPAX:~$ Thanks To Shadow Hosting And Post4VPS for VPS 5
#9
(02-16-2020, 02:04 AM)humanpuff69 Wrote: if im not wrong cloudflare certificate is actually have really long expiration date unlike lets encrypt 3 month

for lets encrypt itself without the cloudflare part you can use certbot and it is compatible with apache and nginx . the problem is that it doesnt support free cloudflare . you need to pay for using ucstom certificate . so just use cloudflare certificate

You can use Buypass SSL, it's valid for 6 months, or TrustAsia, it's valid for one year but both are only DV, they don't support multi-domains or wildcard unlike Let's Encrypt.
Get Buypass SSL from HERE / Get TrustAsia SSL from HERE
#10
@humanpuff69 @AmirGT

Quote:In this guide we will not be using any CDN or other features provided by CloudFlare - only their anycast DNS service.

Quote:Just as a note: when you create the DNS records for your domain simply don't tunnel them through CloudFlare (the little cloud icon should be grey) to use only their DNS service and omit any other feature such as their own SSL service or others.

When you use CloudFlare DNS only you don't get any CloudFlare SSL because your websites aren't tunneled through the CloudFlare CDN network. You are only using their DNS hosting and nothing else if you want to follow this guide and have LE SSL/TLS.

How everyone seems to ignore this although it is mentioned in the thread. Did I explain it wrong? Not enough detail? What would help to make it more understandable?
[Image: zHHqO5Q.png]
Pages (2):


Possibly Related Threads…
Thread
Author
Replies
Views
Last Post
5,625
06-09-2018, 07:18 PM
Last Post: Kururin

person_pin_circle Users browsing this thread: 3 Guest(s)
Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - Hyper Expert - Shadow Hosting - Bladenode - Hostlease - RackNerd - ReadyDedis - Limitless Hosting