02-01-2020, 07:40 PM
Fully automated Let's Encrypt certificate renewal with CloudFlare
Hello Post4VPS Community!
The subject of today's guide is to provide you all necessary information in order to set up fully automated Let's Encrypt (wildcard) certificate renewals with the help of CloudFlare as your DNS provider. In this guide we will not be using any CDN or other features provided by CloudFlare - only their anycast DNS service. CloudFlare is officially supported by Let's Encrypt for automated renewals through their new ACMEv2 API (domain verification by DNS and wildcard certificates).
The sample setup used during the creation of this guide is a server that is running Debian "Buster" 10, Nginx 1.17.8 (dockerized) acting as a web server and a recent copy of Let's Encrypt Certbot. A big thanks to NanoKVM @Neoon for providing the server free of charge to make this possible. Check out NanoKVM and this thread for more information.
I'm using one of my eu.org domains and my own CloudFlare account. In order to make this guide independent from OS, web server and other things I will not cover topics such as a) how to install any OS, b) how to install any web server and c) how to install Certbot or alike. Therefore I will be using Certbot with parameters to request only certificates and omit automatic setup of web servers supported by Certbot. Certificate setup on the web server is again a point that strongly depends on the web server used.
Furthermore I will not cover how to set up your domain with your CloudFlare account. This is easy and CloudFlare provides clear instructions that are easy to follow. Just as a note: when you create the DNS records for your domain simply don't tunnel them through CloudFlare (the little cloud icon should be grey) to use only their DNS service and omit any other feature such as their own SSL service or others. Basically said, this guide requires prior knowledge of web servers, DNS and the ability to look up how to install a Let's Encrypt client like Certbot.
Prerequisites
- a server with a server Linux OS of your choice (Debian, Ubuntu, CentOS, etc.)
- a web server of your choice to use with the SSL certificate (Nginx, Apache, etc.)
- a copy of a Certbot client should be installed on your server (certbot, certbot-auto, etc.)
- a free CloudFlare account to use their DNS service with your domain
- a domain that is already pointed to your CloudFlare with DNS records already setup
In addition to the above prerequisites you need, as I already said before, intermediate knowledge with topics such as a) how to install a web server and set it up, b) how to install a Let's Encrypt client on your server, c) basic Linux knowledge that you should already have if you did the previously mentioned things and d) simply said also knowledge of how to setup DNS for your domain. This guide is not spoon-feeding!
Get your CloudFlare API key
To be able to actually perform automated Let's Encrypt certificate renewals you need your CloudFlare API token that has access to your DNS zones and can manage them. Through this API key the Let's Encrypt client can perform all necessary steps to perform the DNS verification for your domain, issue the certificate AND later on perform renewals that also generally require a re-verification of domain ownership through DNS.
- Open your browser and go to the CloudFlare homepage.
- Sign in with your CloudFlare account to proceed.
- Click on the profile icon at the top and select "My Profile" in the dropdown menu.
- On the page that is now open go to "API Tokens" option at the top.
- Down in the area "API Keys" click on the blue "View" button for the "Global API Key".
- Enter your CloudFlare account password and you will get your API key.
- Save this API key and always remember to keep it safe!
You have to keep the API key very safe as it allows basically full access to all features and functions of your CloudFlare account! You could create a dedicated API Token with access only to DNS zones but this is a very different matter and requires full knowledge of the available options when creating such dedicated tokens which is at the moment out of my scope and knowledge. If some permission is missing for the API token it is possible that the setup and renewal will simply fail as the Let's Encrypt client won't be able to perform its tasks.
Create a credential file for your API key
To make it easier to use the CloudFlare API key on your server you can create a simple credential file that contains all necessary information for the Let's Encrypt client or other software to use the CloudFlare API through your account and for your domains.
If you use a user that has sudo rights to perform any of the commands below always remember to add "sudo" before any of the commands where necessary!
- Connect to your server and login as root or a user that has sudo rights.
- Create a directory called ".secrets" (you can actually call it how you want) with mkdir like:
Code:
mkdir ~/.secrets
- Create an empty file called cloudflare.ini inside the .secrets folder like:
Code:
touch ~/.secrets/cloudflare.ini
- Open the cloudflare.ini with a text editor like nano:
Code:
nano ~/.secrets/cloudflare.ini
- Paste the following into the file and fill in your CloudFlare e-mail address and the API key.
Code:
dns_cloudflare_email = "emailaddress"
dns_cloudflare_api_key = "apikey"
- Save the file and close the text editor.
- To improve the security of the credential file set up the following permissions for the folder and the file like:
Code:
chmod 0700 ~/.secrets/
chmod 0400 ~/.secrets/cloudflare.ini
That's it! Now you have a file that contains your CloudFlare API credentials to use them with the Let's Encrypt client or other software if necessary. We will actually use this in the next part of the guide where we will request the SSL certificate for our domain.
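As an added example (not part of the original post), the same credential-file setup as a small POSIX shell script: the directory and file get their restrictive permissions before the secret is ever written (so the key never sits world-readable, not even for a moment), and a pre-flight check refuses to proceed when the file is readable by others or is missing one of the two keys the certbot plugin expects. The path under a temporary directory, the e-mail address and the key value are constructed placeholders; the mode check assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original post: create the CloudFlare credential
# file with restrictive permissions from the start, then verify it before use.
set -eu

# write_cloudflare_credentials FILE EMAIL APIKEY
# Creates the parent directory as 0700 and the .ini as 0400. umask 077 is set
# before anything is created, and the file is written to a temp name in the
# same directory and renamed into place, so no intermediate state is readable
# by other users.
write_cloudflare_credentials() {
    file=$1; email=$2; apikey=$3
    dir=$(dirname "$file")
    (
        umask 077
        mkdir -p "$dir"
        chmod 0700 "$dir"
        tmp=$(mktemp "$dir/.cloudflare.XXXXXX")   # mktemp creates it as 0600
        printf 'dns_cloudflare_email = "%s"\ndns_cloudflare_api_key = "%s"\n' \
            "$email" "$apikey" > "$tmp"
        chmod 0400 "$tmp"
        mv -f "$tmp" "$file"
    )
}

# check_credentials_perms FILE
# Returns 0 only when FILE exists, is readable by its owner alone (mode 400 or
# 600) and contains both keys the dns-cloudflare plugin reads. Meant to run
# before certbot, e.g. as the first command of a renewal cron job.
# Assumes GNU stat (Linux) for the octal mode.
check_credentials_perms() {
    file=$1
    [ -f "$file" ] || { echo "missing credential file: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        400|600) ;;
        *) echo "refusing: $file has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    grep -q '^dns_cloudflare_email *= *"..*"' "$file" \
        || { echo "no dns_cloudflare_email in $file" >&2; return 1; }
    grep -q '^dns_cloudflare_api_key *= *"..*"' "$file" \
        || { echo "no dns_cloudflare_api_key in $file" >&2; return 1; }
    return 0
}

# Stand-alone demonstration under a temporary directory, so it is safe to run
# anywhere; e-mail and key are constructed placeholders.
demo() {
    d=$(mktemp -d)
    write_cloudflare_credentials "$d/.secrets/cloudflare.ini" \
        "admin@example.com" "CONSTRUCTED_PLACEHOLDER_KEY"
    check_credentials_perms "$d/.secrets/cloudflare.ini" && echo "credential file OK"
    rm -rf "$d"
}

demo
```

Running check_credentials_perms before the certbot command in the cron job means a permission change (a careless chmod -R, a restore from backup with default modes) is noticed at the next renewal attempt rather than going unnoticed while the key stays exposed.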
Request a Let's Encrypt (wildcard) certificate with the CloudFlare plugin
At this point it is time to finally request the SSL certificate from Let's Encrypt for your domain using the official automated DNS verification method that supports CloudFlare DNS through the API.
If you use a user that has sudo rights to perform any of the commands below always remember to add "sudo" before any of the commands where necessary!
- Install the certbot CloudFlare plugin:
Code:
apt-get install python3-certbot-dns-cloudflare
- Run the following command to request a wildcard certificate for your domain:
Remember to replace the domain with your actual domain that is hosted with the CloudFlare DNS service.
Code:
certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01
- Fill in your e-mail address.
- Agree to all terms of services and similar agreements displayed to you.
- Wait for the client to perform the certificate request and DNS verification.
- Bingo! You have your certificate.
You can check whether auto renewal will work with the dry-run option of certbot:
Code:
certbot renew --dry-run
The simulated certificate renewal should be running successfully.
You should create a cronjob that will run the renewal command and restart your web server after the certificate has been renewed.
Something like:
Code:
5 1 * * * /usr/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
This runs the renewal command every night at 01:05 and also restarts your web server afterwards. Again adjust the commands to your system and web server!
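The cron line above uses --post-hook, which certbot runs after every renewal attempt, renewed or not. Certbot also offers --deploy-hook, which runs only when a certificate was actually issued or renewed and exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS to the hook. As an added example that is not part of the original post, here is a hook script of that kind: it reloads the web server only for a real renewal, refuses to deploy when the lineage is incomplete or the private key has become readable by other users, and leaves a syslog line so a renewal that never happens is visible. RELOAD_CMD is this script's own variable (adjust it to your web server); the sample lineage built in the demonstration is constructed, and the mode check assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot --deploy-hook script.
# Register it with: certbot renew --quiet --deploy-hook /usr/local/sbin/reload-on-renew.sh
# (script path is a placeholder). certbot exports RENEWED_LINEAGE and
# RENEWED_DOMAINS to the hook; RELOAD_CMD is this script's own setting.
set -eu

RELOAD_CMD=${RELOAD_CMD:-"/usr/sbin/service nginx reload"}   # adjust to your web server

# reload_if_renewed LINEAGE_DIR DOMAINS
# Returns 0 after a successful reload. Returns 1 without reloading when the
# lineage lacks fullchain.pem/privkey.pem or the private key is readable by
# group/others: deploying an exposed key is worse than serving the old cert.
reload_if_renewed() {
    lineage=$1; domains=$2
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] \
            || { echo "deploy hook: $lineage/$f missing or empty" >&2; return 1; }
    done
    # live/privkey.pem is a symlink into ../../archive; -L checks the real file.
    mode=$(stat -L -c '%a' "$lineage/privkey.pem")
    case "$mode" in
        ?00|0) ;;
        *) echo "deploy hook: $lineage/privkey.pem has mode $mode, refusing" >&2; return 1 ;;
    esac
    logger -t certbot-deploy "renewed $domains ($lineage), reloading web server" 2>/dev/null || true
    sh -c "$RELOAD_CMD"
}

# When invoked by certbot the environment carries the lineage; when run by hand
# without it, nothing happens.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_renewed "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-unknown}"
fi
```

Because the hook exits non-zero when it refuses to deploy, certbot reports the hook failure in its own output and exit status, so the same cron job that triggers renewal also surfaces the problem instead of silently reloading nothing.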
Now you have a free wildcard SSL certificate for your domain provided by Let's Encrypt and you have set up automated renewals based on CloudFlare DNS and the CloudFlare plugin for certbot that performs automatic DNS domain verification. This way you never have to worry about expiring SSL certificates for your websites.
Again a huge thanks to @Neoon and his awesome NanoKVM service!
Thank you for reading my guide and I hope that it helps you with your journey on the web and as a VPS owner/webmaster.