You may have configured a certbot certificate to use the webroot validation method but wish to use the Cloudflare DNS method instead. Using the Cloudflare DNS method allows you to renew your certificate independently of your web server's state and configuration. These instructions apply to Red Hat-style distributions, e.g., AlmaLinux, Rocky Linux, and CentOS.
Generate a Cloudflare API Token for your Domain
Reference: Create API token (Cloudflare Fundamentals docs)
You will need to create a token that allows Zone:DNS:Edit to your desired domain. In accordance with the principle of least privilege, you may wish to permit requests only from your system’s static IP address (if applicable).
Store the Token
Save the token on your system. Since this file contains privileged information, ensure that its location and permissions are secure, e.g.:
# vi /etc/letsencrypt/cloudflare_api.token
dns_cloudflare_api_token = [YOUR CLOUDFLARE API TOKEN]
# chmod 600 /etc/letsencrypt/cloudflare_api.token
Install Required Packages
# dnf -y install python3-certbot-dns-cloudflare
List Certificates
Use certbot certificates to list the configured certificates and note the Certificate Name of the certificate you wish to reconfigure.
# certbot certificates
Found the following certs:
Certificate Name: onezeroone.dev
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: onezeroone.dev www.onezeroone.dev
Expiry Date: 2023-12-06 20:11:24+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/onezeroone.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/onezeroone.dev/privkey.pem
Reconfigure the Certificate
Use the following command to reconfigure your desired certificate.
# certbot reconfigure --cert-name onezeroone.dev --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare_api.token --dns-cloudflare-propagation-seconds 60
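Before running the reconfigure step it is worth checking that the credentials file is locked down and actually contains a token, since a world-readable file leaks the API token to every local account. The following script is an added example, not part of the original post; it assumes the file path and certificate name used above and GNU coreutils stat (as on Red Hat-style systems).

```shell
#!/bin/sh
# Added example (not from the original post): validate the Cloudflare
# credentials file before handing it to certbot, then build the
# reconfigure command from the post.

# check_cf_credentials FILE
# Returns 0 when FILE exists, is mode 600 or 400 (not group/world readable)
# and holds a non-placeholder dns_cloudflare_api_token value; otherwise
# prints the reason to stderr and returns 1.
check_cf_credentials() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # GNU stat: octal permission bits, e.g. 600
    mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo "stat failed: $f" >&2; return 1; }
    case "$mode" in
        600|400) ;;
        *) echo "insecure mode $mode on $f (expected 600)" >&2; return 1 ;;
    esac
    # Accept "key = value" or "key=value"; reject the [PLACEHOLDER] from the post
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n1)
    case "$token" in
        ""|"["*) echo "no real dns_cloudflare_api_token in $f" >&2; return 1 ;;
    esac
    return 0
}

# build_reconfigure_cmd CERT_NAME CRED_FILE [PROPAGATION_SECONDS]
# Prints the certbot reconfigure command from the post (default 60 s propagation).
build_reconfigure_cmd() {
    printf 'certbot reconfigure --cert-name %s --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds %s\n' \
        "$1" "$2" "${3:-60}"
}

# Usage: sh this_script.sh onezeroone.dev /etc/letsencrypt/cloudflare_api.token
# Only runs certbot when invoked with arguments and the checks pass.
if [ $# -ge 2 ]; then
    check_cf_credentials "$2" || exit 1
    build_reconfigure_cmd "$1" "$2" "$3"
    certbot reconfigure --cert-name "$1" --dns-cloudflare \
        --dns-cloudflare-credentials "$2" \
        --dns-cloudflare-propagation-seconds "${3:-60}"
fi
```

certbot reconfigure performs a dry-run renewal with the new settings before saving them, so a failing token or DNS permission shows up here rather than at the next scheduled renewal.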