Reconfigure a Certbot Certificate to use the Cloudflare DNS Validation Method

You may have configured a certbot certificate to use the webroot validation method but wish to use the Cloudflare DNS method instead. Using the Cloudflare DNS method allows you to renew your certificate independent of your web server state and configuration. These instructions apply to Red Hat-style distributions e.g., AlmaLinux, Rocky Linux, and CentOS.

Generate a Cloudflare API Token for your Domain

Create API token · Cloudflare Fundamentals docs

You will need to create a token that allows Zone:DNS:Edit to your desired domain. In accordance with the principle of least privilege, you may wish to permit requests only from your system’s static IP address (if applicable).

Store the Token

Save the token on your system. Since this file contains privileged information, ensure that its location and permissions are secure, e.g.:

vi /etc/letsencrypt/cloudflare_api.token

The file should contain a single line in the format the Cloudflare DNS plugin expects:

dns_cloudflare_api_token = [YOUR CLOUDFLARE API TOKEN]

Then restrict the file so that only root can read it:

chmod 600 /etc/letsencrypt/cloudflare_api.token

Install Required Packages

dnf -y install python3-certbot-dns-cloudflare

List Certificates

Use certbot certificates to list the configured certificates and note the Certificate Name of the certificate you wish to reconfigure.

certbot certificates
Found the following certs:
  Certificate Name: onezeroone.dev
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: ECDSA
    Domains: onezeroone.dev www.onezeroone.dev
    Expiry Date: 2023-12-06 20:11:24+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/onezeroone.dev/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/onezeroone.dev/privkey.pem

Reconfigure the Certificate

Use the following command to reconfigure your desired certificate.

certbot reconfigure --cert-name onezeroone.dev --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare_api.token --dns-cloudflare-propagation-seconds 60
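As an added example (not from the original post), the following POSIX shell helpers perform the token-storage and reconfigure steps in a scriptable way: the credentials file is created with mode 0600 before the token is written into it, its permissions are checked before certbot is invoked, and the reconfigure command is assembled from the certificate name. It assumes GNU coreutils (stat -c, mktemp) on a Linux host.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU coreutils on Linux.

# Write the credentials file so that it is never readable by others, even
# briefly: mktemp creates the temporary file with mode 0600, the token is
# written into it, and it is then moved into place. (Editing with vi and
# running chmod afterwards leaves a window where the file is created with
# the default umask.)
write_cf_credentials() {
    path="$1"; token="$2"
    tmp=$(mktemp "${path}.XXXXXX") || return 1
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$tmp" || return 1
    chmod 600 "$tmp" && mv "$tmp" "$path"
}

# Refuse to continue if the credentials file is missing or readable by group
# or others. certbot warns about loose permissions itself, but failing here
# keeps a renewal from running with an exposed token.
check_cf_credentials() {
    path="$1"
    [ -f "$path" ] || { echo "missing credentials file: $path" >&2; return 1; }
    mode=$(stat -c '%a' "$path") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "insecure permissions $mode on $path (expected 600)" >&2; return 1 ;;
    esac
}

# Assemble the reconfigure command shown above for a given certificate name;
# the propagation wait defaults to the 60 seconds used in the post.
reconfigure_cmd() {
    cert="$1"; creds="$2"; wait="${3:-60}"
    printf 'certbot reconfigure --cert-name %s --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds %s\n' \
        "$cert" "$creds" "$wait"
}

# Usage on the host (not executed here; CF_TOKEN is a placeholder for your token):
#   write_cf_credentials /etc/letsencrypt/cloudflare_api.token "$CF_TOKEN"
#   check_cf_credentials /etc/letsencrypt/cloudflare_api.token \
#       && eval "$(reconfigure_cmd onezeroone.dev /etc/letsencrypt/cloudflare_api.token)"
#   certbot renew --cert-name onezeroone.dev --dry-run   # confirm the DNS path renews
```

After reconfiguring, `certbot renew --dry-run` exercises the new validation method against the staging environment without touching the live certificate.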

Relevant Links