Do you want to secure your website with an SSL certificate and ensure it stays up to date automatically? Certbot along with the Cloudflare plugin simplifies the process by automating certificate issuance and renewal. Certbot is a widely used tool for obtaining and managing SSL certificates, and Cloudflare provides a reliable DNS infrastructure with handy API & Python tools to enable automation. In this tutorial, I will guide you step-by-step on how to create a new SSL certificate with Certbot and set up auto-renewal for your domain using Cloudflare.

Prerequisites

Before we begin, make sure you have the following:

  • A server with SSH access and a sudoer account
  • A Cloudflare account
  • Cloudflare domain API credentials (API key and Zone ID)

Step 1: Install Certbot and Cloudflare Plugin

To get started, ensure that Certbot is installed on your server. The installation process may vary depending on your operating system. You can refer to the Certbot documentation for detailed instructions.

Additionally, install the Certbot Cloudflare plugin:

sudo apt-get install certbot python3-certbot-dns-cloudflare

Step 2: Obtain Cloudflare API Credentials

To interact with the Cloudflare API, you’ll need API credentials. Follow these steps to obtain them:

  1. Log in to your Cloudflare account.
  2. Navigate to the “My Profile” section.
  3. Go to the “API Tokens” tab.
  4. Click on “Create Token”.
  5. Select the appropriate permissions for your token (e.g., Zone:Zone:Read, Zone:DNS:Edit).
  6. Click on “Continue to Summary”.
  7. Review the token settings and click on “Create Token”.
  8. Make note of the API token value and the Zone ID, as you’ll need them later.

Step 3: Generate the SSL Certificate

First, create a new file named .cloudflare_creds.ini and populate it with the following content:

dns_cloudflare_api_token = your_cloudflare_api_key
dns_cloudflare_zone_id = your_cloudflare_zone_id

Replace your_cloudflare_api_key and your_cloudflare_zone_id with the respective values obtained in Step 2 and save the file.

Protect your credentials:

chmod 600 /path/to/.cloudflare_creds.ini

Let this guide also be a reminder to run any public-facing applications on the server under their own unprivileged account, for example Docker running as a dedicated ‘docker’ account rather than your user account or root. This limits the damage a vulnerability in a front-end application can do, including exposure of this credentials file.
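As an added example (not part of the original post), a small preflight script that checks the credentials file from this step before Certbot is run: the file must exist, be mode 600 (or 400), and contain the dns_cloudflare_api_token key the plugin reads. The file path and the token value used for testing are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# certbot-dns-cloudflare credentials file created in Step 3.
#
# check_creds_file PATH
#   returns 0 when the file passes, 1 if missing, 2 if the mode is too
#   permissive, 3 if it does not define dns_cloudflare_api_token.
check_creds_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }

  # Octal permission bits; GNU stat first, BSD stat as a fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "insecure mode $mode on $f (expected 600)" >&2; return 2 ;;
  esac

  # The plugin needs this key; an API token scoped to Zone:Read + DNS:Edit.
  grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f" \
    || { echo "no dns_cloudflare_api_token defined in $f" >&2; return 3; }

  echo "ok: $f"
  return 0
}

# Usage: sh preflight.sh /path/to/.cloudflare_creds.ini
if [ $# -gt 0 ]; then
  check_creds_file "$1"
fi
```

Once the check passes, `sudo certbot renew --dry-run` exercises the whole DNS-01 renewal path against Let’s Encrypt’s staging environment without issuing a real certificate, which is the cheapest way to confirm the token and file permissions work together.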

Now, let’s generate the SSL certificate for your domain using Certbot and the Cloudflare plugin. Run the following command:

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /path/to/.cloudflare_creds.ini \
  -d example.com -d www.example.com

Replace example.com and www.example.com with your actual domain and any subdomains you want to include in the certificate. You can also use a wildcard, e.g. *.example.com, so the certificate covers any subdomain of example.com; wildcard certificates can only be issued through the DNS-01 challenge, which is exactly what the Cloudflare plugin performs. Note that *.example.com does not cover the bare example.com, so keep a separate -d example.com if you need it. The wildcard is especially useful for load balancing, proxy, and container servers that serve multiple subdomains, as it does not let attackers enumerate your services simply by reading the names listed in the certificate.

Step 4: Set Up Auto-renewal

To ensure that your SSL certificate remains valid and up to date, you can set up auto-renewal for Certbot. Additionally, by using Certbot’s built-in post-hook functionality, you can automatically execute a script after a successful certificate renewal.

Run the following command to edit your crontab:

sudo crontab -e

Add the following line to have Certbot check to see if your certificate is ready for renewal twice a day:

0 3,15 * * * certbot renew --quiet

Save the file and exit the editor.

Next we create the post-hook script. After a successful renewal, Certbot runs every executable script in the ‘renewal-hooks’ directory. We will use this to restart our Docker server so the new certificates can be loaded. We’ll put our script in the ‘post’ directory so it runs after a successful renewal. (Strictly, scripts in ‘post’ run after every renewal attempt, including failed ones; scripts in the ‘deploy’ subdirectory run only for certificates that were actually renewed, which is the better place for anything that should not run on a failed attempt.)

Create the file /etc/letsencrypt/renewal-hooks/post/001-restart-docker.sh:

sudo nano /etc/letsencrypt/renewal-hooks/post/001-restart-docker.sh

Add the following content to the script:

#!/bin/bash
# Certbot post-hook: runs after Certbot has attempted a renewal.
set -e
echo "SSL certs updated"
echo "Restarting Docker..."
# Restart the Docker daemon so containers pick up the renewed certificate files.
systemctl restart docker

This script outputs a message indicating that the SSL certificates were updated and then restarts Docker.

Make sure the script is executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/001-restart-docker.sh

With this configuration, Certbot will automatically attempt to renew your SSL certificate twice a day. After a successful renewal, the post-hook script will be executed, restarting Docker.
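As an added example (not the post’s own hook), here is a more selective variant intended for the ‘deploy’ subdirectory, where Certbot exports RENEWED_DOMAINS (space-separated names on the renewed certificate) and RENEWED_LINEAGE (its directory under /etc/letsencrypt/live). It restarts Docker only when the certificate that Docker actually serves was renewed, so an unrelated certificate on the same host does not bounce your containers. The served domain example.com and the SERVED_DOMAIN variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a deploy hook that restarts
# Docker only when a certificate covering the served domain was renewed.
# Place in /etc/letsencrypt/renewal-hooks/deploy/ and make it executable.
# Certbot sets RENEWED_DOMAINS and RENEWED_LINEAGE for deploy hooks.

# Domain the Docker stack serves; "example.com" is a placeholder.
SERVED_DOMAIN="${SERVED_DOMAIN:-example.com}"

# should_restart RENEWED_DOMAINS SERVED_DOMAIN
#   returns 0 when the renewed list names SERVED_DOMAIN exactly or via a
#   wildcard for its parent domain (e.g. *.example.com for www.example.com).
should_restart() {
  renewed="$1"
  wanted="$2"
  parent="${wanted#*.}"   # www.example.com -> example.com
  for d in $renewed; do
    if [ "$d" = "$wanted" ] || [ "$d" = "*.$parent" ]; then
      return 0
    fi
  done
  return 1
}

if should_restart "${RENEWED_DOMAINS:-}" "$SERVED_DOMAIN"; then
  echo "Certificate for $SERVED_DOMAIN renewed (${RENEWED_LINEAGE:-unknown lineage}); restarting Docker..."
  systemctl restart docker
else
  echo "No certificate for $SERVED_DOMAIN renewed; leaving Docker alone."
fi
```

Because Certbot only runs deploy hooks for certificates it actually renewed, this script never restarts Docker on a failed attempt, and the domain match keeps a multi-certificate host from restarting services that did not change.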

That’s it! You’ve successfully generated a new SSL certificate using Certbot with the Cloudflare plugin and set up auto-renewal through a cron job. Your certificate will now be automatically renewed when it nears expiration, ensuring the continued security of your website.