[EN] Using Certbot with Cloudflare for Wildcard Certificates

If you have worked with Certbot to issue your certificates, you may have seen that Cloudflare supports wildcard certificates since summer of this year. The problem is that the DNS-01 plugin used to authenticate against Cloudflare for issuing those certificates is currently only supported in Docker or on newer OS versions.


However, you can simply build the Let's Encrypt Certbot from source yourself. The only things you need are Python and git, which can be installed with:
$ apt-get install python git
After that, install Certbot from source with the following steps:
$ mkdir certbot; cd certbot
$ git clone https://github.com/certbot/certbot .
$ sudo python setup.py install
$ cd certbot-dns-cloudflare
$ sudo python setup.py install
This installs the certbot command along with the Cloudflare plugin into /usr/local/bin. After opening a new shell session the command is globally available. You can verify that everything installed correctly by running
$ certbot plugins
This should give you an output like:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
When all this is done you can create the configuration file that gives Certbot access to the Cloudflare API. The recommended folder is /etc/letsencrypt/, so we issue the following commands:
$ cd /etc/letsencrypt
$ touch cf.ini
$ chmod 600 cf.ini
$ nano cf.ini
Then enter your credentials into that file like so (the chmod 600 above matters: the file holds your Cloudflare API key, which gives full access to your account, so nobody but root should be able to read it):
dns_cloudflare_api_key=YourAPIKeyFromCloudflareCom
dns_cloudflare_email=YourAccountEMail
Additionally, we can modify cli.ini so that Certbot knows where to find the .ini we just created. It works without this, but if we do not modify cli.ini we have to pass the location on every invocation. So just open
/etc/letsencrypt/cli.ini
and configure it:
# Cloudflare INI
dns-cloudflare-credentials=/etc/letsencrypt/cf.ini
# Production ACME
server=https://acme-v02.api.letsencrypt.org/directory
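Because cf.ini carries a full-access API key, it is worth checking the file before every run rather than trusting that the chmod stuck (a later edit with a different umask or a copy to another host can silently widen it). The following is an added example, not part of the original post or of Certbot: it mirrors the permission check Certbot's DNS plugins perform (they warn when the credentials file is readable by group or others) and additionally verifies that the two keys from the file above are present. The paths and the sample credentials it writes are constructed for the demo.

```python
"""Pre-flight check for the Cloudflare credentials file used by certbot-dns-cloudflare.

Added example (not from the original post). It checks the two things that
matter before handing the file to certbot: that only the owner can read it
(mode & 0o077 == 0, the same rule Certbot's DNS plugins warn about) and
that both keys the plugin expects are set.
"""
import os
import tempfile

# Keys the dns-cloudflare plugin reads from the credentials file (as on the page).
REQUIRED_KEYS = ("dns_cloudflare_email", "dns_cloudflare_api_key")


def file_is_private(path):
    """True if neither group nor others have any permission bits on the file."""
    mode = os.stat(path).st_mode
    return (mode & 0o077) == 0


def parse_credentials(path):
    """Parse the simple key=value format of cf.ini into a dict (comments and blanks ignored)."""
    creds = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                creds[key.strip()] = value.strip()
    return creds


def check_credentials_file(path):
    """Return a list of problems; an empty list means the file is safe to use."""
    problems = []
    if not file_is_private(path):
        problems.append(f"{path} is readable by group or others; run chmod 600 on it")
    creds = parse_credentials(path)
    for key in REQUIRED_KEYS:
        if not creds.get(key):
            problems.append(f"{path} is missing a value for {key}")
    return problems


def write_sample(mode, include_key=True):
    """Write a constructed cf.ini into a temp file with the given mode (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not a real credential\n")
        fh.write("dns_cloudflare_email=admin@example.com\n")
        if include_key:
            fh.write("dns_cloudflare_api_key=PLACEHOLDER_NOT_A_REAL_KEY\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Demo: a correctly protected file passes, a world-readable one is flagged.
    for mode in (0o600, 0o644):
        sample = write_sample(mode)
        print(f"mode {mode:o}: {check_credentials_file(sample) or 'OK'}")
        os.remove(sample)
```

Run it as a pre-step in the cron job or wrapper script that calls certbot, and abort when the returned list is non-empty; on a real system point it at /etc/letsencrypt/cf.ini instead of the constructed temp file.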
We are done!

Now we can simply use one command to issue a certificate.

Beware of one major pitfall:
If you intend to use the certificate for subdomains as well as the main domain, you have to request both names in one certificate, otherwise you will get an error when accessing your main domain!

Example:
You have the following domains, all pointed to the same htdocs directory:
mydomain.com, www.mydomain.com and sub.mydomain.com.

You tell Certbot to issue a wildcard certificate for "mydomain.com" like so (the wildcard is quoted so the shell does not try to expand it):
$ sudo certbot certonly -d '*.mydomain.com' --dns-cloudflare
After configuring the webserver to actually use the newly created certificates and a quick restart, you will be able to access both "www.mydomain.com" and "sub.mydomain.com" without problems, but will run into an error accessing "mydomain.com". This is because the wildcard certificate does not include the main domain itself, but only the subdomains! There is a simple fix for that: issue a certificate for both at the same time like so:
$ sudo certbot certonly -d '*.mydomain.com,mydomain.com' --dns-cloudflare
This still outputs only one certificate for the domain, but it covers both mydomain.com and all the subdomains.
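To see why the first command fails for the bare domain, it helps to apply the name-matching rule that browsers and TLS libraries use (RFC 6125 section 6.4.3): the "*" stands for exactly one DNS label in the left-most position, nothing more. The following is an added example, not code from the original post or from Certbot. It implements that rule and reports, for a list of hostnames, which ones a certificate's subject alternative names actually cover. It goes slightly beyond the post in that it also shows that deeper names such as a.b.mydomain.com are not covered by *.mydomain.com either. The hostnames are the post's constructed examples.

```python
"""Which hostnames does a certificate's SAN list cover?

Added example (not from the original post). Implements the RFC 6125
wildcard rule: '*' matches exactly one label and only as the left-most
label, so '*.mydomain.com' covers 'www.mydomain.com' but neither
'mydomain.com' nor 'a.b.mydomain.com'.
"""


def _normalize(name):
    """DNS names compare case-insensitively and a trailing dot is ignored."""
    return name.strip().lower().rstrip(".")


def hostname_matches(hostname, san_names):
    """Return True if hostname is covered by at least one DNS name in san_names."""
    host = _normalize(hostname)
    for san in san_names:
        san = _normalize(san)
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # '*.mydomain.com' -> '.mydomain.com'
            if host.endswith(suffix):
                # Whatever replaces the '*' must be exactly one non-empty label.
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
    return False


def coverage_report(hostnames, san_names):
    """Map each hostname to whether the certificate with these SANs covers it."""
    return {h: hostname_matches(h, san_names) for h in hostnames}


def uncovered(hostnames, san_names):
    """The hostnames that would produce a certificate error, in input order."""
    return [h for h in hostnames if not hostname_matches(h, san_names)]


if __name__ == "__main__":
    # The three names from the post, plus a deeper subdomain for contrast.
    hosts = ["mydomain.com", "www.mydomain.com", "sub.mydomain.com", "a.b.mydomain.com"]
    # SANs produced by the two certbot commands from the post.
    wildcard_only = ["*.mydomain.com"]
    wildcard_and_apex = ["*.mydomain.com", "mydomain.com"]
    for label, sans in (("wildcard only", wildcard_only), ("wildcard + apex", wildcard_and_apex)):
        print(f"{label}: {coverage_report(hosts, sans)}")
        print(f"  not covered: {uncovered(hosts, sans)}")
```

If you want to check a certificate that certbot already issued instead of a hand-written list, extract its SANs with `openssl x509 -in /etc/letsencrypt/live/mydomain.com/cert.pem -noout -ext subjectAltName` and feed those DNS entries to coverage_report.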



ADDENDUM

As you may know, Certbot certificates are only valid for 90 days, so you should have a system that automatically renews them. Certbot generally creates a file in the cron.d folder to renew certificates, however it does not automatically reload your webserver after a renewal, which can cause issues. Thankfully there is a simple fix for that (replace nginx with httpd in case you are using Apache):
$ nano /etc/cron.d/certbot
# Run Certbot twice a Day and restart nginx only IF a renew happened!
0 */12 * * * root test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "/etc/init.d/nginx reload"
Note 1: This is a cron file, so make sure to add an empty line after the command, otherwise your cron job will not run!

Note 2: This runs twice a day because certbot renew only checks whether a certificate is due and renews it if so, so there is no overhead in running it this often.

Note 3: Please do NOT remove the random sleep interval! Otherwise everyone using Certbot would hit the Let's Encrypt API at the exact same time, resulting in, essentially, a DDoS attack on them!
