Generating a Lets Encrypt SSL certificate with Cloudflare

This blog post walks through generating an SSL certificate with certbot from Let's Encrypt, specifically, when your DNS is with Cloudflare. For those on Cloudflare wondering why you would want to generate an SSL certificate, it is if you want to run Cloudflare on "Full" SSL mode. More about the modes in my blog What are the different SSL modes on Cloudflare?. Alternatively, if you are using Cloudflare for just DNS or wish to have a sub-sub domain, then an SSL certificate will need to be generated for it to be available.

This post assumes you know what SSL certificates are, and who Let's Encrypt are

Certbot generates an SSL certificate by contacting the Let's Encrypt servers for a challenge. Using the API, the challenge is then placed in your Cloudflare DNS entries as a TXT entry. The Let's Encrypt servers then accept this challenge (if the domain name matches) and issue the certificate.

Set up the API

Before we get generating, we need to create and set up an API token so that our server can modify the DNS

Go to

Make a new one called certbot (create custom token)


zone | dns | edit zone | zone | read

Include all zones

IP Address filtering:

IP of the server

Copy the key

(run the test that is recommended to make sure the is address is right)

Or is it

"Global API Key" when installed with:

apt install certbot python-certbot-apache python3-certbot-dns-cloudflare

dns_cloudflare_email = [email protected] dns_cloudflare_api_key = ccf454044628751621a5dfc14271f98c95bbe

switch to root, make a new folder in /root/.secrets/certbot/

Make file called cloudflare.ini

with contents:

dns_cloudflare_api_token = "XXXXX"

chmod (chmod 600 .serects -r)

apt install python3-pip pip3 install certbot pip3 install certbot-dns-cloudflare

sudo certbot certonly
--dns-cloudflare --dns-cloudflare-credentials /root/.keys/cloudflare.ini
-d,* --preferred-challenges dns-01

Edit apache conf file

<VirtualHost *:80> ### Virtual host configuration ### ServerName ServerAlias VirtualDocumentRoot /var/www/

### Redirect all traffic to HTTPS ###
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

### Logging ###
LogLevel warn
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log vhost_combined
### SSL Proxy server ###
SSLProxyEngine on

ServerName {DOMAIN}
ServerAlias *.{DOMAIN}

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mikestreety/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mikestreety/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/mikestreety/chain.pem
This website is currently having a full content audit - apologies if some of the code or content looks a bit funky!

View this post on Gitlab

You might also enjoy…

Mike Street

Written by Mike Street

Mike is a front-end developer from Brighton, UK. He spends his time writing, cycling and coding. You can find Mike on Twitter.