HeQihan

How to apply for an SSL certificate using Cloudflare

The Huawei Cloud server I applied for a year ago has expired, and the new server needs a brand new SSL certificate. Because of the network environment in China, using Certbot to apply for a Let's Encrypt certificate can be quite a struggle. When I first started the blog, I could only rely on Cloudflare's free CDN to pretend I had certificate encryption...
Now a better era has arrived! As long as the domain is hosted on Cloudflare, there is a more reliable way to apply for the certificate.

This method requires command-line access to the server and a Cloudflare API token.

Step 1

Host the domain on Cloudflare. I will keep this part brief, since tutorials are easy to find online; the point here is to spend the words on what matters and skim over what does not.

Step 2

First, connect to the server over SSH. Then install Certbot, a free open-source tool that automates obtaining and installing SSL certificates.

sudo apt-get update
sudo apt-get install certbot

Then install the Cloudflare plugin for automated DNS verification.

sudo apt-get install python3-certbot-dns-cloudflare

Step 3

Next, apply for an API token in Cloudflare for the DNS verification. It needs at least these permissions: read and edit DNS Firewall, and read and edit DNS. (Make sure to save the token somewhere safe.)


Step 4

Create an ini file on the server to store the API token; I prefer nano for this.

sudo mkdir ~/.secrets
sudo mkdir ~/.secrets/certbot
sudo nano ~/.secrets/certbot/cloudflare.ini

Input the following content in nano, replacing your-cloudflare-api-token with your own API token.

dns_cloudflare_api_token = your-cloudflare-api-token

Then we need to ensure that the permissions of the credentials file are secure.

sudo chmod 600 ~/.secrets/certbot/cloudflare.ini

Step 5

Run the Certbot command to automate the certificate application.

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d example.com \
  -d www.example.com

Replace example.com and www.example.com with the domains you are applying for. This command often fails, though: because of DNS record propagation delay, Let's Encrypt may not yet see the required DNS TXT record and reports an error. The fix is to lengthen the propagation wait so the TXT record has time to reach all DNS servers; 60 seconds is generally enough.

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d example.com \
  -d www.example.com

With that, the certificate application succeeds, and Certbot will renew the certificate automatically whenever it is due (as long as the API token has not expired), which is quite convenient. If the API token expires, just update the cloudflare.ini file and rerun this command.
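To tie the steps together, here is an added shell example (my own, not from the original post). It refuses a credentials file that is world-readable or still contains the tutorial's placeholder, then builds the same certbot command with the propagation wait plus a --deploy-hook that reloads nginx after every renewal, so the manual reload described in the update below is no longer needed. The --deploy-hook flag, the reload command and the token values are my additions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the Cloudflare
# credentials file before certbot ever reads it, then issues the cert
# with the propagation wait and a deploy hook (my addition) that reloads
# nginx after every renewal. Assumes GNU or BSD stat and certbot with
# the dns-cloudflare plugin installed.

PLACEHOLDER='your-cloudflare-api-token'

# check_credentials FILE -> 0 if the file is safe to use, 1 otherwise.
# Rejects loose permissions (the token grants DNS edit rights, so anyone
# who can read it can pass DNS-01 validation for the zone) and the
# unreplaced placeholder from the tutorial.
check_credentials() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600|400) ;;
        *) echo "mode $mode on $f, expected 600" >&2; return 1 ;;
    esac
    token=$(sed -n 's/^dns_cloudflare_api_token *= *//p' "$f" | head -n 1)
    [ -n "$token" ] || { echo "no dns_cloudflare_api_token in $f" >&2; return 1; }
    [ "$token" != "$PLACEHOLDER" ] || { echo "placeholder token in $f" >&2; return 1; }
}

# build_certbot_cmd FILE WAIT DOMAIN... -> prints the certbot command line.
build_certbot_cmd() {
    creds=$1 secs=$2
    shift 2
    cmd="certbot certonly --dns-cloudflare"
    cmd="$cmd --dns-cloudflare-credentials $creds"
    cmd="$cmd --dns-cloudflare-propagation-seconds $secs"
    cmd="$cmd --deploy-hook 'systemctl reload nginx'"
    for d in "$@"; do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

# issue_cert FILE WAIT DOMAIN... -> run the check, then certbot (as root).
# Example: issue_cert ~/.secrets/certbot/cloudflare.ini 60 example.com www.example.com
issue_cert() {
    check_credentials "$1" || return 1
    eval "$(build_certbot_cmd "$@")"
}
```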


2025/4/28

If the certificate still shows as expired after updating, you can manually reload the web server configuration.

sudo systemctl reload nginx

or

sudo systemctl reload apache2

That should work.

This article was synchronized and updated to xLog by Mix Space
The original link is https://www.actorr.cn/posts/default/cloudflare_and_certificate
