Certbot DNS challenge with Apache and Cloudflare
A short post while I am thinking about this - because I sorta figured it out.
I am still working on sunsetting my monolithic server (well, it's a glorified desktop with relatively more storage than other hosts on my network), and was working on setting up CheckMK on a newly minted VM.
CheckMK is an open-source monitoring solution that I have used at home for some time, and wound up implementing it at work. It's .. almost a LAMP stack app, but without the M part.
Anyhow, the monitoring only exists within my network, so a typical HTTP validation with LetsEncrypt wasn't something that I would be doing.
So - finding https://www.applefritter.com/content/configurig-lets-encrypt-dns-01-challenge-debian-10-buster gives me a quick run-down of some of the starting bits.
Debian packages we'll need to install (and their dependencies):
1apt update 2apt install certbot python3-certbot-dns-cloudflare python3-certbot-apache
I imagine if you were using nginx, you'd want to get the
python3-certbot-nginx package instead.
Create a file,
cloudflare.ini, somewhere safe on your filesystem with the following contents:
1# Cloudflare API credentials used by Certbot 2dns_cloudflare_email = [email protected] 3dns_cloudflare_api_key = 111111111111111111111111111111
Replace the email with your Cloudflare email address.
The API key must be your global API key. You can get this from https://dash.cloudflare.com/profile/api-tokens. Choose the "Global API Key".
Set the filemode to 0600 (certbot will complain if it's not safe).
With that wired up, get Certbot to do a dry run with Cloudflare:
certbot certonly --dry-run --dns-cloudflare --dns-cloudflare-credentials ./cloudflare.ini -d <domain>
Assuming success with the dry run, time to do it live:
certbot --dns-cloudflare --dns-cloudflare-credentials ./cloudflare.ini --installer apache -d <domain>
Reload your website, hopefully with a freshly issued certificate!