Certbot DNS challenge with Apache and Cloudflare

A short post while I am thinking about this - because I sorta figured it out.

I am still working on sunsetting my monolithic server (well, it's a glorified desktop with relatively more storage than other hosts on my network), and was working on setting up CheckMK on a newly minted VM.

CheckMK is an open-source monitoring solution that I have used at home for some time, and wound up implementing it at work. It's... almost a LAMP stack app, but without the M part.

Anyhow, the monitoring only exists within my network, so a typical HTTP validation with LetsEncrypt wasn't something that I would be doing.

So - finding https://www.applefritter.com/content/configurig-lets-encrypt-dns-01-challenge-debian-10-buster gives me a quick run-down of some of the starting bits.

Debian packages we'll need to install (and their dependencies):

apt update
apt install certbot python3-certbot-dns-cloudflare python3-certbot-apache

I imagine if you were using nginx, you'd want to get the python3-certbot-nginx package instead.

Anyhow. Credentials!

Create a file, cloudflare.ini, somewhere safe on your filesystem with the following contents:

# Cloudflare API credentials used by Certbot
dns_cloudflare_email = <your-cloudflare-email>
dns_cloudflare_api_key = 111111111111111111111111111111

Replace the email with your Cloudflare email address.

The API key must be your global API key. You can get this from https://dash.cloudflare.com/profile/api-tokens. Choose the "Global API Key".

Set the file mode to 0600 (certbot will complain if the credentials file is readable by other users).

With that wired up, get Certbot to do a dry run with Cloudflare:

certbot certonly --dry-run --dns-cloudflare --dns-cloudflare-credentials ./cloudflare.ini -d <domain>

Assuming success with the dry run, time to do it live:

certbot --dns-cloudflare --dns-cloudflare-credentials ./cloudflare.ini --installer apache -d <domain>

Reload your website, hopefully with a freshly issued certificate!
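As an added example (not part of the original post), here is the whole procedure above as a POSIX shell script: it writes cloudflare.ini under a restrictive umask so the key is never world-readable even briefly, runs the same 0600-and-contents check certbot would complain about before touching the ACME server, and then issues the dry run and the live run exactly as typed above. The credentials path, the email and the key are placeholders.

```shell
#!/bin/sh
# Added example: create, verify and use the Cloudflare credentials file
# that the certbot-dns-cloudflare plugin reads. Nothing here is copied
# from the post beyond the two certbot command lines.
set -eu

CREDS="${CREDS:-/root/.secrets/cloudflare.ini}"   # assumed location

# Write the ini file with umask 077 so it is created 0600 from the start
# instead of being world-readable until a later chmod runs.
write_creds() {
    creds="$1"; email="$2"; key="$3"
    mkdir -p "$(dirname "$creds")"
    (umask 077 && printf '%s\n' \
        '# Cloudflare API credentials used by Certbot' \
        "dns_cloudflare_email = $email" \
        "dns_cloudflare_api_key = $key" > "$creds")
    chmod 0600 "$creds"
}

# Pre-flight check: the file must exist, be mode 0600 and carry both keys
# the plugin expects. Returns 0 when safe, non-zero with a reason on stderr.
check_creds() {
    creds="$1"
    [ -f "$creds" ] || { echo "no such file: $creds" >&2; return 1; }
    mode=$(stat -c '%a' "$creds" 2>/dev/null || stat -f '%Lp' "$creds")
    [ "$mode" = "600" ] || { echo "mode is $mode, want 600" >&2; return 2; }
    grep -q '^dns_cloudflare_email *=' "$creds" \
        || { echo "missing dns_cloudflare_email" >&2; return 3; }
    grep -q '^dns_cloudflare_api_key *=' "$creds" \
        || { echo "missing dns_cloudflare_api_key" >&2; return 3; }
}

# Dry run first, then the live issuance with the Apache installer,
# exactly the two commands from the post.
issue_cert() {
    domain="$1"; creds="$2"
    check_creds "$creds"
    certbot certonly --dry-run --dns-cloudflare \
        --dns-cloudflare-credentials "$creds" -d "$domain"
    certbot --dns-cloudflare --dns-cloudflare-credentials "$creds" \
        --installer apache -d "$domain"
}

# Usage (placeholders):
# write_creds "$CREDS" '<your-cloudflare-email>' '<global api key>'
# issue_cert '<domain>' "$CREDS"
```

The global API key grants full control of the Cloudflare account, so if that file ever leaks the whole account is exposed; the same plugin also accepts a scoped API token under `dns_cloudflare_api_token` (Zone:DNS:Edit on the relevant zone), which limits what a stolen file can do.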