How to Setup Lets Encrypt SSL on Ubuntu 18.04 with CloudFlare

Updating SSL certificates is one of those repetitive and boring tasks that you have to do managing a web server. But, it’s also one of the most important when it comes to the security of your website. So lets automate it!

To get started, we’re going to need to download Certbot and install it by running the following commands listed below.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python3-certbot-dns-cloudflare

After Certbot has been installed on your server, we need to check what plugins are installed.

certbot plugins

The output should look something like this.

-------------------------------------------------------------------------------
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

Nginx Plugin (Optional)

If you have Nginx installed as your web server, run the following command listed below.

sudo apt-get install certbot python-certbot-nginx 

Apache Plugin (Optional)

sudo apt-get install certbot python-certbot-apache

Or, if you have Apache installed as your web server, run the following command listed below.

Now that everything you’ll need is installed, we need to give Certbot access to your CloudFlare account so it can prove that you own the domain you are requesting a SSL certifcate for.

To do this, you’ll need your CloudFlare global API key. This can by found by logging into your CloudFlare account, going to your account settings, and it should be towards the bottom of the page.

Once you have copied your global API key, we need to put it in a configuration file on your server.

sudo nano /etc/letsencrypt/CloudFlare.ini

Past this in your CloudFlare.ini file and replace the username with the email address you use with your CloudFlare account, and the replace the password with your global API key.

# CloudFlare API key information
dns_cloudflare_api_key = 1234567890
dns_cloudflare_email = [email protected]

Now we need to change the file permissions so only the root user can access it.

sudo chmod 600 /etc/letsencrypt/CloudFlare.ini

After completing all of the configuration steps listed above, it’s time to request and install your SSL certificate.

sudo certbot certonly -d *.YourDomain.com --dns-cloudflare

If everything completed successfully, you should receive a message similar to the one below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for YourDomain.com
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/YourDomain.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/YourDomain.com/privkey.pem
 Your cert will expire on 2018-06-12. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew *all* of your certificates, run
 "certbot renew"
 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 Donating to EFF: https://eff.org/donate-le

And that’s it! Your server now has a new SSL certificate valid for the next 90 days.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.