How to Set Up Let's Encrypt SSL on Ubuntu 18.04 with CloudFlare

Updating SSL certificates is one of those repetitive and boring tasks you have to do when managing a web server, but it's also one of the most important for the security of your website. So let's automate it!

To get started, we're going to download Certbot from GitHub and install it by running the commands below.

git clone https://github.com/certbot/certbot
cd certbot
sudo python setup.py install

After Certbot has been installed on your server, we need to check what plugins are installed.

certbot plugins

After running the above command, you should see the following output.

-------------------------------------------------------------------------------
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

Since the CloudFlare DNS authenticator plugin isn’t in the list, we need to add it.

cd certbot-dns-cloudflare
sudo python setup.py install

Now let’s check the installed Certbot plugins again.

certbot plugins

The output should look something like this.

-------------------------------------------------------------------------------
* dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using
Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare =
certbot_dns_cloudflare.dns_cloudflare:Authenticator

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
-------------------------------------------------------------------------------

Now that everything you'll need is installed, we need to give Certbot access to your CloudFlare account so it can prove that you own the domain you are requesting an SSL certificate for.

To do this, you'll need your CloudFlare global API key. This can be found by logging into your CloudFlare account and going to your account settings; it should be towards the bottom of the page.

Once you have copied your global API key, we need to put it in a configuration file on your server.

sudo nano /etc/letsencrypt/CloudFlare.ini

Paste this into your CloudFlare.ini file, replacing the email address with the one you use for your CloudFlare account and the API key value with your global API key.

# CloudFlare API key information
dns_cloudflare_api_key = 1234567890
dns_cloudflare_email = you@YourDomain.com

Now we need to change the file permissions so only the root user can read it (the file was created by root via sudo, so sudo is needed here too).

sudo chmod 600 /etc/letsencrypt/CloudFlare.ini

After completing all of the configuration steps listed above, it’s time to request and install your SSL certificate.

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/CloudFlare.ini -d '*.YourDomain.com'

If everything completed successfully, you should receive a message similar to the one below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for YourDomain.com
Starting new HTTPS connection (1): api.cloudflare.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): api.cloudflare.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/YourDomain.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/YourDomain.com/privkey.pem
 Your cert will expire on 2018-06-12. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew *all* of your certificates, run
 "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

And that’s it! Your server now has a new SSL certificate valid for the next 90 days.
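The credentials-file and certificate-request steps above, collected into one POSIX shell script as an added example (not code from the original post or from the Certbot project). It assumes the same /etc/letsencrypt/CloudFlare.ini path as the post, a placeholder domain, and function names of my own choosing.

```shell
#!/bin/sh
# Added example: create the Cloudflare credentials file with restrictive
# permissions, refuse to run certbot if anyone but the owner can read it,
# and request the wildcard certificate with the dns-cloudflare plugin.
# CF_INI defaults to the path used in the post; override via the environment.
CF_INI="${CF_INI:-/etc/letsencrypt/CloudFlare.ini}"

# Write the credentials file so it is never group/world-readable, even
# briefly: the umask applies at creation, then the mode is pinned to 600.
# $1=path  $2=Cloudflare account email  $3=global API key
write_cloudflare_ini() {
    old_umask=$(umask)
    umask 077
    printf '# CloudFlare API key information\ndns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
        "$2" "$3" > "$1"
    umask "$old_umask"
    chmod 600 "$1"
    # Note: these are the global-API-key keys the post uses. The plugin also
    # accepts dns_cloudflare_api_token for a token limited to DNS edits, which
    # exposes far less if the file ever leaks (assumed from the plugin docs).
}

# Return 0 only if the file exists and has no group/other permission bits set.
# The certbot DNS plugins warn about loose modes; here it is a hard failure.
# $1=path
credentials_mode_ok() {
    [ -f "$1" ] || return 1
    bits=$(ls -l "$1" | cut -c5-10)   # group+other bits, "------" for 600
    [ "$bits" = "------" ]
}

# Request the wildcard (plus bare-domain) certificate via dns-01.
# $1=domain, e.g. YourDomain.com   (requires certbot and the plugin installed)
request_wildcard_cert() {
    credentials_mode_ok "$CF_INI" || {
        echo "refusing to run: $CF_INI is readable by group/other" >&2
        return 1
    }
    certbot certonly --dns-cloudflare \
        --dns-cloudflare-credentials "$CF_INI" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$1" -d "*.$1"
}

# Usage (as root):
#   write_cloudflare_ini "$CF_INI" you@YourDomain.com YOUR_GLOBAL_API_KEY
#   request_wildcard_cert YourDomain.com
```

Renewal afterwards is just `certbot renew`, which reuses the credentials path recorded at issuance, so the permission check above is what keeps the key protected across renewals.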
