Wildcard SSL Certificates with Certbot + Cloudflare

If you use Cloudflare for your DNS, Certbot makes it easy to get a wildcard SSL certificate with automatic DNS verification. A wildcard certificate allows you to use one certificate that is valid for all subdomains on your domain (i.e., example.com, wiki.example.com, files.example.com).

Using the Cloudflare DNS plugin, Certbot will create, validate, and them remove a TXT record via Cloudflare’s API. This process proves that you own the domain in question (and are authorized to obtain an SSL certificate for the domain).

Install Certbot

apt-get instal python3-certbot-dns-cloudflare

Configure Cloudflare Credentials

You will need the email address associated with your Cloudflare account, and your Cloudflare Global API Key.

Create a secrets directory

mkdir /root/.secrets/ touch /root/.secrets/cloudflare.ini

Add credentials to secrets file

nano /root/.secrets/cloudflare.ini

The file should contain the following:

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = yourapikey

Save the file (Control + X, press ‘Y’ to Save, and press Enter).

Secure the secrets file

sudo chmod 0700 /root/.secrets/

sudo chmod 0400 /root/.secrets/cloudflare.ini

Get your Certificates

Now that you’ve finished setting up Certbot, it’s time to get your certificates from LetsEncrypt.

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01

Your certificates will be saved to /etc/letsencrypt/live/example.com/.

Do not move the certificates from this folder.


Certbot creates a renewal script that runs twice per day and automatically renews certificates that are due to expire within the next 30 days. You can verify this script is running by using sudo systemctl status certbot.timer.