If you use Cloudflare for your DNS, Certbot makes it easy to get a wildcard SSL certificate with automatic DNS verification. A wildcard certificate allows you to use one certificate that is valid for all subdomains on your domain (e.g., example.com, wiki.example.com, files.example.com).
Using the Cloudflare DNS plugin, Certbot will create, validate, and then remove a TXT record via Cloudflare’s API. This process proves that you control the domain in question (and are therefore authorized to obtain an SSL certificate for it).
Install Certbot
apt-get install python3-certbot-dns-cloudflare
Configure Cloudflare Credentials
You will need the email address associated with your Cloudflare account, and your Cloudflare Global API Key.
Create a secrets directory
mkdir /root/.secrets/
touch /root/.secrets/cloudflare.ini
Add credentials to secrets file
nano /root/.secrets/cloudflare.ini
The file should contain the following:
dns_cloudflare_email = youremail@example.com
dns_cloudflare_api_key = yourapikey
Save the file (Control + X, press ‘Y’ to Save, and press Enter).
Secure the secrets file
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
Get your Certificates
Now that you’ve finished setting up Certbot, it’s time to get your certificates from LetsEncrypt.
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01
Your certificates will be saved to /etc/letsencrypt/live/example.com/.
Do not move the certificates from this folder.
Renewal
Certbot creates a renewal script that runs twice per day and automatically renews certificates that are due to expire within the next 30 days. You can verify this script is running by using sudo systemctl status certbot.timer.
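Because the Cloudflare credentials in this file can change any DNS record in the account, it is worth confirming that the "Secure the secrets file" step actually took effect before running certbot. The following script is an added example, not part of the original article; it checks the directory and file modes, makes sure the placeholder values were replaced, and accepts either the email plus Global API Key pair used above or a scoped dns_cloudflare_api_token, which the plugin also supports.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a Certbot
# Cloudflare credentials file before running certbot.

# Print the permission bits of a path as octal (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the path grants any permission to group or others.
world_or_group_readable() {
    m=$(mode_of "$1")
    [ $((0$m & 077)) -ne 0 ]
}

# Fetch the value of an ini key, stripping spaces around '='.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_cf_secrets FILE -> 0 when the file looks safe and complete, 1 otherwise.
check_cf_secrets() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    if world_or_group_readable "$(dirname "$f")"; then
        echo "directory $(dirname "$f") is not 0700"; return 1
    fi
    if world_or_group_readable "$f"; then
        echo "$f is readable by group/others (expected 0400)"; return 1
    fi
    token=$(ini_value "$f" dns_cloudflare_api_token)
    email=$(ini_value "$f" dns_cloudflare_email)
    key=$(ini_value "$f" dns_cloudflare_api_key)
    # Either a scoped API token, or the email + Global API Key pair the article uses.
    if [ -z "$token" ] && { [ -z "$email" ] || [ -z "$key" ]; }; then
        echo "no usable credentials in $f"; return 1
    fi
    # The article's placeholder must have been replaced with a real key.
    if [ "$key" = "yourapikey" ]; then
        echo "placeholder API key still present in $f"; return 1
    fi
    echo "ok: $f"
}

# Stand-alone use: check the path the article uses, or one given on the command line.
check_cf_secrets "${1:-/root/.secrets/cloudflare.ini}" || true
```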