Cloudflare certbot renew automation

Sorry if this has been posted before; I’ve searched around the forums and the web and have included a manual solution below.

I followed this guide to be able to renew my cert while using Cloudflare:

It works! However, will these renewal settings be remembered? Or will I have to manually run this command every 6 months? How can I automate using the DNS preferred challenge? Or is there an easier challenge method that is compatible with Cloudflare and can be auto-renewed without having to log in to the server and run the certbot command?

Thanks

My domain is:

I ran this command:
certbot certonly --manual -d haydenjames.io -d www.haydenjames.io --preferred-challenges="dns"

It produced this output:
it worked.

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Debian 9

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi @james_1,

If you use --manual without a script to perform the authentication, then it can’t be used in an unattended renewal. Therefore, with your current setup you could not get automated renewals.

If you can get or write a script that performs the steps necessary to complete the authentication step (in this case making the appropriate DNS changes for you), you can provide that to Certbot as an --auth-hook and then you can perform automated renewals using that script.


Thanks! Unfortunately the DNS changes are made via Cloudflare. Are there other compatible auth methods besides DNS which work with Cloudflare?

Apparently CloudFlare does have an API, which is, for example, natively supported by the acme.sh client:

There’s only one other authentication method still supported by Let’s Encrypt, called HTTP-01. This method is based on the ability to post specified files on your web site (which are then accessed via HTTP on port 80). In principle this works behind CloudFlare. It’s supported by the --webroot method in versions of Certbot before 0.21, and by either --webroot or --nginx in Certbot 0.21 and later, among other possibilities.

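
As an added example (not from this thread, and not one of certbot's own plugins), the following POSIX shell script combines the two answers above: it is the kind of script you would pass to certbot as --manual-auth-hook, and it publishes the DNS-01 TXT record through the Cloudflare API. The CERTBOT_DOMAIN and CERTBOT_VALIDATION variables are the ones certbot exports to hooks and the API endpoint is Cloudflare's real v4 endpoint; the CF_API_TOKEN and CF_ZONE_ID variables are assumed to be set by you (an API token scoped to DNS edits on that one zone, and the zone's id).

```shell
#!/bin/sh
# Constructed example of a certbot --manual-auth-hook for Cloudflare DNS-01.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the hook must
# publish a TXT record at _acme-challenge.<domain> holding the validation token.
# Assumed environment (set by you, not by certbot):
#   CF_API_TOKEN  Cloudflare API token limited to Zone:DNS:Edit on one zone
#   CF_ZONE_ID    id of that zone
# Usage: certbot certonly --manual --preferred-challenges dns \
#          --manual-auth-hook /path/to/this-script.sh -d example.com
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Name of the TXT record the DNS-01 challenge is validated against.
challenge_record_name() {
    printf '_acme-challenge.%s' "$1"
}

# JSON body for a Cloudflare "create DNS record" request. Validation tokens are
# base64url (A-Za-z0-9_-), so nothing needs escaping; refuse anything else rather
# than build a malformed request from unexpected input.
txt_record_json() {
    name="$1"; content="$2"
    case "$content" in
        *[!A-Za-z0-9_-]*|"") return 1 ;;
    esac
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":120}' "$name" "$content"
}

# Create the record; needs network access and the assumed credentials.
cf_create_record() {  # json-body
    curl -sS -X POST "$CF_API/zones/$CF_ZONE_ID/dns_records" \
        -H "Authorization: Bearer $CF_API_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$1"
}

# Publish the record and give resolvers time to see it before certbot validates.
publish_challenge() {
    name=$(challenge_record_name "$CERTBOT_DOMAIN")
    body=$(txt_record_json "$name" "$CERTBOT_VALIDATION")
    cf_create_record "$body" | grep -q '"success": *true'
    sleep 30
}

# Act only when certbot invoked us; sourcing the file for its helpers does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    publish_challenge
fi
```

A matching --manual-cleanup-hook should delete the record again after validation, so stale _acme-challenge entries do not accumulate in the zone.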

certbot also has a CloudFlare DNS plugin available: https://github.com/certbot/certbot/tree/master/certbot-dns-cloudflare

It’s not included in the official package though, and I don’t think it’s included in certbot-auto either… So how to use it on your system is unclear to me. I installed another DNS plugin on Gentoo with a custom ebuild (which works great), but it’s unlikely you can benefit from that.


Yeah, this is currently extremely tricky for certbot-auto users.
