Let's make Let's Encrypt work with Cloudflare

  1. I have 50 domains.
  2. All of them are on Cloudflare
  3. I don't remember which command I used to issue a new certificate: certbot --apache OR certbot --auto for some I used
    certbot certonly --manual -d domainname.com -d www.domainname.com --preferred-challenges="dns"
    and for some
    certbot certonly --webroot-path /var/www/public_html/domainname.com/public --renew-by-default --email myemail@gmail.com --text --agree-tos -d domainname.com -d www.domainname.com --preferred-challenges http

It's a little messy, I know. If I knew the best way to purge all and go for one updated solution I'd go for it. I read quite a few topics on your forum similar to this one. I read that http1 challenges are deprecated. The topic is old. I CAN'T ADD A WILDCARD REDIRECT to Cloudflare because I am a free user and all the page rules I can apply are already busy for all the domain names.

  1. MY GOAL IS: To be able to auto renew all the existing certificates using a single command without getting errors when I have the orange cloud active on cloudflare. I can't manually go and deactivate it for every domain. It's just a pain to do so. I'll be happy to keep both let's encrypt and cloudflare certificate while using "FULL STRICT" on Cloudflare. I'm looking for a 2021st updated solution. Please help. Thanks in advance!

  2. My web server is (Apache latest version)

  3. The operating system my web server runs on is (Debian 9 64-bit)

  4. I can login to a root shell on my machine (YES)

  5. I'm using a control panel to manage my site (NO)

  6. The version of my client is (Certbot 0.28.0)

You might not be able to add a wildcard redirect but you should be able to obtain a wildcard cert via DNS authentication. [Both of your example commands are using DNS challenges]

So it might not alleviate the free limit but it would make cert assignments really easy if you only have one cert.
Given: a one entry wildcard would only cover subdomains from that one domain.
[but the SAN field can hold 100 entries - enough for 50 root domains and the 50 matching wildcards]


Hi @bjordanov

All of them are on Cloudflare

if you use Cloudflare, normally, you have redirects http -> https.


  • Letsencrypt follows these redirects, validation via your port 80 may not work -> --apache can't work
  • Use the webroot of your https - that should always work, if you don't need wildcards.

Thanks to both of you for your suggestions and immediate answers. What should I do to purge all the existing certificates (and do I have to) and then what are the steps to go trough to achieve the soultion @rg305 suggests? Thanks! Am I looking for the right syntax to list all my domain names in a single command? Or is there a smarter solution I'm not seeing.

The DNS Challanges work perfectly for me but it's not an option to write 50 commands.

1 Like

if your webserver only talk to cloudflare, why not use it's Origin CA?

1 Like

You don't need to purge anything.
They can be replaced as they expire.
Once you renew them the way you want, you only need to run:
certbot renew

[which should already be run in cron or systemd timer]


Thanks for this suggestion but I'm trying to avoid installing any 3rd party software on the web server. I love let's encrypt. I can't say the same for Cloudflare. I just use them because they are a free solution atm.

Can you please confirm that if I use:

certbot certonly --manual -d domainname.com -d www.domainname.com --preferred-challenges="dns"

for every single domain and configure an acme challange for it then I'll be able to renew all just by using the certbot renew command? Thanks!

You can't automate a command that includes --manual process.
You need to use a DNS API plugin that can handle that for you.


and you don't want to use dns validation. http validation works.

If your older configuration is a mess, it may be required to fix that mess. Domain per domain.

1 Like

he's try to get a wildcard, so he does need dns challenge

1 Like

to be automate dns challenge you need to give client an api to update it
keep mind you already agree to cloudflare to be sit in the middle seeing all traffic in plaintext (don't send plainetext password by cloudflare!) I'd just use cloudflare cert it give from panel if you trust cloudflare enought for that.

1 Like

I feel like I'm back to the same loop. Can you please suggest the exact steps to go trough to achieve what I want in point 4. of the main thread? Thanks! @orangepizza As I already said it's one thing to send Cloudflare my data directly. It's another thing to send it encrypted.

I think this is partly to blame for the confusion.
HTTP authentication has not been deprecated.
[HTTPS was but that is another story]

If you want a wildcard you will need to use DNS authenticated challenges.
If you want to automate the DNS challenges, you will need to use a DNS API plugin.
If you can't, or don't want to, use DNS authentication, then you will have to use HTTP.
HTTP through CloudFlare is a bit tricky but possible and can be easily automated.

And one last option is to also use CloudFlare to encrypt the connection form them to your server.
Which was mentioned above.


you don't send E2E encrypted data to user, CF will sit in the middle and decrypt the traffic. (that's only why to them to see client request and send from cache if they have one.


So are you saying that the HTTP is the way to go? If so where can I read how to configure and automated it for my case?
What exactly do you mean by "DNS API plugin" the one from Cloudflare?

In order to automate the required TXT record creation (to pass the DNS authentication request), you must use an ACME client that supports DNS API and use a DNS service provider that supports updates to your DNS zone via that API.
Or you will have to do that manually 50 times every 60 days - no deal!

It may get confusing because CloudFlare can be your DNS service provider (or not).
And CloudFlare can also be your CDN (or not).


Ok. I think I understand. I have different places I bought the domains from but I'm using Cloudflare as a DNS provider and a CDN at the same time. So where do I get that plugin to solve my eternal pain?

I found solutions like this one: https://github.com/joohoi/acme-dns-certbot-joohoi

My only concern is that it's updated 3 years ago. If this is the so called "plugin" I think it'll do. Please if anyone has a similar issue to mine join the topic and share your solution. Thanks!

Alternatively this is the cloudflare plugin I found: https://certbot-dns-cloudflare.readthedocs.io/en/stable/

This works perfectly with acme-dns, which is what it's supposed to do. I wouldn't expect it to work with Cloudflare.