Hi all,
I have several sites running with certbot. I have recently started using Cloudflare first without the proxy/CDN system on. But, for security reasons, I would like to have the cloudflare proxy/CDN activated.
I have installed the dns-cloudflare plugin and done a dry run for my domain, and it worked perfectly. The command was as follows:
sudo certbot renew --cert-name="pryrios.chasr.org" --dry-run --dns-cloudflare --dns-cloudflare-credentials /path/to/cloudflare.ini
Now I would like the automated renewal process to work with this, so that when the system runs certbot renew it will work. I thought that maybe manually updating the renewal config file would work, but I have no clue how to go about it. The renewal file looks like this:
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /path/to/certs_folder
cert = /path/to/cert.pem
privkey = /path/to/privkey.pem
chain = /path/to/chain.pem
fullchain = /path/to/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = <ACCOUNT_KEY>
server = https://acme-v02.api.letsencrypt.org/directory
I think I can change authenticator from “apache” to “dns-cloudflare”, but I have no idea how to tell it where the cloudflare credentials are stored. I am also worried about updating this file manually, as the certbot documentation does not recommend doing so.
I am aware that generating a new certificate using both apache and dns-cloudflare would probably create a new renewal config file that would suit my needs, but I would prefer not to generate a new certificate, as I will need to replicate this with other, more important sites (this is just a test).
Another option would be to stop automated renewal for this site and create a cronjob that runs the above command minus the --dry-run, but I would also rather avoid this, as certbot is already managing automated renewals.
Any idea on how to go about this?
Thanks!
EDIT: It seems that only running the command to reissue (or renew) the certificate renews it, reinstalls it and modifies the configuration, so I have ended up doing this. It works perfectly cleanly, although reissuing the certificate may not be the best option in all cases (due to rate limits, I think).
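As an added example (not from the original post and not certbot's own tooling), the script below applies the manual-edit approach the poster considered: it switches a renewal conf like the one shown from the apache authenticator to dns-cloudflare, keeps apache as the installer, and refuses to proceed if the Cloudflare credentials file is readable by group or others. It assumes the renewal key is named dns_cloudflare_credentials (certbot writes CLI flags into [renewalparams] with dashes turned into underscores); compare with a conf that certbot wrote itself before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot itself.
# Assumption: the [renewalparams] key for the credentials path is
# dns_cloudflare_credentials, mirroring --dns-cloudflare-credentials.

creds_are_private() {
    # 0 if the file exists and its mode ends in 00 (no group/other access),
    # which is what the Cloudflare API token file should look like.
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

conf_uses_dns_cloudflare() {
    # Verify the three lines the renewal needs after the switch.
    grep -q '^authenticator = dns-cloudflare$' "$1" \
        && grep -q '^installer = apache$' "$1" \
        && grep -q '^dns_cloudflare_credentials = ' "$1"
}

switch_to_dns_cloudflare() {
    conf="$1"   # e.g. /etc/letsencrypt/renewal/pryrios.chasr.org.conf
    creds="$2"  # e.g. /path/to/cloudflare.ini
    creds_are_private "$creds" || {
        echo "refusing: $creds missing or readable by others" >&2; return 1; }
    # Keep a backup: certbot reads this file in place on every renewal.
    cp "$conf" "$conf.bak" || return 1
    # Only the authenticator changes; the apache installer still deploys the cert.
    sed -i.tmp 's/^authenticator = apache$/authenticator = dns-cloudflare/' "$conf" \
        && rm -f "$conf.tmp"
    # [renewalparams] is the last section of the conf, so appending lands inside it.
    grep -q '^dns_cloudflare_credentials' "$conf" || \
        printf 'dns_cloudflare_credentials = %s\n' "$creds" >> "$conf"
    conf_uses_dns_cloudflare "$conf"
}
```

After the edit, run the same certbot renew --cert-name ... --dry-run command as above (without the dns flags, since they now come from the conf) to confirm the DNS challenge works before the scheduled renewal fires.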