Renew certificate with certbot-dns-cloudflare’s?


I already configured my SSL using by following this tutorial

I configured it using certbot cert-only, and it suggests uses HTTP verification method.
I want to change the verification method using DNS certbot-dns-cloudflare

But I can’t find the documentation for renewing the certificate, how to renew the existing certificate?
and do I have to select the propagation to other than Automatic TTL?



What have you done so far?

Have you installed the cloudflare plugin?

Thank you


If you haven’t done so, try to follow this tutorial on install that plugin / configture it.

Please follow the tutorial and stop before execute this command (Ubuntu Users) : $ sudo apt install python-certbot-dns-cloudflare (Thanks @_az)

After that, please use the below command to convert the existing certificate (the one you wish to change) to use CloudFlare DNS validation: (replace the and all related domains to yours)
sudo certbot -a dns-cloudflare ---cert-name --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d, --preferred-challenges dns-01

This shouldn’t be an issue.

After you convert the certificate, you could just use certbot renew like before, but it would renew by CloudFlare DNS validation instead of the regular HTTP validation.

Thank you


If @khasburrahman is using the Ubuntu PPA, they should avoid installing from pip if they can:

sudo apt install python-certbot-dns-cloudflare


Ok I followed the tutorial, I just changed the secret file to to exists in ubuntu user folder

sudo certbot -a dns-cloudflare --cert-name --dns-cloudflare-credentials /home/ubuntu/.secrets/cloudflare.ini -d --preferred-challenges dns-01

and when I run the command it returns

Saving debug log to /var/log/letsencrypt/letsencrypt.log
With the dns-cloudflare plugin, you probably want to use the "certonly" command, eg:

    certbot certonly --dns-cloudflare

(Alternatively, add a --installer flag. See
 and "--help plugins" for more information.)

So I run with

sudo certbot certonly -a dns-cloudflare --cert-name --dns-cloudflare-credentials /home/ubuntu/.secrets/cloudflare.ini -d --preferred-challenges dns-01

then it asks me to generate a new one, or keep the existing, Should I generate a new one?

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate


I would suggest to replace the file now (and reload the server after the new certificate issued).

Thank you


Thank you so much! Appreciate it!


Renewal is done with certbot renew. Perhaps Ubuntu already has a systemd timer in place.

closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.