Rabikant

Posted on March 9th

Wildcard SSL Certificates with Certbot + Cloudflare

"Let's learn about wildcard SSL certificates with Certbot + Cloudflare, and automatic renewal in production"

What Is a Wildcard SSL Certificate?

A wildcard SSL certificate covers every hostname one label below a given domain, in a single certificate. For example, a wildcard certificate for *.example.com covers:

  • www.example.com
  • blog.example.com
  • shop.example.com

It does not cover the bare apex example.com, and it does not cover deeper names such as dev.api.example.com, because the wildcard stands in for exactly one label. That is why the Certbot command later in this guide requests both *.yourdomain.com and yourdomain.com in the same certificate.

Wildcard certificates suit sites with many subdomains: there is one certificate to issue, renew and deploy instead of one per hostname, and a new subdomain is covered the moment its DNS record exists. The trade-off is that a single private key now protects every subdomain, so that key (and the API credential used to obtain it) must be guarded accordingly.

The Cloudflare & Certbot Tutorial for Wildcard Certificates

Certbot is the most widely used client for obtaining and renewing Let's Encrypt certificates. Wildcard certificates can only be validated with the DNS-01 challenge, which requires publishing a TXT record under the domain. With the Cloudflare DNS plugin, Certbot creates and removes that record itself through the Cloudflare API, so no manual DNS edit is needed, the run is repeatable, and renewals can happen unattended.

Prerequisites

  1. Cloudflare Account: Cloudflare must be the authoritative DNS for your domain (the zone's nameservers point at Cloudflare), otherwise the records Certbot creates are never seen by Let's Encrypt.
  2. Cloudflare API Token: a scoped token that lets Certbot create and delete the DNS-01 challenge records in that zone.
  3. Server with Certbot: a Linux host (Ubuntu in this guide) where Certbot runs. Because DNS-01 involves no inbound HTTP, this host does not need to be reachable on port 80 or 443 from the internet.

Setting Up a Wildcard SSL Certificate with Certbot and Cloudflare

Step 1: Install Certbot and the Cloudflare Plugin

If Certbot is not yet installed on your server, you can install it along with the Cloudflare DNS plugin using the following commands:

sudo apt update
sudo apt install certbot python3-certbot-dns-cloudflare

These commands install Certbot and the Cloudflare plugin, allowing Certbot to manage DNS challenges directly with Cloudflare’s API.

Step 2: Generate a Cloudflare API Token

Use a scoped API token rather than your Global API Key. The Global API Key has full control over everything in your Cloudflare account, while a token can be limited to editing DNS records in one zone, which is all Certbot needs.

  1. Log in to Cloudflare and navigate to API Tokens:
    • Go to My Profile > API Tokens > Create Token.
  2. Create a Custom Token with limited permissions:
    • Under Permissions, select:
      • Zone > DNS > Edit
    • Under Zone Resources, choose:
      • Include > Specific Zone > Select your domain(s).
  3. Generate the token and copy it immediately; Cloudflare shows the secret only once, so a lost token has to be rolled or re-created.

Step 3: Store the Cloudflare API Token on Your Server

To keep your API token secure, store it in a file with restricted permissions.

  1. Create the configuration file:

    • Create a file called cloudflare.ini in the /etc/letsencrypt directory:
    sudo nano /etc/letsencrypt/cloudflare.ini
    
  2. Add the API token to the file:

    • Paste the following content, replacing YOUR_API_TOKEN with your actual API token:
    dns_cloudflare_api_token = YOUR_API_TOKEN
    
  3. Secure the file:

    • Set permissions so only root can read it (the file is already root-owned because it was created with sudo). Certbot warns at run time if the credentials file is readable by other users:
    sudo chmod 600 /etc/letsencrypt/cloudflare.ini
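
Steps 1 to 3 above are usually typed by hand. As an added example (not code from the original post), here is the same result done from a script, so the token never appears in shell history or in a briefly world-readable file, together with an audit check that fails when the file is too open or has quietly regressed to the Global API Key. It assumes POSIX sh with GNU or BSD stat; the path /etc/letsencrypt/cloudflare.ini comes from the guide, and the environment variable CF_API_TOKEN is a hypothetical way of handing the token in.

```shell
#!/bin/sh
# Added example (not from the original post): create the Certbot Cloudflare
# credentials file safely and audit it. Assumptions: POSIX sh, GNU or BSD
# stat, path /etc/letsencrypt/cloudflare.ini, hypothetical env var CF_API_TOKEN.

# file_mode FILE: octal permission bits, e.g. 600 (GNU stat, BSD fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_cf_credentials FILE TOKEN: create FILE as 0600 from the first byte
# (umask 077), so there is no window in which another user can read the token.
write_cf_credentials() {
  file=$1; token=$2
  if [ -z "$token" ]; then
    echo "write_cf_credentials: empty token" >&2; return 1
  fi
  old_umask=$(umask)
  umask 077
  printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file"
  umask "$old_umask"
  chmod 600 "$file"            # also fixes a pre-existing, too-open file
}

# check_cf_credentials FILE: 0 if FILE exists, is mode 600 (or 400) and holds
# an API token. Non-zero codes: 1 missing, 2 permissions too open, 3 no token,
# 4 legacy Global API Key present (a full-account credential; fails the audit
# on purpose so a fallback to it does not go unnoticed).
check_cf_credentials() {
  file=$1
  if [ ! -f "$file" ]; then
    echo "$file: missing" >&2; return 1
  fi
  mode=$(file_mode "$file")
  case "$mode" in
    600|400) ;;
    *) echo "$file: mode $mode, expected 600" >&2; return 2 ;;
  esac
  if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
    echo "$file: Global API Key in use; switch to a zone-scoped token" >&2; return 4
  fi
  if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$file"; then
    echo "$file: no dns_cloudflare_api_token entry" >&2; return 3
  fi
  return 0
}

# verify_cf_token FILE: ask Cloudflare whether the stored token is active and
# which account it belongs to. Real endpoint; needs network, so the offline
# checks do not call it.
verify_cf_token() {
  token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1")
  curl -sS -H "Authorization: Bearer $token" \
    https://api.cloudflare.com/client/v4/user/tokens/verify
}

# Typical use as root (not executed here):
#   write_cf_credentials /etc/letsencrypt/cloudflare.ini "$CF_API_TOKEN"
#   check_cf_credentials /etc/letsencrypt/cloudflare.ini \
#     && verify_cf_token /etc/letsencrypt/cloudflare.ini
```

The audit is worth wiring into whatever configuration checks already run on the host: a return code of 2 means the token has been exposed to other local users and should be rolled, and a 4 means someone worked around Step 2 and put the Global API Key on the server.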
    

Step 4: Obtain the Wildcard SSL Certificate

With Certbot installed and the Cloudflare API token in place, you’re ready to request a wildcard certificate. Use the --dns-cloudflare plugin to authenticate via the Cloudflare API and complete the DNS-01 challenge.

Run the following command, replacing yourdomain.com with your actual domain:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d '*.yourdomain.com' -d 'yourdomain.com'

If the command fails with

 * Property "dns_cloudflare_email" not found (should be email address associated with Cloudflare account).
 * Property "dns_cloudflare_api_key" not found (should be API key for Cloudflare account, obtained from https://dash.cloudflare.com/profile/api-tokens).

the installed plugin (or the cloudflare Python library it depends on) predates API token support and only understands the legacy email + Global API Key pair. The right fix is to upgrade Certbot and the plugin (for example to the current certbot and certbot-dns-cloudflare snap packages) and keep the scoped token. If you cannot upgrade, the fallback is to take your account email and Global API Key from https://dash.cloudflare.com/profile/api-tokens and change cloudflare.ini to:

dns_cloudflare_email = your@email.here
dns_cloudflare_api_key = your_global_api_key_here

Treat this as a last resort. The Global API Key grants full control over every zone and setting in your Cloudflare account, so a compromise of this server becomes a compromise of the whole account, which defeats the least-privilege reasoning of Step 2. Roll the key in the Cloudflare dashboard as soon as you have upgraded and switched back to a token.

Explanation of the command:

  • certonly: obtain the certificate but leave the web server configuration alone; you wire it in yourself in Step 5.
  • --dns-cloudflare: use the Cloudflare DNS plugin, i.e. the DNS-01 challenge.
  • --dns-cloudflare-credentials: path to the cloudflare.ini file from Step 3.
  • -d '*.yourdomain.com' -d 'yourdomain.com': put both the wildcard and the apex in the certificate; the wildcard alone does not cover yourdomain.com. Quote the wildcard so the shell does not expand it as a glob.

Certbot will:

  1. Use the Cloudflare API token to create a temporary TXT record at _acme-challenge.yourdomain.com containing the value Let's Encrypt asks for, wait for it to propagate (the plugin waits 10 seconds by default; raise this with --dns-cloudflare-propagation-seconds if validation fails intermittently), and delete the record afterwards.
  2. Obtain the wildcard SSL certificate from Let's Encrypt.
  3. Store the certificate and key under /etc/letsencrypt/live/yourdomain.com/ (symlinks to the versioned files in /etc/letsencrypt/archive/, so the paths stay stable across renewals).

Step 5: Verify Certificate Installation and Set Up Renewal

To confirm that Certbot has correctly installed the certificate:

  1. Locate your certificate files: Certbot saves certificates in /etc/letsencrypt/live/yourdomain.com/. The two you need are fullchain.pem (your certificate followed by the intermediate chain, which is what a server should send) and privkey.pem (the private key, readable by root only; keep it that way).
  2. Configure your web server: Update your server’s configuration (e.g., Nginx or Apache) to use the new certificate files. For example, with Nginx:

    server {
        listen 443 ssl;
        # one server block answers for the apex and every first-level subdomain
        server_name yourdomain.com *.yourdomain.com;

        # fullchain.pem = leaf + intermediate; privkey.pem stays root-only
        ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    }
    
  3. Test the configuration and reload (a reload picks up the new certificate without dropping open connections, and the test prevents a typo from taking the site down):

    sudo nginx -t && sudo systemctl reload nginx
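
The introduction explains which names a wildcard does and does not cover, and this step asks you to confirm the certificate is in place. The following added example (not code from the original post) ties the two together: it implements the hostname-matching rule clients apply to a certificate's subjectAltName entries, and a helper that pulls those entries out of Certbot's fullchain.pem so you can check every hostname you intend to serve before pointing nginx at the files. The matching itself needs no external tools; san_names assumes openssl 1.1.1 or newer for its -ext option. Paths and hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the wildcard matching rule and a
# subjectAltName check against Certbot's fullchain.pem. Assumptions: POSIX sh;
# openssl 1.1.1+ for san_names only. Hostnames and paths are placeholders.

# lower STRING: DNS names are case-insensitive, so compare in lower case.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# cert_covers HOST NAME...: succeed if any NAME covers HOST.
# "*.example.com" matches exactly one label in front of "example.com":
# it does not match the apex example.com and not dev.api.example.com.
cert_covers() {
  host=$(lower "$1"); shift
  for name in "$@"; do
    name=$(lower "$name")
    case "$name" in
      "*."*)
        suffix=${name#\*.}                 # example.com
        prefix=${host%".$suffix"}          # host with ".example.com" removed
        # host must have ended in ".suffix", and what is left must be a
        # single non-empty label (no dots)
        if [ "$prefix" != "$host" ] && [ -n "$prefix" ] \
           && [ "${prefix#*.}" = "$prefix" ]; then
          return 0
        fi
        ;;
      *)
        if [ "$host" = "$name" ]; then return 0; fi
        ;;
    esac
  done
  return 1
}

# san_names FILE: print the DNS names from the certificate's subjectAltName,
# one per line (needs openssl; not exercised by the offline checks).
san_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# check_hosts FILE HOST...: report which HOSTs FILE covers; the return value
# is the number of uncovered hosts (0 means everything you listed is covered).
check_hosts() {
  file=$1; shift
  names=$(san_names "$file") || return 99
  missing=0
  for h in "$@"; do
    # $names is word-split on purpose: one SAN per argument
    if cert_covers "$h" $names; then
      echo "covered:   $h"
    else
      echo "UNCOVERED: $h"
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# Usage on the server (not executed here):
#   check_hosts /etc/letsencrypt/live/yourdomain.com/fullchain.pem \
#     yourdomain.com www.yourdomain.com api.yourdomain.com dev.api.yourdomain.com
# With the certificate from Step 4, the first three are covered and
# dev.api.yourdomain.com is reported UNCOVERED, because it is two labels deep.
```

Run check_hosts with every hostname your nginx server_name directives will answer for; anything it reports as UNCOVERED will produce a certificate warning in browsers, and the usual fix is to add the missing name with another -d in Step 4 rather than to assume the wildcard reaches it.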
    

Step 6: Automate Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, so renewal must be automated. certbot renew inspects every certificate under /etc/letsencrypt, renews those with fewer than 30 days left, and reuses the DNS plugin and credentials file recorded when the certificate was issued.

  1. Test the renewal process to ensure it works correctly:

    sudo certbot renew --dry-run
    
  2. Make sure renewal runs on a schedule:

    • On Ubuntu the certbot package (and the snap) already installs a systemd timer that runs certbot renew twice a day; check with systemctl list-timers before adding anything, or you will run it twice. If no timer exists, open your root crontab:

      sudo crontab -e

    • Add a line that checks for renewal daily (Certbot's documentation suggests twice a day at a random minute to spread load on Let's Encrypt) and reloads nginx whenever a certificate actually changes. Without the deploy hook, nginx keeps serving the old certificate from memory until something else reloads it:

      0 2 * * * /usr/bin/certbot renew --quiet --deploy-hook 'systemctl reload nginx'
      

The --quiet flag suppresses all output except errors, so cron only mails you when something has actually gone wrong. The --deploy-hook command runs once per renewed certificate, not on every check, so the reload happens only when there is a new certificate to load.
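
A one-line --deploy-hook is fine for a host with a single certificate. On a host with several lineages, or where a broken nginx configuration must not be reloaded blindly in the middle of the night, a hook script is safer. The following added example (not code from the original post) is such a script: it reloads nginx only for the lineage nginx serves, and only if nginx -t still passes. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ once per renewed certificate and exports RENEWED_LINEAGE (the live/ directory) and RENEWED_DOMAINS to it. The script name reload-nginx, the lineage yourdomain.com, and the overridable NGINX_TEST / NGINX_RELOAD variables (which let the logic be exercised on a machine without nginx) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a Certbot deploy hook that
# reloads nginx only for the lineage it serves and only when `nginx -t`
# passes. Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/reload-nginx
# (must be executable). Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS.

LINEAGE_NAME=${LINEAGE_NAME:-yourdomain.com}          # assumption: one lineage
NGINX_TEST=${NGINX_TEST:-"nginx -t"}                   # overridable for testing
NGINX_RELOAD=${NGINX_RELOAD:-"systemctl reload nginx"}

# reload_if_renewed LINEAGE DOMAINS
#   0 reloaded; 1 another lineage, nothing to do; 2 not invoked by certbot;
#   3 config test failed, reload deliberately skipped (old cert stays loaded).
reload_if_renewed() {
  lineage=$1; domains=$2
  if [ -z "$lineage" ]; then
    echo "RENEWED_LINEAGE unset: not running under certbot renew" >&2
    return 2
  fi
  case "$lineage" in
    */"$LINEAGE_NAME") ;;
    *) echo "renewed $domains ($lineage) is not served by nginx; skipping"
       return 1 ;;
  esac
  if $NGINX_TEST >/dev/null 2>&1; then
    $NGINX_RELOAD
    echo "nginx reloaded with renewed certificate for: $domains"
    return 0
  fi
  echo "nginx config test failed; keeping the old certificate loaded until fixed" >&2
  return 3
}

# Entry point when certbot invokes the hook. A non-zero exit is reported by
# certbot as a hook error, which is how you find out about a skipped reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  reload_if_renewed "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

Because the hook lives in the renewal-hooks directory, it runs whether renewal is triggered by the systemd timer, a cron entry, or someone running certbot renew by hand, so the cron line no longer needs its own --deploy-hook. Note that Certbot names a re-issued duplicate lineage yourdomain.com-0001; if that ever happens on your host, adjust LINEAGE_NAME or the case pattern accordingly.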

Conclusion

Using wildcard certificates with Certbot and the Cloudflare API saves time and removes the manual DNS edits that make renewals fragile. Keep the API token scoped to DNS edits on the one zone, keep cloudflare.ini readable by root only, and let a deploy hook reload the web server after each renewal. The result, for developers, bloggers and businesses alike, is a single certificate for every subdomain under one domain that renews unattended and stays tightly scoped as the site grows.
