Automating HTTPS certificates with Certbot on Ubuntu, Cloudflare, and Nginx

There is already plenty of documentation online for generating Let’s Encrypt certificates with Certbot, but I still wanted to keep my own notes here for future reference.

In this setup, the operating system is Ubuntu 20.04, DNS is managed with Cloudflare, and Nginx is used as the web server.

Following the steps below is enough to get it working.

Install Certbot

You can install it with the following commands. In some environments, snap install can be slow and may need to be retried once or twice:

apt install snapd
snap install core
snap refresh core
snap install --classic certbot

After installation, run certbot --version. If it prints a version number, the installation is successful.

Install the Cloudflare plugin

To renew certificates automatically, you also need the plugin for your DNS provider. Since I use Cloudflare for DNS, I installed the Cloudflare plugin like this:

snap set certbot trust-plugin-with-root=ok
snap install certbot-dns-cloudflare

Create a Cloudflare API token

To use the Cloudflare plugin, first log in to Cloudflare and create an API token that is only allowed to manage DNS records.

You can create it here after signing in:

https://dash.cloudflare.com/profile/api-tokens

Once the token is created, save it somewhere safe and then create the Certbot credentials file:

mkdir -p ~/.secrets/certbot
vim ~/.secrets/certbot/cloudflare.ini

The file should contain:

dns_cloudflare_api_token = YOUR_API_TOKEN

After saving it, tighten the file permissions. Otherwise Certbot will warn that the credentials file is insecure:

chmod 600 ~/.secrets/certbot/cloudflare.ini

Request the certificate

Now you can generate the certificate Nginx will use:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d knktc.com

Note the use of --dns-cloudflare-propagation-seconds 60. I increased the wait time to 60 seconds because the default 10 seconds sometimes caused validation failures.

The issued certificate and private key will be placed under:

/etc/letsencrypt/live/YOUR_HOST/

For reference, here is a related Nginx configuration snippet:

listen 443 ssl http2;
server_name knktc.com;
ssl_certificate /etc/letsencrypt/live/knktc.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/knktc.com/privkey.pem; # managed by Certbot

# TLSv1 and TLSv1.1 are deprecated; "ssl_protocols TLSv1.2 TLSv1.3;" is the usual choice today
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
keepalive_timeout 70;
ssl_session_timeout 5m;

Scheduled renewal

You can verify whether Certbot’s scheduled renewal task has been added successfully with:

systemctl list-timers

If you want Nginx to reload automatically whenever a new certificate is issued, add a renewal hook script:

vim /etc/letsencrypt/renewal-hooks/post/reload-nginx

Put the following into the file:

#!/bin/sh
systemctl reload nginx

Then make it executable:

chmod +x /etc/letsencrypt/renewal-hooks/post/reload-nginx

With that in place, Nginx will automatically reload after every successful certificate renewal.
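As an added sanity check (my own script, not part of the original post or of Certbot), the following POSIX shell script verifies the pieces set up above: the credentials file is owner-only and holds a real token rather than the YOUR_API_TOKEN placeholder, the post-renewal hook is executable, and a simulated renewal succeeds. It assumes GNU stat (as on Ubuntu) and the file paths used in this post; both paths can be overridden through the CREDS and HOOK environment variables.

```shell
#!/bin/sh
# Added post-setup checks for the Certbot + Cloudflare DNS setup in this post.
# Assumes GNU stat (Ubuntu) and the paths used above; both are overridable.
CREDS="${CREDS:-$HOME/.secrets/certbot/cloudflare.ini}"
HOOK="${HOOK:-/etc/letsencrypt/renewal-hooks/post/reload-nginx}"

# 0 when the credentials file is a regular file readable by its owner only
# (mode 600 or 400), which is what silences Certbot's "insecure" warning.
check_creds_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# 0 when the file carries a dns_cloudflare_api_token that is non-empty and
# is not the YOUR_API_TOKEN placeholder from the template above.
check_creds_content() {
    tok=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | head -n 1)
    [ -n "$tok" ] && [ "$tok" != "YOUR_API_TOKEN" ]
}

# 0 when the renewal hook exists, is executable and starts with a shebang;
# Certbot only runs hook files that are executable, so a forgotten chmod +x
# means renewals succeed but Nginx keeps serving the old certificate.
check_hook() {
    [ -x "$1" ] || return 1
    head -c 2 "$1" | grep -q '^#!'
}

# Runs every check, prints one line each, and returns the number of failures.
run_checks() {
    fails=0
    if check_creds_perms "$CREDS"; then echo "ok: $CREDS is owner-only"
    else echo "FAIL: chmod 600 $CREDS"; fails=$((fails + 1)); fi
    if check_creds_content "$CREDS"; then echo "ok: API token present"
    else echo "FAIL: no usable dns_cloudflare_api_token in $CREDS"; fails=$((fails + 1)); fi
    if check_hook "$HOOK"; then echo "ok: $HOOK is executable"
    else echo "FAIL: $HOOK missing or not executable (chmod +x)"; fails=$((fails + 1)); fi
    # Simulated renewal against the staging environment; no live cert is touched.
    if command -v certbot >/dev/null 2>&1; then
        if certbot renew --dry-run >/dev/null 2>&1; then echo "ok: certbot renew --dry-run"
        else echo "FAIL: certbot renew --dry-run (see /var/log/letsencrypt)"; fails=$((fails + 1)); fi
    fi
    return "$fails"
}

# Usage: sh certbot-check.sh run   (no argument only defines the functions)
case "${1:-}" in run) run_checks ;; esac
```

Run it as root (or as the user that owns the credentials file) once after the initial issuance and again whenever the hook or credentials are changed; a non-zero exit status is the number of failed checks.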

If my writing helped you, could you buy me a can of cola?