A couple of days ago, I received an email from Let's Encrypt telling me that the certificate for my domain would expire soon. This domain had been secured with certbot, and automatic renewal had worked well until then. About one month ago, I added the domain to the Cloudflare CDN, which may have hindered the certificate renewal.
So I spent some time fixing the problem.
The server runs Debian 10 (buster) with the nginx HTTP server installed. HTTPS had been set up with certbot as suggested:
# Install certbot
On Cloudflare, this domain was configured as follows:
- TTL: Auto
- Proxy status: Proxied (Orange icon)
- Modify nameservers to Cloudflare nameservers
- Full (strict): Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server
When I ran certbot renew --dry-run, the error messages mentioned DNS. The Cloudflare proxy means the HTTP-based challenge no longer reaches the origin directly, so renewal has to validate through DNS instead. Install the certbot Cloudflare DNS plugin and create a directory for its credentials:
sudo apt install python3-cloudflare python3-certbot-dns-cloudflare
sudo mkdir /etc/cloudflare
Depending on the version of python3-cloudflare, the content of credential.ini differs:
- Version 2.3.1 or later
Use a Cloudflare restricted API token (recommended)
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
- Version earlier than 2.3.1
Use the Global API Key (NOT recommended)
dns_cloudflare_email = [email protected]
sudo chmod 0600 /etc/cloudflare/credential.ini
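Because the credentials file grants write access to the zone's DNS records, it is worth checking it before trusting it for unattended renewals. The following POSIX sh script is an added example and is not part of the original post or of certbot: it verifies that the file is owner-only (0600 or 0400), detects which of the two credential layouts described above is in use, and flags the over-privileged Global API Key variant. The file path, the return codes and the constructed sample files in the demo are my own choices; the placeholder token and key values are not real credentials.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a certbot
# dns-cloudflare credentials file before relying on it for renewals.
# Assumes the key names shown above (dns_cloudflare_api_token, or
# dns_cloudflare_email + dns_cloudflare_api_key); the path is a parameter.

# check_cf_credentials FILE
# Prints a one-line verdict and returns:
#   0  file is owner-only and uses a restricted API token
#   1  file is owner-only but uses the Global API Key (works, over-privileged)
#   2  file is missing, readable by others, or has no usable credentials
check_cf_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }

    # stat -c is GNU coreutils (Debian); fall back to BSD/macOS stat -f.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "insecure mode $mode on $f (expected 0600)"; return 2 ;;
    esac

    if grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f"; then
        echo "ok: restricted API token in $f"
        return 0
    fi
    if grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$f" \
       && grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        echo "warning: Global API Key in $f; prefer a scoped API token"
        return 1
    fi
    echo "no usable credentials in $f"
    return 2
}

# Demonstration on constructed files in a temp dir (placeholder secrets only).
demo() {
    d=$(mktemp -d)
    printf 'dns_cloudflare_api_token = EXAMPLE_TOKEN_PLACEHOLDER\n' > "$d/token.ini"
    chmod 0600 "$d/token.ini"
    printf 'dns_cloudflare_email = user@example.invalid\n' > "$d/global.ini"
    printf 'dns_cloudflare_api_key = EXAMPLE_KEY_PLACEHOLDER\n' >> "$d/global.ini"
    chmod 0600 "$d/global.ini"
    printf 'dns_cloudflare_api_token = EXAMPLE_TOKEN_PLACEHOLDER\n' > "$d/loose.ini"
    chmod 0644 "$d/loose.ini"
    for name in token global loose; do
        rc=0
        check_cf_credentials "$d/$name.ini" || rc=$?
        echo "$name.ini -> rc=$rc"
    done
    rm -rf "$d"
}

demo
```

On the real system, run check_cf_credentials /etc/cloudflare/credential.ini as root (the file is unreadable to other users by design); a return code of 1 means renewal will work but the key in the file can do far more than edit one TXT record, so rotating to a scoped token is the better fix.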
Since HTTPS is already configured on the server, only a new certificate needs to be generated here:
sudo certbot certonly \
sudo certbot renew --dry-run
Now the automatic renewal works again.