
Securing Your Site with Let's Encrypt SSL Using Certbot and Cloudflare on Ubuntu

Enhance the security of your website hosted on an Ubuntu server by using Certbot to issue and manage Let's Encrypt SSL certificates. This tutorial guides you through the installation of Certbot and its plugins for Nginx and Cloudflare, followed by configuring Certbot to automatically verify domain ownership through Cloudflare.

Prerequisites

  • An Ubuntu server (18.04, 20.04, or later).
  • Nginx installed and configured to serve at least one domain.
  • A Cloudflare account managing the DNS for your domain.

Step 1: Install Certbot and Plugins

Update Package Index

Ensure your Ubuntu package list is up-to-date:

sudo apt update

Install Certbot and the Nginx Plugin

Install Certbot and its Nginx plugin using apt:

sudo apt install certbot python3-certbot-nginx -y

Install the Cloudflare DNS Plugin

Install the Certbot Cloudflare DNS plugin to use DNS records hosted by Cloudflare for domain verification:

sudo apt install python3-certbot-dns-cloudflare -y

Step 2: Configuring Cloudflare API Credentials

Certbot needs permission to access your Cloudflare account so it can create the temporary DNS TXT records used for domain verification. A scoped API token limited to editing DNS for the relevant zones is all it needs.

  1. Create an API Token in your Cloudflare account under the "API Tokens" section of the "My Profile" page:

    • Select "Create Token".
    • Use the "Edit zone DNS" template as a starting point.
    • Add all zones from your account or specify zones to include.
    • Set permissions to "Zone - DNS - Edit".
    • Name your token and create it.
  2. Create a configuration file for your Cloudflare credentials on your server (the directory usually already exists once Certbot is installed, so -p keeps mkdir from failing):

sudo mkdir -p /etc/letsencrypt
sudo nano /etc/letsencrypt/.cloudflare.ini

  3. Add the following content, replacing your_api_token with your actual Cloudflare API token:

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = your_api_token

  4. Secure the credentials file by restricting its permissions so that only root can read the token:

sudo chmod 600 /etc/letsencrypt/.cloudflare.ini
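A quick way to confirm the credentials file is in the shape this guide expects before handing it to Certbot, added here as an example and not part of the original guide. It assumes GNU coreutils stat on Linux and takes the file path and the expected owner as arguments.

```shell
# Added example: sanity-check a Certbot Cloudflare credentials file.
# Usage: check_cf_credentials FILE [OWNER]   (OWNER defaults to root)
# Returns 0 when every check passes, 1 otherwise, printing what failed.
check_cf_credentials() {
    file=$1
    owner=${2:-root}
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi
    # Mode check: anything wider than 0600/0400 lets other local users
    # read the token (this is what the chmod 600 step above guarantees).
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "bad mode $mode (want 600): $file"; rc=1 ;;
    esac
    if [ "$(stat -c '%U' "$file")" != "$owner" ]; then
        echo "bad owner (want $owner): $file"; rc=1
    fi
    # The legacy Global API Key grants full account access; the guide uses a
    # scoped token (dns_cloudflare_api_token) limited to Zone:DNS:Edit.
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
        echo "legacy global API key present; use a scoped API token instead"; rc=1
    fi
    # The token value must be present and not the guide's placeholder.
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$file" | head -n1)
    case "$token" in
        ""|your_api_token) echo "placeholder or empty dns_cloudflare_api_token"; rc=1 ;;
    esac
    return $rc
}
```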

Step 3: Obtain an SSL Certificate

Run Certbot with the Cloudflare DNS plugin to obtain your certificate:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/.cloudflare.ini -d yourdomain.com -d *.yourdomain.com --preferred-challenges dns-01 --dns-cloudflare-propagation-seconds 60

Replace yourdomain.com with your actual domain. You can specify multiple domains and subdomains by adding additional -d parameters.

Understanding Wildcard Certificates

By including *.yourdomain.com in the command above, you are creating a wildcard certificate. Here's how wildcard certificates differ from standard certificates:

Wildcard Certificate (*.yourdomain.com):

  • Secures your main domain AND all first-level subdomains with a single certificate
  • Example: One cert covers cloud.yourdomain.com, jellyfin.yourdomain.com, portainer.yourdomain.com, etc.
  • Benefit: Add new subdomains without requesting new certificates
  • Limitation: Only covers one level (won't cover sub.sub.yourdomain.com)

Standard Certificate:

  • Must explicitly list each subdomain you want to secure
  • Example: -d yourdomain.com -d cloud.yourdomain.com -d jellyfin.yourdomain.com
  • Benefit: More granular control over which subdomains are secured
  • Limitation: Need to request a new certificate when adding subdomains

For most users managing multiple services across subdomains, a wildcard certificate is the recommended choice for simplicity and flexibility.
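The one-level rule above applied to concrete hostnames, as an added example that is not part of the original guide: a wildcard name stands in for exactly one DNS label, so *.yourdomain.com covers cloud.yourdomain.com but neither yourdomain.com itself nor sub.sub.yourdomain.com. Pure POSIX sh; hostnames are assumed to be lowercase.

```shell
# Added example: does a certificate name cover a given host?
# Usage: cert_name_matches PATTERN HOST -> 0 if covered, 1 otherwise.
cert_name_matches() {
    pattern=$1
    host=$2
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*.}            # everything after "*."
            case "$host" in
                *."$suffix")
                    label=${host%."$suffix"} # the part the asterisk stands for
                    case "$label" in
                        ""|*.*) return 1 ;;  # empty or more than one label: not covered
                        *) return 0 ;;
                    esac ;;
                *) return 1 ;;
            esac ;;
        *)
            # Non-wildcard names must match exactly.
            [ "$pattern" = "$host" ] ;;
    esac
}

# Check one host against every name a certificate was requested for
# (the same list you pass with repeated -d parameters).
# Usage: host_covered HOST NAME... -> 0 if any name covers HOST.
host_covered() {
    host=$1; shift
    for name in "$@"; do
        cert_name_matches "$name" "$host" && return 0
    done
    return 1
}
```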

Follow the interactive Certbot instructions. If successful, your certificate and keys will be stored in /etc/letsencrypt/live/yourdomain.com/.

Step 4: Configuring Nginx to Use the SSL Certificate

Edit your domain's Nginx configuration file:

Note: example Nginx configs can be found in the documentation's Nginx examples section.

sudo nano /etc/nginx/sites-available/yoursite.conf

Ensure there is a server block for HTTPS configured to use the SSL certificate and key:

server {
    listen 443 ssl;
    server_name sub.yourdomain.com;

    # Certificate chain and private key issued in Step 3
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # Additional SSL settings...
}

Enable the site by symlinking its config into sites-enabled, replacing yoursite.conf with the name of the .conf file you just created:

sudo ln -s /etc/nginx/sites-available/yoursite.conf /etc/nginx/sites-enabled/

Reload Nginx to apply the changes:

sudo systemctl reload nginx

Step 5: Setting Up Automatic Renewal

Let's Encrypt certificates are valid for 90 days. The Ubuntu package installs a systemd timer (certbot.timer) that runs the renewal for you; verify that a renewal would succeed with a dry run:

sudo certbot renew --dry-run

If the test is successful, Certbot will renew your certificates automatically.

Conclusion

You've successfully secured your website served by Nginx on Ubuntu using an SSL certificate issued by Let's Encrypt, verified through Cloudflare. This setup not only enhances your site's security but also automates the renewal process, ensuring uninterrupted HTTPS service.

Changelog

docs: add explanation of wildcard certificates in Certbot installation guide
Fix relative path traversal errors for Examples/Nginx links
Convert internal documentation links from absolute to relative paths
