Letsencrypt SSL Certs: Difference between revisions
Revision as of 12:01, 16 February 2026
Introduction
We chose to use Letsencrypt SSL certificates in addition to the Cloudflare origin certs because we occasionally need to serve SSL websites and services directly, and while the Cloudflare origin certs work well and are easy to set up, they are not publicly recognised. To set up the ACME Let's Encrypt service (specifically using acme.sh) on Raisin with Cloudflare DNS, we want a wildcard cert so that we don't have to keep adding to a growing list of domain names.
Installation
This section sets up the certbot Let's Encrypt service on the reverse proxy, Raisin, with Cloudflare DNS. Since we are using a wildcard, the DNS-01 challenge is the only option, and using the Cloudflare API makes it completely automated. The reason for choosing Raisin for the cert download is that the cert will nearly always be needed on Raisin, as it is the host that pfSense directs all HTTPS traffic to.
Install certbot
This setup ensures we get our wildcard certificates without needing a webserver to be reachable from the internet, keeping our security tight.
🏛️ Phase 1: Clean Up & Core Install
Ubuntu 24.04 (Noble) likes its packages to be "clean." Mixing apt and snap is the most common way to break SSL renewals. To purge any old apt versions:
sudo apt-get remove certbot
Install the Snap core (the "engine" for snaps)
sudo snap install core; sudo snap refresh core
Create the symlink (this requires the certbot snap itself to be installed first; it ensures that when we type certbot, the system finds the snap version):
sudo ln -s /snap/bin/certbot /usr/bin/certbot
🔑 Cloudflare API Token
To get the Cloudflare API Token, we need to head into the Cloudflare dashboard. Since we have both .net and .uk domains, we can handle them with a single command or separate ones depending on whether we want one "combined" certificate or two distinct ones. In our case we will get two separate keys.
- Log in to your Cloudflare Dashboard.
- Click on the User Profile icon (top right) and select My Profile.
- Click API Tokens in the left sidebar.
- Click Create Token.
- Find the template "Edit zone DNS" and click Use template.
- Permissions: Ensure it says Zone - DNS - Edit (and optionally Zone - Zone - Read).
- Zone Resources:
  - If you want one token for both domains, select Include - All zones.
  - If you want to be extra secure, select Include - Specific zone and add both seaoffate.net and seaoffate.uk.
- Click Continue to summary and then Create Token.
- Copy the token immediately! Cloudflare won't show it to you again.
🔑 Phase 2: The Cloudflare Plugin & Secret
Since we want *.seaoffate.net, Certbot needs to "talk" to Cloudflare to create a temporary TXT record. To authorize the plugin:
sudo snap set certbot trust-plugin-with-root=ok
Install the Cloudflare DNS plugin
sudo snap install certbot-dns-cloudflare
Create the credentials file. It's best practice to keep this in the /etc/letsencrypt directory; note we also have a cert for the .uk domain, so there will be one file per domain.
sudo mkdir -p /etc/letsencrypt/cloudflare
sudo nano /etc/letsencrypt/cloudflare/cloudflare_net.ini
Add your API token. Note: use a Token, not your Global API Key. It only needs "Zone:DNS:Edit" permissions. We repeat this step for the .uk key.
dns_cloudflare_api_token = 0123456789abcdefyourtokenhere
Then the same for the .uk key
sudo nano /etc/letsencrypt/cloudflare/cloudflare_uk.ini
and copy the other key for the .uk domain
dns_cloudflare_api_token = 0123456789abcdefyourtokenhere
Lock down the files (Safety First!)
sudo chmod 600 /etc/letsencrypt/cloudflare/cloudflare_net.ini
sudo chmod 600 /etc/letsencrypt/cloudflare/cloudflare_uk.ini
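A pre-flight check for the two credentials files, added here as an example (it is not part of the wiki page): it confirms each file is owner-only, owned by the expected user, uses the scoped dns_cloudflare_api_token key rather than the legacy Global API Key fields, and no longer holds the placeholder token. It assumes GNU coreutils (stat -c), as on Ubuntu.

```bash
#!/bin/sh
# Added example, not from the wiki page. Checks a certbot-dns-cloudflare
# credentials file before certbot is pointed at it. Assumes GNU stat.
set -u

# check_cf_creds FILE [OWNER]
# Returns 0 if FILE is safe to use, 1 otherwise, printing each problem found.
# OWNER defaults to root, which is what the page's sudo nano/chmod produce.
check_cf_creds() {
    f=$1; want_owner=${2:-root}; problems=0
    if [ ! -f "$f" ]; then
        echo "$f: missing"; return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    # The token can edit DNS for the zone: nobody but the owner may read it.
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode (expected 600)"; problems=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$f: owned by $owner (expected $want_owner)"; problems=1
    fi
    # dns_cloudflare_email / dns_cloudflare_api_key are the plugin's legacy
    # Global API Key fields; that key is account-wide, not zone-scoped.
    if grep -Eq '^[[:space:]]*dns_cloudflare_(email|api_key)[[:space:]]*=' "$f"; then
        echo "$f: uses Global API Key fields; use a scoped API Token instead"
        problems=1
    fi
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" | head -n 1)
    if [ -z "$token" ]; then
        echo "$f: no dns_cloudflare_api_token line"; problems=1
    elif [ "$token" = "0123456789abcdefyourtokenhere" ]; then
        echo "$f: still contains the placeholder token"; problems=1
    fi
    return $problems
}

# Check every file given on the command line, e.g.
#   sudo sh check_cf_creds.sh /etc/letsencrypt/cloudflare/*.ini
for f in "$@"; do
    check_cf_creds "$f" && echo "$f: ok"
done
```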
🚀 Phase 3: Getting the First Certificate
Now we run the big command. This generates the cert and registers the deploy hook (so Nginx reloads itself after each renewal, roughly every 60 days). We have chosen to keep the two separate credential files, so we run the command twice. Certbot creates two separate renewal profiles in /etc/letsencrypt/renewal/.
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare/cloudflare_net.ini \
  --dns-cloudflare-propagation-seconds 60 \
  --deploy-hook "systemctl reload nginx" \
  --cert-name seaoffate.net \
  -d seaoffate.net -d "*.seaoffate.net"
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/letsencrypt/cloudflare/cloudflare_uk.ini \
  --dns-cloudflare-propagation-seconds 60 \
  --deploy-hook "systemctl reload nginx" \
  --cert-name seaoffate.uk \
  -d seaoffate.uk -d "*.seaoffate.uk"
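The two commands above wrapped in a small script, added here as an example (not the wiki page's own code): it maps each zone to its credentials file, issues the cert with the same arguments as above, and then checks that the fullchain.pem certbot wrote really carries the wildcard SAN, which is the easiest way to notice a run that only covered the apex. It assumes the page's zone names and paths; pass --dry-run as an extra argument to rehearse against the staging environment.

```bash
#!/bin/sh
# Added example, not from the wiki page. Issues one wildcard cert per zone
# and verifies the result. Assumes the credentials files from Phase 2.
set -eu

CF_DIR=/etc/letsencrypt/cloudflare

# creds_for ZONE: print the credentials file holding the token for ZONE.
creds_for() {
    case "$1" in
        seaoffate.net) echo "$CF_DIR/cloudflare_net.ini" ;;
        seaoffate.uk)  echo "$CF_DIR/cloudflare_uk.ini" ;;
        *) echo "no credentials file for zone $1" >&2; return 1 ;;
    esac
}

# issue_cert ZONE [extra certbot flags...]: the page's certonly command,
# apex plus wildcard, one renewal profile per zone.
issue_cert() {
    zone=$1; shift
    certbot certonly --dns-cloudflare \
        --dns-cloudflare-credentials "$(creds_for "$zone")" \
        --dns-cloudflare-propagation-seconds 60 \
        --deploy-hook "systemctl reload nginx" \
        --cert-name "$zone" -d "$zone" -d "*.$zone" "$@"
}

# cert_covers PEM NAME: succeed if NAME is listed in PEM's subjectAltName.
# grep -F matches "*.seaoffate.uk" literally rather than as a pattern.
cert_covers() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -xF -- "$2" >/dev/null
}

# issue_and_verify ZONE [extra flags...]: run certbot, then inspect the
# live certificate certbot maintains under /etc/letsencrypt/live.
issue_and_verify() {
    zone=$1; shift
    pem="/etc/letsencrypt/live/$zone/fullchain.pem"
    issue_cert "$zone" "$@"
    if cert_covers "$pem" "*.$zone"; then
        echo "$zone: wildcard present, $(openssl x509 -in "$pem" -noout -enddate)"
    else
        echo "$zone: certificate does not cover *.$zone" >&2; return 1
    fi
}

# Usage: sudo sh issue_certs.sh seaoffate.net seaoffate.uk [--dry-run]
for zone in "$@"; do
    case "$zone" in --*) ;; *) issue_and_verify "$zone" ;; esac
done
```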