Automatically Renew Let’s Encrypt SSL Certificates with Certbot and Cloudflare on AWS EC2
This tutorial will guide you through setting up automatic SSL certificate renewal using Let’s Encrypt, Certbot, and Cloudflare DNS verification on an AWS EC2 instance. We’ll use pierrehenry as the sample domain. Simply replace it with your own domain throughout the tutorial.
Prerequisites
First, we need to install Certbot and the Cloudflare and Nginx plugins:
In your terminal, install the needed packages:
sudo apt update
sudo apt install -y certbot python3-certbot-nginx python3-certbot-dns-cloudflare
Once this is done, you should see the list of installed plugins with certbot plugins command in your terminal.
Create Cloudflare API Token
- Sign in to your Cloudflare account dashboard
- Go to My Profile and select API Tokens
- Click Create Token and choose the Edit zone DNS template
- Configure the following permissions:
- Zone > DNS > Edit
- Zone > Zone > Read
- Specify your domain under Zone Resources
- Generate the token and copy it for later use
Note: We’ll use API Tokens instead of Global API Keys as they’re more secure and provide more granular permissions and are easier to revoke as well.
Configure Cloudflare Credentials
Create the credentials directory and file with proper permissions:
mkdir -p ~/.secrets/certbot
touch ~/.secrets/certbot/cloudflare.ini
chmod 700 ~/.secrets/certbot
Add your Cloudflare credentials to ~/.secrets/certbot/cloudflare.ini:
# Cloudflare API credentials used by Certbot
# Not Recommended One: Credentials using Global API Key #
#dns_cloudflare_email = "your-email@example.com"
#dns_cloudflare_api_key
# Recommended one: Using restricted API Token #
dns_cloudflare_api_token = "your-cloudflare-token"
Set secure UNIX permissions to the credentials file:
chmod 600 ~/.secrets/certbot/cloudflare.ini
Request the Wildcard Certificate
Run the following command to obtain your certificate. Don’t forget to replace pierrehenry.dev with your own domain):
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
-d "*.pierrehenry.dev" \
-d "pierrehenry.dev" \
--cert-name wildcard-app-pierrehenry
Configure Nginx
Update your Nginx configuration in /etc/nginx/sites-enabled/pierrehenry.conf:
# Redirect HTTP to HTTPS
server {
listen 80;
server_name *.pierrehenry.dev pierrehenry.dev;
return 301 https://$host$request_uri;
}
# HTTPS configuration
server {
listen 443 ssl http2;
server_name *.pierrehenry.dev pierrehenry.dev;
# SSL configuration
ssl_certificate /etc/letsencrypt/live/wildcard-app-pierrehenry/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wildcard-app-pierrehenry/privkey.pem;
# SSL security settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
# HSTS (uncomment if you're sure)
# add_header Strict-Transport-Security "max-age=31536000" always;
# Other configurations...
}
Test and reload Nginx:
sudo nginx -t
sudo systemctl reload nginx # Dont forget to restart!
Verify Automatic Renewal
Test the renewal process:
sudo certbot renew --dry-run
Check the renewal timer:
systemctl list-timers certbot.timer
By default, Certbot will attempt renewal twice daily when certificates are due for renewal (within 30 days of expiration). You can verify the renewal configuration in /etc/letsencrypt/renewal/wildcard-app-pierrehenry.conf.
Manual Renewal (without dns-cloudflare plugin)
If, for whatever reason, you need to go with the manual renewal process, you will need to add a TXT DNS record → Zone > DNS > Add, and add the _acme-challenge name with the given value from your shell output.
sudo certbot certonly --manual --preferred-challenges=dns -d "*.pierrehenry.dev" -d "pierrehenry.dev" --cert-name wildcard-app-pierrehenry
Troubleshooting
If you encounter issues:
- Check the Certbot logs:
sudo journalctl -u certbot.service - Verify Cloudflare API token permissions
- Ensure the credentials file has correct permissions
- Check Nginx error logs:
sudo tail -f /var/log/nginx/error.log
Resources
- https://www.timatlee.com/post/certbot_dns_challenge_with_apache_and_cloudflare/
- https://developers.cloudflare.com/fundamentals/api/get-started/create-token/
- https://certbot.eff.org/docs/using.html#dns-plugins
🏁 Follow my Software Engineering Journey on PierreHenry.Dev
Top comments (0)