Implementing Wildcard SSL Certificates using Certbot and Cloudflare
A wildcard SSL certificate is a certificate that is valid for all subdomains of your domain (e.g., wiki.example.com, files.example.com; the command below also covers the bare domain example.com). If you use Cloudflare for your DNS, you can get a wildcard SSL certificate easily with Certbot. Certbot will use the Cloudflare DNS plugin to create, validate, and then remove a TXT record via Cloudflare’s API. This process proves that you control the domain and are authorized to obtain an SSL certificate for it.
Step 1: Install Certbot
apt install python3-certbot-dns-cloudflare
Configure Cloudflare Credentials
You will need the email address associated with your Cloudflare account, and your Cloudflare Global API Key.
Make a folder for confidential files
mkdir /root/.secrets/
touch /root/.secrets/cloudflare.ini
Store your credentials securely in the secrets file
nano /root/.secrets/cloudflare.ini
The file should contain the following:
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = yourapikey
Save the file (Control + X, press ‘Y’ to Save, and press Enter).
Protect the file containing confidential information
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
Get your Certificates
Once you have completed the Certbot installation, obtain your certificates from Let's Encrypt using the following command (entered on one line):
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01
Remember to replace "example.com" with your actual domain
Your certificates will be saved to /etc/letsencrypt/live/example.com/.
Keep the certificates in this folder!
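As an added example (not part of the original guide), the shell script below performs the credentials-file steps above with the same modes the guide uses, checks the file before certbot is run, and prints the guide's certbot command for the given domain. The path, email and key are placeholders passed as arguments; the check also accepts the plugin's alternative dns_cloudflare_api_token key.

```shell
#!/bin/sh
# Added example (not from the original guide): create and verify the
# Cloudflare credentials file from the steps above. Path, email and key
# are placeholders passed as arguments.

# Write the file under umask 077 so it is never readable by others, then
# apply the exact modes the guide uses (0700 on the folder, 0400 on the file).
write_cloudflare_ini() { # $1=ini path  $2=Cloudflare email  $3=Global API Key
    dir=$(dirname "$1")
    ( umask 077; mkdir -p "$dir"
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' "$2" "$3" > "$1" )
    chmod 0700 "$dir" && chmod 0400 "$1"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Pre-flight check before running certbot: the file must exist, must not be
# readable by group/other, and must hold a complete credential set. The
# plugin also accepts a scoped token via dns_cloudflare_api_token, so that
# form passes as well.
check_cloudflare_ini() { # $1=ini path
    [ -f "$1" ] || { echo "missing credentials file: $1" >&2; return 1; }
    mode=$(file_mode "$1")
    case "$mode" in
        400|600) ;;
        *) echo "insecure mode $mode on $1 (expected 0400)" >&2; return 1 ;;
    esac
    if grep -Eq '^dns_cloudflare_api_token[[:space:]]*=' "$1"; then return 0; fi
    if grep -Eq '^dns_cloudflare_email[[:space:]]*=' "$1" &&
       grep -Eq '^dns_cloudflare_api_key[[:space:]]*=' "$1"; then return 0; fi
    echo "incomplete credentials in $1" >&2
    return 1
}

# Print the one-line certbot command from the guide (bare domain plus wildcard)
# so it can be reviewed before being run as root.
certbot_cmd() { # $1=domain  $2=ini path
    printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s -d %s,*.%s --preferred-challenges dns-01' "$2" "$1" "$1"
}

# Example flow on the real host (as root), with placeholder values:
#   write_cloudflare_ini /root/.secrets/cloudflare.ini you@example.com YOURKEY
#   check_cloudflare_ini /root/.secrets/cloudflare.ini && certbot_cmd example.com /root/.secrets/cloudflare.ini
```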
Renewal
Certbot has a renewal script that executes twice daily and renews certificates automatically if they will expire in the next 30 days.
You can verify this script is running by using
sudo systemctl status certbot.timer