Implementing Wildcard SSL Certificates using Certbot and Cloudflare
A wildcard SSL certificate is a certificate that is valid for all subdomains on your domain (i.e., example.com, wiki.example.com, files.example.com). If you use Cloudflare for your DNS, you can get a wildcard SSL certificate easily with Certbot. Certbot will use the Cloudflare DNS plugin to create, validate, and then remove a TXT record via Cloudflare’s API. This process proves that you own the domain and are authorized to obtain an SSL certificate for it.
Step 1; Install Certbot
apt install python3-certbot-dns-cloudflare
Configure Cloudflare Credentials
You will need the email address associated with your Cloudflare account, and your Cloudflare Global API Key.
Make a folder for confidential files
Store your credentials securely in the secrets file
The file should contain the following:
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = yourapikey
Save the file (Control + X, press ‘Y’ to Save, and press Enter).
Protect the file containing confidential information
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini
Get your Certificates
Once you have completed the Certbot installation. You will be obtaining your certificates from LetsEncrypt usong the following comand on one line.
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01
Remember to replace "example.com" with your actual domain
Your certificates will be saved to
Keep the certificates in this folder!.
Certbot has a renewal script that executes twice daily and renews certificates automatically if they will expire in the next 30 days.
You can verify this script is running by using
sudo systemctl status certbot.timer.