Also, because Certbot can be used to manage Let’s Encrypt certificates for domain names hosted elsewhere, there is no requirement for the system running Certbot to have a web server like Apache/httpd running (for domain verification purposes).
In this case, (Certbot) domain verification is handled by DNS records managed by qualified third party DNS providers. One such provider is, of course, the ever-popular Cloudflare service. If, like gidblog.com, your web site is also protected and served by Cloudflare, this information is relevant to you.
Check if your DNS provider supports Certbot here.
So, to get a new (or renew a) Let’s Encrypt SSL/TLS certificate for your web site, you’ll need to do 3 tasks:
- Install Certbot
- Create a credentials file for your DNS provider
- Run a Certbot command
This what I did myself to accomplish these 3 tasks, and I have just replaced “gidblog.com” with “example.com” in the notes below.
1. Install Certbot on CentOS 7
Before proceeding, please ensure that you enable the EPEL (Extra Packages for Enterprise Linux) repository on your CentOS 7 server. Then…
In a terminal (as root):
yum install certbot python2-certbot-dns-cloudflare
2. Create a credentials file for Cloudflare
Next, you need to prepare a credentials file, e.g. credentials.ini, that will allow Certbot access to the Cloudflare API using your private data in the file. Let’s create this credentials file now. Again, in a terminal (as root):
mkdir $HOME/.secret $HOME/.secret/cf vi $HOME/.secret/cf/credentials.ini
# Cloudflare API credentials used by Certbot # dns_cloudflare_email = [email protected] dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
After saving and closing the credentials file, let’s modify the permissions of the file so no one else can access/read it. In the same terminal (as root):
chmod 600 $HOME/.secret/cf/credentials.ini
3. Run Certbot command to create certificate
To create a Let’s Encrypt SSL/TLS certificate for domain names: example.com and www.example.com. In a terminal (as root):
certbot certonly \ --dns-cloudflare \ --dns-cloudflare-credentials $HOME/.secret/cf/credentials.ini \ -d example.com \ -d www.example.com
If everything goes as planned, the final output from this command will look something like this:
– Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-02-19. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run “certbot renew”