certbot can be used alongside Cloudflare for the purpose of verifying domains by using DNS TXT records as markers. The advantage is that no ports have to be opened such that the validation can be performed well-behind a firewall and only requires that certbot is able to connect outside the network. Similarly, if there are multiple proxies on the network and there exists a complicated routing setup, using DNS authentication will make it such that the proxies will not conflict with each other.
First, the cloudflare DNS plugin for certbot has to be installed:
apt install python3-certbot-dns-cloudflare
Next, the following example /etc/letsencrypt/cli.ini file should update a domain domain.tld using Cloudflare DNS:
# Set email and domains. email = office@domain.tld domains = domain.tld,www.domain.tld,... dns-cloudflare dns-cloudflare-credentials = /etc/letsencrypt/cloudflare.ini dns-cloudflare-propagation-seconds=60
where:
domains is set to a comma separated list of domains for which the wildcard domain has to be valid,dns-cloudflare-credentials points to a file containing cloudflare credentials as per the Cloudflare DNS plugin for certbot documentation