Renewing Certificates with Cloudflare DNS

certbot can be used alongside Cloudflare to validate domain ownership through DNS TXT records instead of HTTP challenges. The advantage is that no inbound ports have to be opened, so validation can be performed from well behind a firewall and only requires that certbot is able to make outbound connections. Likewise, if there are multiple proxies on the network and a complicated routing setup, DNS validation avoids the proxies conflicting with each other over who answers the challenge.

First, the Cloudflare DNS plugin for certbot has to be installed:

apt install python3-certbot-dns-cloudflare

Next, the following example /etc/letsencrypt/cli.ini file should renew the domain domain.tld using Cloudflare DNS validation:

# Set email and domains.
email = office@domain.tld
domains = domain.tld,www.domain.tld,...

dns-cloudflare
dns-cloudflare-credentials = /etc/letsencrypt/cloudflare.ini
dns-cloudflare-propagation-seconds = 60

where:
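The credentials file named by dns-cloudflare-credentials holds an API secret, so it is worth checking before the first run that it is not readable by other users and that it actually contains a token line. The following shell script is an added example, not part of the original page or of certbot; it assumes the file uses the plugin's dns_cloudflare_api_token key (a scoped API token rather than the global API key) and that the host has GNU coreutils, as the apt command above implies. The sample files it creates use a placeholder token, not a real one.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the credentials
# file referenced by dns-cloudflare-credentials before running certbot.
# Assumptions: the file uses the plugin's "dns_cloudflare_api_token" key
# (a scoped API token rather than the global API key), and the host has
# GNU stat (Debian/Ubuntu, matching the apt command on the page).

# check_cloudflare_creds FILE
# Exit status 0 when FILE exists, is not group/world readable, and
# contains a dns_cloudflare_api_token line; non-zero otherwise.
check_cloudflare_creds() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # Octal mode; certbot itself warns about unsafe permissions on this file.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "unsafe permissions $mode on $f (expected 600)" >&2; return 2 ;;
    esac
    grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f" \
        || { echo "no dns_cloudflare_api_token line in $f" >&2; return 3; }
    return 0
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
good="$demo_dir/cloudflare.ini"
bad="$demo_dir/cloudflare-open.ini"
printf 'dns_cloudflare_api_token = EXAMPLE_TOKEN_PLACEHOLDER\n' > "$good"
chmod 600 "$good"
cp "$good" "$bad"
chmod 644 "$bad"
check_cloudflare_creds "$good" && echo "ok: $good"
check_cloudflare_creds "$bad" || echo "rejected: $bad"
rm -rf "$demo_dir"
```

Run the check against /etc/letsencrypt/cloudflare.ini on the real host (as root, since the file should be mode 600) before invoking certbot; a non-zero exit points at the exact problem, which is easier to spot here than in certbot's own output during a renewal.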