CentOS 7: use certbot to register SSL certificate for multiple domains with Cloudflare


Install certbot

Step 1-5: CentOS 7: install certbot to register wildcard SSL certificate

Using certbot to register SSL certificate for multiple domains

Step 6: Confirm plugin containment level

sudo snap set certbot trust-plugin-with-root=ok

Step 7: Install correct DNS plugin for Cloudflare

sudo snap install certbot-dns-cloudflare

Result:

[root@tutorialspots ~]# sudo snap set certbot trust-plugin-with-root=ok
[root@tutorialspots ~]# sudo snap install certbot-dns-cloudflare
certbot-dns-cloudflare 1.28.0 from Certbot Project (certbot-eff✓) installed

Step 8: Set up credentials

Create the file ~/.secrets/certbot/cloudflare.ini with the following content:

dns_cloudflare_email = youremail@gmail.com
dns_cloudflare_api_key = f6438adcdxxxxxxxxxxxxxxxxfef7f3

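You can create it with these commands:

# Use a restrictive umask so the directories and the file are never readable by other users
(
  umask 077
  mkdir -p ~/.secrets/certbot
  echo -e "dns_cloudflare_email = youremail@gmail.com\ndns_cloudflare_api_key = f6438adcdxxxxxxxxxxxxxxxxfef7f3" > ~/.secrets/certbot/cloudflare.ini
)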

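Make sure the file is readable and writable only by its owner (mode 0600). Certbot prints "Unsafe permissions on credentials configuration file" when other users can access it: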

chmod 0600 ~/.secrets/certbot/cloudflare.ini
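
A pre-flight check for the credentials file from Step 8, written for this page as an added example (it is not part of the original tutorial or of certbot). The function name check_cf_credentials and the sample file contents are assumptions; the advisory about dns_cloudflare_api_token refers to the plugin's alternative credential setting, which takes a Cloudflare API token that can be scoped to DNS edits instead of the account-wide global key.

```bash
# Added example: pre-flight audit of a certbot DNS credentials file.
# check_cf_credentials is a hypothetical helper, not part of certbot.
# Uses GNU stat (-c), as shipped on CentOS 7.
check_cf_credentials() {
    file=$1
    rc=0
    # A symlink could point the plugin at a file someone else controls.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 1
    fi
    # Any group/other permission bit lets other local users read the API key.
    mode=$(stat -c '%a' "$file")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $file has mode $mode, expected 600 or stricter"
        rc=1
    fi
    # The file should belong to the account that runs certbot.
    if [ "$(stat -c '%u' "$file")" != "$(id -u)" ]; then
        echo "FAIL: $file is not owned by the current user"
        rc=1
    fi
    # A group/other-writable parent directory allows the file to be replaced.
    dmode=$(stat -c '%a' "$(dirname "$file")")
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: parent directory has mode $dmode (group/other writable)"
        rc=1
    fi
    # Advisory only, does not change the exit status.
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
        echo "WARN: global API key in use; a scoped dns_cloudflare_api_token limits the impact of a leak"
    fi
    return $rc
}

# Constructed sample file for demonstration; the key is a placeholder.
demo_dir=$(mktemp -d)
printf 'dns_cloudflare_email = user@example.com\ndns_cloudflare_api_key = PLACEHOLDER\n' \
    > "$demo_dir/cloudflare.ini"
chmod 644 "$demo_dir/cloudflare.ini"
check_cf_credentials "$demo_dir/cloudflare.ini" || echo "Fix the findings above before running certbot"
rm -rf "$demo_dir"
```

Run it against ~/.secrets/certbot/cloudflare.ini as the user that runs certbot; a non-zero exit status means at least one FAIL line was printed.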

Step 9: Register an SSL certificate for multiple domains

certbot certonly \
  --agree-tos \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 30 \
  -d domain1.com -d domain2.com -d domain3.com -d domain4.com

Result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for domain1.com and 9 more domains
Unsafe permissions on credentials configuration file: /root/.secrets/certbot/cloudflare.ini
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain1.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/domain1.com/privkey.pem
This certificate expires on 2022-09-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

To renew or expand the certificate:

certbot certonly \
  --agree-tos \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 30 \
  -d domain1.com -d domain2.com -d domain3.com -d domain4.com -d \*.domain1.com

Result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/domain1.com.conf)

It contains these names: domain1.com, domain2.com, domain3.com,
domain4.com

You requested these names for the new certificate: domain1.com, domain2.com, domain3.com,
domain4.com, *.domain1.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for domain1.com and 14 more domains
Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain1.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/domain1.com/privkey.pem
This certificate expires on 2022-09-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
