How I create my wildcard certificates using certbot

When I’m not using traefik to automagically manage my Let’s Encrypt certificates, this is my preferred way to create Let’s Encrypt wildcard certificates. I use the certbot cloudflare plugin in order to perform the DNS-01 challenge which is required in order to obtain the certificate.

First, I create the script in /etc/letsencrypt/

sudo certbot certonly -d,* --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare-mydomain.ini --preferred-challenges dns-01

and, if not already present, I also create the credentials file /etc/letsencrypt/cloudflare-mydomain.ini (replace the credentials by your cloudflare email and API key):

dns_cloudflare_email = ""
dns_cloudflare_api_key = "f4a800573c41858be35aaead4e73d741"

After that, you only have to run the script once:

bash /etc/letsencrypt/

If the process succeeds, your certificate will be in /etc/letsencrypt/live/ However you need to ensure to regularly run certbot renew in order to renew the certificates which are only valid for 3 months.

In our previous post How to automatically renew Let’s Encrypt certbot certs on Ubuntu we provide a simple solution to install a system service to automatically renew the certificates daily. It’s extremely easy to install using just a single command to install the systemd service.