Why switch from HTTP-01 challenge to DNS-01 challenge?
I needed to change the challenge to fix a known issue while proxying the website via Cloudflare as part of my blog improvements.
Please refer to the link above for more details; if you are in a hurry, here's the gist of the issue.
When you use Cloudflare to proxy the website and Letsencrypt to generate the certificates, certbot by default uses the http-01 challenge, which fails because the IP address Cloudflare presents for the proxied site differs from the IP of the actual host machine.
To fix this, we need to switch to the dns-01 challenge, so the letsencrypt certbot can create and verify DNS records to authenticate the challenge.
Switching from HTTP-01 to DNS-01 challenge
Follow the steps below to make the challenge switch.
The commands below are specific to my virtual machine running Ubuntu 18.04 with Nginx and the letsencrypt certbot plugin for nginx, logged in as a non-root user with sudo privileges.
Please make the necessary tweaks for your own setup.
Creating the Cloudflare secrets file
Letsencrypt certbot needs a Cloudflare API token to create the DNS records required for validation. First you need to copy the Cloudflare API token from your account.
Copy your secrets from your Cloudflare account
Log in to your Cloudflare account profile, API section, via the link below.
- Click on the Create Token button and select Create Custom Token to get started.
- Enter a name for the token, say Yourdomain Letsencrypt token.
- Under Permissions, select Zone and create.
- Under Zone Resources, select Include, All Zones from an account; this is required by Letsencrypt.
- Then proceed to view the summary and save the token; copy it and keep it safe.
Create a secrets file in your machine
On your machine, create a secrets file (.ini) called cloudflare.ini at ~/.secrets/certbot/cloudflare.ini and paste your token from the previous step in the format below.
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
Installing the certbot-dns-cloudflare plugin as root user
Before you configure certbot to use the DNS-01 challenge, you need to install the certbot-dns-cloudflare plugin as the root user.
Switch to the root user with su and install certbot-dns-cloudflare using pip:
pip install certbot-dns-cloudflare
Exit from su and switch back to the non-root user with sudo privileges.
Configuring certbot to use the DNS-01 challenge
Copy the command below, edit the path to your secrets file, change raghuspeaks.com to your own domain, and add every domain for which you want to switch to the DNS-01 challenge using the -d attribute as shown below.
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--dns-cloudflare-propagation-seconds 60 \
-d raghuspeaks.com
The --dns-cloudflare attribute tells certbot which authentication mechanism to use, --dns-cloudflare-credentials provides the Cloudflare secrets file, and --dns-cloudflare-propagation-seconds instructs certbot to wait 60 seconds for the DNS records to propagate.
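Before running the command above, it is worth checking the secrets file created earlier, since the token in it can edit DNS for every zone in the account. The shell function below is an added example, not part of the original post: it verifies that the file is readable only by its owner (certbot itself warns about unsafe permissions on this file) and that the dns_cloudflare_api_token key is present with a non-empty value. The path ~/.secrets/certbot/cloudflare.ini is the one used in this post; the sample token in the comments is constructed.

```shell
#!/bin/sh
# Sanity-check the Cloudflare credentials file used by certbot-dns-cloudflare.
# Usage: check_secrets_file ~/.secrets/certbot/cloudflare.ini
# Returns 0 when the file passes, 1 otherwise (reason printed to stderr).
check_secrets_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Read the permission string from ls -l (portable across Linux and BSD);
    # cut -c1-10 drops any trailing ACL/SELinux marker such as '+' or '.'.
    mode=$(ls -l "$f" | cut -c1-10)
    case "$mode" in
        -rw-------) ;;   # 0600: only the owner can read the token
        *) echo "unsafe permissions ($mode) on $f; run: chmod 600 $f" >&2; return 1 ;;
    esac
    # Extract the value of dns_cloudflare_api_token (last occurrence wins,
    # matching how an ini file overrides repeated keys); it must be non-empty.
    token=$(sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
    [ -n "$token" ] || { echo "dns_cloudflare_api_token not set in $f" >&2; return 1; }
    return 0
}

# When run as a script with a path argument, check that file and exit non-zero on failure.
if [ $# -gt 0 ]; then
    check_secrets_file "$1" || exit 1
fi
```

Once the file passes, `sudo certbot renew --dry-run` exercises the DNS-01 renewal path against the Letsencrypt staging environment without issuing a real certificate.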
That's it! Your Letsencrypt certbot has been switched from the http-01 challenge to the dns-01 challenge, and your certificates will be auto-renewed irrespective of your Cloudflare proxy status.