Certbot with DNS Cloudflare Plugin on Rocky 9/CentOS 9

The Cloudflare DNS plugin automates the process of completing a dns-01 challenge by creating and subsequently removing TXT records using the Cloudflare API.

The Goal

We want to generate wildcard TLS certificates (e.g. *.example.com) using Certbot and the Cloudflare DNS plugin.


The certbot-dns-cloudflare plugin requires a configuration file containing Cloudflare API credentials, obtained from your Cloudflare dashboard.


Install snapd

$ sudo yum install epel-release
$ sudo yum install snapd
$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap

Install Certbot

$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
$ sudo snap set certbot trust-plugin-with-root=ok

Install Cloudflare DNS Plugin

$ sudo snap install certbot-dns-cloudflare

Set up Cloudflare Credentials

Log in to the Cloudflare dashboard and obtain your API token. Save it in the file /root/.cloudflare.ini.

$ sudo cat /root/.cloudflare.ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
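
The credentials file holds a secret that can edit your DNS zone, and Certbot warns when other users on the system can access it. The following is an added example, not part of the original article: two shell helpers that create the file with owner-only permissions and audit it before Certbot runs. The function names are hypothetical and `stat -c` assumes GNU coreutils, as shipped on Rocky/CentOS.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; stat -c assumes GNU coreutils.

# Write the token (read from stdin, so it stays out of argv and shell history)
# to FILE, fixing the mode to 600 before any secret is written.
write_cf_credentials() {
    file=$1
    IFS= read -r token || [ -n "$token" ] || return 1
    ( umask 077; : > "$file" ) || return 1   # create/truncate, owner-only
    chmod 600 "$file" || return 1            # also fixes a pre-existing file
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file"
}

# Return 0 only if FILE is owner-only and uses a scoped API token.
check_cf_credentials() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 2; }

    mode=$(stat -c '%a' "$file")
    case $mode in
        600|400) ;;
        *) echo "FAIL: mode $mode; run: chmod 600 $file" >&2; rc=1 ;;
    esac

    # The legacy global API key grants full account access; prefer a token.
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
        echo "FAIL: global API key present; use dns_cloudflare_api_token" >&2
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$file"; then
        echo "FAIL: no dns_cloudflare_api_token entry" >&2
        rc=1
    fi
    return $rc
}

# Typical use as root:
#   write_cf_credentials /root/.cloudflare.ini   # paste token, press Enter
#   check_cf_credentials /root/.cloudflare.ini && echo OK
```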

Get a Wildcard Certificate

Acquire a wildcard certificate for *.example.com, waiting 60 seconds for DNS propagation. The address admin@example.com below is a placeholder; substitute your own.

$ sudo certbot certonly \
  --email admin@example.com \
  --agree-tos \
  --no-eff-email \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.cloudflare.ini \
  --dns-cloudflare-propagation-seconds 60 \
  -d "example.com" \
  -d "*.example.com"


