Renew Let’s Encrypt Certificate using Cloudflare as a CDN

7 Min. Read

If you are running a website by using the nonprofit Certificate Authority (Let’s Encrypt) certificate, then you’re probably aware that you need to renew the certificate every 90 days, and you could also automate the renewing process every 60 days or so before the expiration date. Let’s Encrypt is a global Certificate Authority (CA) that lets people and organizations around the world obtain, renew, and manage SSL/TLS certificates.

When you want to renew, obtain or validate a Let’s Encrypt Certificate for a website behind Cloudflare, you’re likely going to run into connection and validation issues. This article will demonstrate how to successfully generate and renew Let’s Encrypt Certificate for a website that is using Cloudflare as a CDN.

Introduction

When you use Cloudflare, there are two parts to encrypt your website as shown in the figure below:

1) From the user’s browser to Cloudflare
2) From Cloudflare to your server

End-to-end encryption with Cloudflare
End-to-end encryption with Cloudflare

This means that you need two certificates for full encryption. Cloudflare automatically provides you with the first one. This is the one that a user sees if they check the URL padlock on your site.

Please note that if you secure one channel but not the other you reduce the attack surface but the setup is still vulnerable. Your website traffic is still flowing in plain text, be it between a browser and Cloudflare servers or Cloudflare servers and your origin server.

It’s just a matter of time, effort, and luck before someone intentionally or accidentally steals, hijacks impersonates, sniffs, eavesdrops, or man-in-the-middles.

Thus, you need to ensure the correct SSL mode is set in Cloudflare. There are multiple modes. In this example, we are using Full (strict) Encrypts end-to-end, but require a trusted CA (E.g Let’s Encrypt) or Cloudflare Origin CA certificate on the server. Along with that, you’d have to Disable Universal SSL. Since you’re not using the Cloudflare Universal SSL anymore and instead utilizing the SSLs stored on your server.

Now when you attempt to validate and renew your certificate, the Let’s Encrypt client by default utilizes the Domain Validation using Server Name Indication (DVSNI) method which is used for Automatic Certificate Management Environment (ACME) authentication.

The challenge with this method is, if you have a domain that has Cloudflare enabled, then the validation will fail because Cloudflare terminates SSL (TLS) at their edge and the ACME server will never see the certificate the client presents at the origin server.

To overcome this issue and complete the validation successfully when Cloudflare is enabled, there are a couple of options that you could use such as:

> Disable temporarily Cloudflare to generate and renew Let’s Encrypt certificate.

> Use alternate ACME validation methods, such as DNS or HTTP. Because Transport Layer Security (TLS) – Application-Layer Protocol Negotiation (ALPN) is incompatible with CDNs like Cloudflare.

In this guide, we will use the latter option since we need to automate the entire process, and we don’t want to disable Cloudflare to generate or renew the certificate even for a short period of time.

Prerequisites

To follow this article, you need to have the following:

1) If you haven’t already, sign up for a Cloudflare account for free. Cloudflare is a Content Delivery Network (CDN) that delivers your website or app content to internet users located anywhere in the globe.

2) A WordPress instance running on a Linux machine using Apache or NGNIX.

3) A WordPress site up and running with the Lego client installed. The Lego client simplifies the process of Let’s Encrypt certificate generation. You could use the following commands to install the Lego client. Note that you will need to replace the X.Y.Z placeholder with the actual version number of the downloaded archive file for Lego. At the time of this writing, we are using version 4.5.3 for Lego. These steps will download, extract and copy the Lego client to a directory in your path.

cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
tar xf lego_vX.Y.Z_linux_amd64.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego

Assuming you have all the prerequisites in place, take now the following steps:

Create a Cloudflare API Key or Token

First, you need to create an API key that has ‘Read’ access to the zone of your domain and permission to ‘Edit’ DNS in Cloudflare. API Tokens use the standard Authorization: Bearer header for authentication instead of (x-auth-email) and (x-auth-key) that API Keys use.

To create your API Token go to the ‘API Tokens’ section of your user profile which can be found at: https://dash.cloudflare.com/profile/api-tokens

On this page, you will find both a list of all of your API Tokens in addition to your Global API Key and Origin CA Key. To create your first API Token, select ‘Create Token’ as shown in the figure below.

Create Token
Create Token

On the create page there are two ways to create your token. You can create it from scratch through the ‘Create Custom Token’ option or you can start with a predefined template by selecting ‘Use template’. For this case, we will use the ‘Edit zone DNS’ template to create an API Token that can edit a single zone’s DNS records.

Edit zone DNS template
Edit zone DNS template

Once the template is selected, you need to pick a zone for the API Token to be scoped to. In this case, ‘charbelnemnom.com’ is selected as the Cloudflare zone that the API Token will be able to edit DNS records for.

Notice that the DNS Edit permission was already pre-selected. Enter a Token descriptive name, then add one more permission by giving zone Read access as shown in the figure below.

For added security, specify IP addresses or ranges of IP addresses to filter. This filter limits the client IP addresses that can use the API token with Cloudflare. In this case, we limited the client IP to a single address (origin server). We have blur-boxed the value for obvious reasons.

Token permissions
Token permissions

Once you select ‘Continue to the summary‘, you’re given a chance to review the selection. In this case, the resources and permissions are quite simple, but this gives you a chance to make sure you are giving the API Token exactly the correct amount of privilege before creating it.

Token summary
Token summary

Once created, you are presented with the API Token. This screen is the only time you will be presented with the secret so be sure to put the secret in a safe place! Anyone with this secret can perform the granted actions on the resources specified so protect it like a password. In the below screenshot, we have black-boxed the secret for obvious reasons. If you happen to lose the secret, you can always regenerate it from the API Tokens table so you don’t have to configure all the permissions again.

Token verify
Token verify

In addition to the secret itself, this page provides an example curl request that can be used to verify that the token was successfully created as shown in the figure below. We have black-boxed the bearer for obvious reasons.

Verify Cloudflare API Token
Verify Cloudflare API Token

Renew and Generate a Let’s Encrypt Certificate

Now before we proceed with the renewal or generate a let’s encrypt certificate, we need to stop Apache or NGINX instances depending on your installation.

Generate a Let’s Encrypt Certificate

If you want to generate a new certificate for your domain, browse to the Lego installation directory and then run the following command.

Remember to update the CLOUDFLARE_DNS_API_TOKEN value, domain name, and email address with your own values.

sudo CLOUDFLARE_DNS_API_TOKEN=B1oc04NmI3s3T6gGI1JEmoKHN47yjGopUYiOfxKI lego --dns cloudflare --domains domain.com --email paul.peterson@live.com --path="/opt/bitnami/letsencrypt" run

Then make sure to start Apache or NGINX instances depending on your installation.

Renew the Let’s Encrypt Certificate

Let’s Encrypt certificates are only valid for 90 days. To renew the certificate before it expires, browse to the Lego installation directory and then run the following commands from the server console.

Remember to update the CLOUDFLARE_DNS_API_TOKEN value, domain name, and email address with your own values.

sudo CLOUDFLARE_DNS_API_TOKEN=B1oc04NmI3s3T6gGI1JEmoKHN47yjGopUYiOfxKI lego --dns cloudflare --domains domain.com --email paul.peterson@live.com --path="/opt/bitnami/letsencrypt" renew --days 90

If you received the following message, then the validation and requesting certificates are succeeded with Cloudflare enabled.

Renew Let’s Encrypt Certificate
Renew Let’s Encrypt Certificate

Then make sure to start Apache or NGINX instances depending on your installation.

You can check the URL padlock on your site to verify that Let’s Encrypt Certificate is renewed and generated successfully as shown in the figure below. Please note that to verify the SSL for a site with Cloudflare enabled, you need to do host manning locally in your DNS server by providing your origin server public IP address to bypass Cloudflare DNS.

Certificate Information
Certificate Information

Last but not least, to automatically renew your certificates before they expire, you need to write a script to perform the above tasks and schedule a cron job to run the script periodically (E.g every 60 days). Take the following steps:

Create a script at the following path, you can change the path based on your installation.

sudo mkdir -p /opt/bitnami/letsencrypt/scripts
sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

GNU nano editor will open, enter the following content into the script and save it depending on if you have Apache or NGINX.

Please remember to replace the CLOUDFLARE_DNS_API_TOKEN value, DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.

For Apache:

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
cd /opt/bitnami/letsencrypt/
sudo CLOUDFLARE_DNS_API_TOKEN=B1oc04NmI3s3T6gGI1JEmoKHN47yjGopUYiOfxKI lego --dns cloudflare --domains domain.com --email paul.peterson@live.com --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

For NGINX:

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop nginx
cd /opt/bitnami/letsencrypt/
sudo CLOUDFLARE_DNS_API_TOKEN=B1oc04NmI3s3T6gGI1JEmoKHN47yjGopUYiOfxKI lego --dns cloudflare --domains domain.com --email paul.peterson@live.com --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start nginx

Then press Ctrl+X to save the script and exit the nano editor.

Next, you need to make the script executable by running the following command:

sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

Next, execute the following command to open the crontab editor.

sudo crontab -e

Choose the easiest nano editor by selecting 1.

And finally, add the following lines to the crontab file and then press Ctrl+X to save it and exit the nano editor.

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

[0 0 1 * *] is equivalent that the script will run automatically once a month at midnight on the first day of the month to renew the Let’s Encrypt Certificate.

Summary

In this guide, we showed you how to renew and generate the Let’s Encrypt Certificate for a website using Cloudflare as a CDN without turning off Cloudflare.

As soon as Cloudflare observed the renewal certificate on the origin server, you will receive a message stating that Cloudflare has observed the issuance of the following certificate for your domain.

Certificate Transparency Monitoring
Certificate Transparency Monitoring

Please note that this requires having the Certificate Transparency Monitoring enabled in Cloudflare to receive an email when a Certificate Authority issues a certificate for your domain.

That’s it there you have it!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts

Previous

Automate Azure VMs Restore with Azure Backup

Passing the Microsoft Sentinel Ninja Training

Next

Let me know what you think, or ask a question...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!

The content of this website is copyrighted from being plagiarized!

You can copy from the 'Code Blocks' in 'Black' by selecting the Code.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!