Origin Certificate x Let's Encrypt 3-month cert

I have a wildcard on server1 issued to domain and www.domain.

Also, I am trying to install a CRM app on server2 using a subdomain of server1, having created an A record for the new IP:

subdomain.domain.app > new IP.

Have you tried using certbot's DNS-based verification? This requires the certbot-dns-cloudflare plugin (I installed it via snap). Here's how I do the certificate for my VPS:

certbot certonly --rsa-key-size 4096 --must-staple --dns-cloudflare --dns-cloudflare-credentials ~/cloudflare.ini -d example.com -d *.example.com

This gives a certificate for example.com and *.example.com covering all first-level subdomains. If you have multiple domains you can include them all.

You'll need to generate a Cloudflare API token in your profile & give it "Edit zone DNS" permission. Then put the token in cloudflare.ini like this:


Be careful with the token, obviously.

(I use "certonly" mode & then edit my Apache configuration manually because I don't really like it getting messed with without my oversight.)


@user4358 thanks, I will try it.

Do I need to edit -size 4096?

Your preference; I use 4096-bit in order to get 100% on the SSL Labs security test, but the default is probably good enough for most purposes.


Could you be so kind as to say in which directory I have to create the credentials file? Yours is /root/cloudflare.ini.
I am reading the plugin documentation

…but not really experienced with this… thanks a million for the help.

PS: I double-checked and my server1 is already using a Cloudflare cert. Server2, which will have one subdomain of the domain on server1, will now have to contain the credential, but I am thinking I don't need to issue a wildcard anymore…

Put the credentials file wherever you want. I keep it in my home directory on my server, with the file permissions set to 600. It's an API key, so you don't want anybody to be able to access it.
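Putting the two answers above together (the certonly command with the DNS plugin, and the advice to keep the credentials file at mode 600), here is an added example that is not code from anyone in this thread. It writes the credentials file so that it is 0600 from the moment it is created (rather than written world-readable and chmod'ed afterwards), refuses to run certbot if the permissions or the expected key are wrong, and then issues the same apex + wildcard request. The `dns_cloudflare_api_token` key is the one the certbot-dns-cloudflare plugin documents for API tokens; the path, token value and example.com domain are placeholders (assumptions).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes certbot and the
# certbot-dns-cloudflare plugin are installed and that the script runs as root
# when it reaches certbot. Token, path and domain below are placeholders.

write_cf_credentials() {
    # $1 = credentials path, $2 = Cloudflare API token (scoped to Zone:DNS:Edit).
    # The subshell umask makes the file 0600 as it is created, so the token is
    # never briefly readable by other users; chmod afterwards is belt and braces.
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" ) || return 1
    chmod 600 "$1"
}

check_cf_credentials() {
    # Returns 0 only if the file exists, is mode 600 and carries the key the
    # plugin expects (certbot itself warns about world-readable credential files).
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    [ "$mode" = "600" ] || return 1
    grep -q '^dns_cloudflare_api_token = .' "$1"
}

request_wildcard_cert() {
    # $1 = credentials path, $2 = apex domain (e.g. example.com).
    # Refuse to start if the token file is missing or too permissive.
    check_cf_credentials "$1" || { echo "credentials file missing or too permissive: $1" >&2; return 1; }
    # DNS-01 via the Cloudflare API; no port 80/443 needed on the host, which is
    # what makes this work for a subdomain served from a second server.
    certbot certonly \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$1" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$2" -d "*.$2"
}

# Example run (placeholders; pass the real token in via the environment):
# write_cf_credentials "$HOME/cloudflare.ini" "$CF_API_TOKEN"
# request_wildcard_cert "$HOME/cloudflare.ini" example.com
```

Because the challenge is answered through the Cloudflare API rather than over HTTP, the same token file works on server2 even though that host only serves one subdomain; the wildcard from `-d '*.example.com'` still covers only first-level labels, so `m.example.com` is included but `a.b.example.com` would not be.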

After getting the certificate using the appointed Cloudflare API, I started getting Error 523 not only on the subdomain but on the domain too.
If I turn on Cloudflare, error 523.
If I pause it, then sometimes 502 for the sub and OK for the domain; nslookup also finds the CNAME and so on.
domain: theapothecary.app
sub: m.theapothecary.app

thanks for helping.

