Skip to content

Instantly share code, notes, and snippets.

Last active July 20, 2023 15:05
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save gilangvperdana/d974fb40b8c7f05f5f345ba3a3d93bdc to your computer and use it in GitHub Desktop.
Generate Wild Card TLS Certificate Cloudflare DNS Management


This tutorial tested on Ubuntu Server 20.04 with Cloudflare for DNS Management.


  • Make sure you have generated API Token with specific zone and DNS read & write permission.

Create cloudflare.ini

nano /root/cf/cloudflare.ini
# Cloudflare API credentials
#dns_cloudflare_email =
dns_cloudflare_api_token = yourCFAPITOKEN
sudo chmod 600 /root/cf/cloudflare.ini

Install Certbot

sudo apt install python3-virtualenv
python3 -m virtualenv certbot-env
source certbot-env/bin/activate
pip install certbot
pip install certbot certbot-dns-cloudflare
pip install --upgrade cloudflare

## Fix error `X509_V_FLAG_CB_ISSUER_CHECK` 
sudo rm -rf /usr/lib/python3/dist-packages/OpenSSL
sudo pip3 install pyopenssl
sudo pip3 install pyopenssl --upgrade
pip install --upgrade certbot
pip install --upgrade pip
pip freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip install -U
sudo apt remove certbot
sudo apt autoremove
sudo apt install certbot

Generate Wild Card

certbot certonly --manual --preferred-challenges=dns --dns-cloudflare --dns-cloudflare-credentials /root/cf/cloudflare.ini -d *

Not CF

sudo certbot certonly --manual --preferred-challenges=dns --email --server --agree-tos -d *.*


if you don't use cloudflare as the dns management, you can look for dns plugin packages for the wildcards of each provider.


If you implement an wildcard domain, you can use dynamic nginx block of server name (if you have an apps on Nginx Ingress K8s -> Just one IP Ingresses with different domain)

server {
    listen 80;
    server_name ~^(\w+)\.lab1\.domain\.com$;
    return 301 https://$host$request_uri;

server {
    listen 443 ssl;

    server_name ~^(\w+)\.lab1\.domain\.com$;
    ssl_certificate /root/cert/fullchain.pem;
    ssl_certificate_key /root/cert/privkey.pem;

    location / {
        proxy_set_header host $host;
  • These nginx block can dynamicly expose server name * on, so if you make an ingresses with new sub domain * on it's will automaticly expose publicly.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment