Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
script to install latest certbot with cloudflare dns-01 challenge plugin (for debian 9/stretch)
# Check if user has root privileges
if [[ $EUID -ne 0 ]]; then
echo "You must run the script as root or using sudo"
exit 1
## Reconfigure Dash
echo "dash dash/sh boolean false" | debconf-set-selections
dpkg-reconfigure -f noninteractive dash > /dev/null 2>&1
apt-get update && apt install lsb-release bash debhelper apt-transport-https -y
# get requirements for certbot to grab certs through cloudflare
apt-get install python-pip python-virtualenv python-dev build-essential libssl-dev libffi-dev -y
echo "# certbot with acme v2
deb sid main contrib non-free
deb-src sid main contrib non-free" >> /etc/apt/sources.list
apt-get -t sid install certbot -y
sleep 3
cd /root
git clone
cd certbot
python install
cd certbot-dns-cloudflare
python install
# check if it worked
sleep 1
echo Et voila:
sleep 1
certbot --version
# and now, to install wildcard certs via cloudflare dns-001, do this in one line:
# certbot certonly --server --rsa-key-size 4096 --dns-cloudflare --dns-cloudflare-credentials ~/.ssh/certapi --dns-cloudflare-propagation-seconds 90 -d,*
# Note that --dns-cloudflare-credentials ~/.ssh/certapi is just the file-location I gave as an example.
# /root/.ssh/certapi looks like this:
# #Cloudflare API creds
# dns_cloudflare_email = your@cloudflare.login
# dns_cloudflare_api_key = look-for-this-key-in-your-account-settings-at-cloudflare
# Note that you have to add the naked domain too if you want to have that secured as well (usually you do),
# I don't know why they haven't defaulted with that for wildcard issuance.
# !!! P.S. Be sure to comment the "sid" entries out in /etc/apt/sources.list
# or you'll cause dependency hell with future python installs !!!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.