Prepare
# Pick the line for your package manager (yum-based or apt-based system).
sudo yum -y install nginx certbot
sudo apt -y install nginx certbot
Single domain certificate
Request a single-domain certificate
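# certonly only obtains the certificate; nginx is not reconfigured.
# Run as root (sudo, as in the commands below): certbot writes /etc/letsencrypt.
# Manual (interactive) challenge:
sudo certbot certonly --manual -d test.ydam.ooo
# Without --manual, certbot prompts for which authenticator to use:
sudo certbot certonly -d test.ydam.ooo
# nginx default document root (usable as --webroot -w): /usr/share/nginx/html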
https://certbot.eff.org/docs/using.html?highlight=renew#changing-a-certificate-s-domains
Auto renew
Edit /etc/crontab and add the following line:
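# /etc/crontab is the system crontab: a user field ("root") is required between
# the five schedule fields and the command. Use the absolute path, because cron
# runs with a minimal PATH. --deploy-hook runs only after a successful renewal
# (--renew-hook is its deprecated name); --quiet keeps cron from mailing output.
43 6 * * * root /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"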
https://serverfault.com/questions/790772/cron-job-for-lets-encrypt-renewal
Wildcard certificate
Request a wildcard certificate
Save the Cloudflare API credentials in a cloudflare.ini file (format below) and place it at /root/.secrets/cloudflare.ini
cloudflare.ini
# Credentials read by certbot-dns-cloudflare: account email plus the Global API
# Key, which grants full access to the whole Cloudflare account. The plugin also
# accepts a scoped API token instead (`dns_cloudflare_api_token = ...`, needing
# only Zone:DNS:Edit on the relevant zone), which limits the impact if this file
# is ever exposed. Replace the example values with your own.
dns_cloudflare_email = example@example.com
dns_cloudflare_api_key = example
The directory and file must be accessible only by root:
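# Mode bits alone do not make the secret root-only if another user owns the
# file, so fix ownership first, then restrict the directory and the file.
sudo chown root:root /root/.secrets /root/.secrets/cloudflare.ini
sudo chmod 0700 /root/.secrets/
sudo chmod 0400 /root/.secrets/cloudflare.ini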
Install certbot-dns-cloudflare
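# Debian/Ubuntu: use the Python 3 plugin packages consistently
# (python-certbot-nginx is the Python 2 package name).
sudo apt-get install -y certbot python3-certbot-nginx python3-certbot-dns-cloudflare
# The domain list is quoted: an unquoted '*' is a shell glob and can be
# expanded against file names in the current directory.
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
  --preferred-challenges dns-01 \
  -d 'ydam.org,*.ydam.org'
# Manual alternative (interactive DNS TXT challenge; renewal must be repeated
# by hand unless manual auth hooks are configured):
# certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory -d '*.ydam.top' -d ydam.top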
Auto renew with Cloudflare
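# Test the renewal path end to end against the staging server (no real
# certificate is saved). Needs root to read /etc/letsencrypt, like the
# other certbot commands above.
sudo certbot renew --dry-run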
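# crontab entry. If it goes into /etc/crontab instead of root's `crontab -e`,
# insert the user field "root" after the five schedule fields. --deploy-hook
# runs only after a successful renewal; --renew-hook is its deprecated name.
14 5 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"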