Let’s Encrypt DNS challenge with acme.sh and CloudFlare

1 min read

I wrote a small blog post about getting free SSL certificates using Let’s Encrypt. It required outside access for the validations process to work. But now I needed SSL certificates for my local services without public access, this turned out to be very easy using acme.sh DNS challenge and CloudFlare DNS.

First we install it. Notice that I do this as root.

#curl https://get.acme.sh | sh

Then we export two variables needed for the CloudFlare DNS challenge to work. Replace your@mail.com and edfgdfgdfgd with your own values from CloudFlare.

#export CF_Key="edfgdfgdfgd"
#export CF_Email="your@mail.com"

Finally we request the certificate. Replace yourdomain.com with your own domain.

#cd ~/.acme.sh
#./acme.sh --issue --dns dns_cf -d yourdomain.com

This also sets up a cronjob to automatically renew the certificate, you can do an crontab -e to see it. Now that we have a certificate, we can use the same script to install it to a webserver, e.g. NGINX. Again, replace yourdomain.com with your own domain and make sure the key-file and fullchain-file matches that of your NGINX configuration.

#./acme.sh --install-cert -d yourdomain.com \
--cert-file /etc/nginx/ssl/yourdomain.com.cer \
--key-file /etc/nginx/ssl/yourdomain.com.key  \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd "service nginx force-reload"

Thats it! Now you have an automatically renewable SSL certificate that works on local networks that are not accessible from the internet.

↑ back to top