Configuring Let's Encrypt with DNS-01 challenge on Debian 10 Buster

While setting this up, I ran into a lot of issues with DNS service APIs not matching what was available in the buster repository and in other scripts that I tried. These are my notes on how to set up Let's Encrypt with a DNS-01 challenge, but the most important part is just knowing what works. I don't want to name the services and tools that didn't, as I expect they'll be updated soon, but as of this writing, if you want things to go quickly and easily, I recommend Cloudflare for DNS, certbot, and python3-certbot-dns-cloudflare.


You can create a Cloudflare account for free. Create a record for the domain for which you want to create a certificate. The domain I was configuring is only used internally, but certbot requires a pre-existing record, so I created a TXT record.


Install Certbot and the Cloudflare DNS plugin:


sudo apt update
sudo apt install certbot python3-certbot-dns-cloudflare


Retrieve your Global API key from Cloudflare. The Cloudflare API supports tokens, but the current version of python3-certbot-dns-cloudflare in Buster does not.


Create /home/username/certbot/cloudflare.ini:


# Cloudflare API credentials used by Certbot
dns_cloudflare_email = your@email.addr
dns_cloudflare_api_key = 111111111111111111111111111111
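
The Global API key gives full access to the Cloudflare account, so cloudflare.ini should be readable only by its owner before certbot is run. The script below is an added example, not part of the original notes or of certbot; file_mode, check_cf_credentials, harden_cf_credentials and demo are hypothetical helper names, and the values written by demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the Certbot Cloudflare credentials file before use.
# All function names here are hypothetical helpers, not part of certbot.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is safe to pass to --dns-cloudflare-credentials.
#   1 = missing, 2 = symlink, 3 = group/other access, 4 = required key absent
check_cf_credentials() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ ! -L "$f" ] || { echo "refusing symlink: $f" >&2; return 2; }
    mode=$(file_mode "$f")
    # Both trailing octal digits (group, other) must be zero.
    case $mode in
        0|*00) ;;
        *) echo "mode $mode on $f exposes the API key to other users" >&2; return 3 ;;
    esac
    for key in dns_cloudflare_email dns_cloudflare_api_key; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$f" ||
            { echo "$key is not set in $f" >&2; return 4; }
    done
    return 0
}

# Restrict the file to its owner, then re-run the audit.
harden_cf_credentials() {
    chmod 600 "$1" && check_cf_credentials "$1"
}

# Demo on a constructed file (placeholder values, not real credentials):
# created world-readable, audited, hardened, audited again.
demo() {
    d=$(mktemp -d) && f=$d/cloudflare.ini
    printf '%s\n' 'dns_cloudflare_email = your@email.addr' \
        'dns_cloudflare_api_key = 111111111111111111111111111111' > "$f"
    chmod 644 "$f"
    before=0; check_cf_credentials "$f" 2>/dev/null || before=$?
    after=0; harden_cf_credentials "$f" 2>/dev/null || after=$?
    rm -rf "$d"
    echo "before=$before after=$after"
}
```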



Create the certificate:


sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /home/username/certbot/cloudflare.ini -d YOUR_DOMAIN



The certificate is saved to:




The key is saved to:




