Using Cloudflare API Token requires version 2.3.1 of the python module cloudflare.
[Note : Ubuntu / Debian packages likely do not support this version. You should uninstall the provided packages (python3-acme python3-certbot certbot python3-certbot-nginx python3-certbot-dns-cloudflare) and use pip3 instead]
Install the required certbot python modules using the pip3 installer
pip3 install --upgrade pip
pip3 install certbot acme certbot-dns-cloudflare certbot-nginx
Confirm certbot is working
Note : you may need to check where it has been installed (which certbot) and call the direct path.
certbot --version
Generate new Cloudlfare API Token with the required Zone:Zone:Read and Zone:DNS:Edit permissions. This must be applied to all zones in your account.
Store your Cloudflare Token in a secure file.
sudo mkdir /root/.cloudlfare
sudo bash -c 'cat <<EOF > /root/.cloudflare/credentials.ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = <YOUR_TOKEN_HERE>
EOF'
sudo chmod 400 /root/.cloudflare/credentials.ini
sudo chmod 600 /root/.cloudflare
Register a new domain registration with Let's Encrypt
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare/credentials.ini -n -d *.<YOUR_DOMAIN_HERE> --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --email <YOUR_EMAIL_HERE>
Reload your web service (apache or nginx)
Create a cronjob to automatically renew the let's Encrypt certificates
sudo bash -c 'cat <<EOF > /etc/cron.d/certbot
0 */12 * * * root certbot -q renew --renew-hook 'service nginx reload' >> /var/log/letsencrypt/renew.log
EOF'