
You’ve set up a nifty home server, perfect for hosting your internal dashboards, file storage, or even your personal blog. There’s just one hiccup—your server isn’t accessible from the Internet. How then do you secure it with an SSL certificate? Fear not! I’ve found myself in a similar situation, and I’ve got a surefire solution for you. In this article, we’ll explore how to use Certbot and the DNS challenge method to get an SSL certificate for a home server that’s not publicly accessible.

Introduction

Setting up a home server opens up a world of possibilities, from hosting your own website to managing your personal cloud. However, security should never be an afterthought. One of the fundamental steps in ensuring the security of your server is implementing an SSL certificate. An SSL certificate encrypts the data between your server and its users, enhancing the overall security profile.

The challenge lies in the mandatory domain-validation step that the Certificate Authority (CA) requires before it issues an SSL certificate; in this guide that validation is done through the Domain Name System (DNS). The step proves that you control the domain name linked to your server. This is straightforward for servers that are already online and reachable from the public internet, but what about home servers that are not exposed to the internet at all?

That’s where this guide comes in. We’ll delve into how to set up an SSL certificate for your home server using Certbot, a widely-used certificate management tool, in conjunction with the Certbot-DNS-Cloudflare plugin. While this article focuses on servers whose domain names are managed by Cloudflare, similar plugins are available for other providers like DigitalOcean. So let’s get started on fortifying your home server’s security.

Prerequisites

Before diving into the installation process, it’s essential to make sure you have the following prerequisites met:

  1. Domain Name and Cloudflare Account: You should already have a domain name registered and managed through Cloudflare. If you haven’t set this up yet, please do so before continuing.

  2. Ubuntu or Similar OS: This guide is tailored for Ubuntu and similar operating systems like Debian. Ensure you have one of these operating systems installed on the server where you plan to deploy your SSL certificate.

  3. Root or Sudo Access: You’ll need root or sudo access to your server to execute many of the commands required for this installation.

Once you’ve checked off these prerequisites, you’re all set to proceed with installing Certbot and Certbot-DNS-Cloudflare.

Let’s begin


Installing Certbot and the Cloudflare DNS plugin on Ubuntu (and similar operating systems like Debian) becomes a breeze when using snapd, which is the recommended method according to the official Certbot website. Before proceeding, make sure snapd is installed on your system. Start by removing any older versions of Certbot. Then, install both Certbot and its Cloudflare DNS plugin, and create a symbolic link for easy access to the certbot command.

Note: The commands below offer a streamlined way to quickly install Certbot and the Cloudflare DNS plugin. If you’d like a more detailed explanation of each command and the installation process, you can refer to my other article here, which delves into how to properly install Certbot and the Cloudflare DNS plugin.

Install Certbot:

sudo apt remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install the Cloudflare DNS plugin for Certbot:

sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare

By following these streamlined steps, you’ll have certbot and certbot-dns-cloudflare almost ready to secure your domains with SSL certificates.


Using an API token is generally considered more secure and recommended over using the global API key. With a token, you can limit the permissions and scope of the API access, thereby reducing the potential impact if the token is ever compromised. Using a token is an excellent way to follow the principle of least privilege by only granting the permissions needed to perform DNS validation. This is particularly advantageous in a home server environment.

Log in to your Cloudflare dashboard.

Go to My Profile → API Tokens → Create Token.

Use the Edit Zone DNS template.

Limit permissions and scope to just the domain you are generating the SSL certificate for.

Click Continue to Summary, and then Create Token.

Copy the generated token immediately, as you won’t be able to view it again.

Note: You should protect these API credentials as you would the password to your Cloudflare account.


We’ll need to set up the Cloudflare credentials appropriately for the certbot-dns-cloudflare plugin to work. This is where we’ll safely store our Cloudflare API token.

Create the directory that will hold the credentials (it does not exist by default), then open a text editor to create the credentials file:

mkdir -p ~/.secrets/certbot
sudo nano ~/.secrets/certbot/cloudflare.ini

Add the following line:

dns_cloudflare_api_token = "your-token-here"

Secure the file:

sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
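The two commands above create the file and then tighten its permissions, which leaves a short window in which the token sits in a world-readable file. The script below is an added example (not part of the article or of the certbot project): it creates the credentials file with a restrictive umask so it is 0600 from the start, and then checks mode and content before the file is handed to certbot. Certbot only warns when the file is readable by others; this check refuses instead. The file path, token value and the `write_cloudflare_creds`/`check_cloudflare_creds` helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): create the certbot-dns-cloudflare
# credentials file so that it is never world-readable, then verify it before
# running certbot. Path and token value are constructed for the example.
set -eu

# write_cloudflare_creds FILE TOKEN
write_cloudflare_creds() {
  file=$1 token=$2
  mkdir -p "$(dirname "$file")"
  chmod 700 "$(dirname "$file")"
  # umask 077 means the file is created as 0600: no window where others can read it
  ( umask 077 && printf 'dns_cloudflare_api_token = "%s"\n' "$token" > "$file" )
}

# file_mode FILE -> three-digit octal mode (GNU stat first, BSD stat as fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cloudflare_creds FILE -> prints "ok" and returns 0, else a reason and 1
check_cloudflare_creds() {
  file=$1
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  mode=$(file_mode "$file")
  case "$mode" in
    *00) ;;   # group and other bits are clear (600, 400, 700 all pass)
    *) echo "insecure mode $mode on $file (expected 600)"; return 1 ;;
  esac
  # Cloudflare API tokens are long alphanumeric strings; a leftover placeholder
  # such as "your-token-here" is caught here rather than at the ACME challenge
  grep -Eq '^dns_cloudflare_api_token *= *"?[A-Za-z0-9_-]{20,}"?[[:space:]]*$' "$file" \
    || { echo "no usable dns_cloudflare_api_token in $file"; return 1; }
  echo ok
}

# Typical use with the article's path; run certbot only when the check passes:
# write_cloudflare_creds ~/.secrets/certbot/cloudflare.ini "$CF_TOKEN"
# check_cloudflare_creds ~/.secrets/certbot/cloudflare.ini && sudo certbot certonly ...
```

Because the shell expands `~` before `sudo` runs, the file ends up under your own home directory either way; the check is worth running as the same user that later invokes certbot, so that `~` resolves to the same place.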

Run the following command to generate a wildcard SSL certificate for your domain and subdomains:

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  -d "example.com,*.example.com"

Note: The above command is broken down into multiple lines for easier readability. In practice, it is a single command line entry.

Note: Be sure to replace -d "example.com,*.example.com" with your own domain name. The example.com is for the root domain, while *.example.com is a wildcard that covers all subdomains. You can choose to use either or both depending on your needs.

Follow the on-screen instructions. Certbot will automate the DNS challenge process. And voila! You now have a secure home server with a valid SSL certificate, despite it being inaccessible from the Internet.
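Before pointing a web server at the new files, it is worth confirming what certbot actually wrote under /etc/letsencrypt/live/<name>/. The script below is an added example (not the article's own commands): it lists the names in the certificate's subjectAltName extension, computes the days until expiry, and verifies that privkey.pem really belongs to fullchain.pem, using only openssl and date. The `check_lineage` helper name and the minimum-days threshold are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the article): inspect the certificate certbot issued
# before a service starts using it. Paths follow certbot's live/<name> layout.
set -eu

# cert_sans CERT -> one DNS name per line from the subjectAltName extension
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^,]*' \
    | sed 's/^DNS://'
}

# cert_days_left CERT -> whole days until notAfter (negative once expired)
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  # GNU date first, BSD/macOS date as fallback
  end_s=$(date -d "$end" +%s 2>/dev/null \
      || date -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)
  echo $(( (end_s - $(date +%s)) / 86400 ))
}

# cert_matches_key CERT KEY -> 0 when both carry the same public key
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_lineage DIR NAME MIN_DAYS -> "OK ..." and 0, or "FAIL ..." and 1.
# fullchain.pem starts with the leaf certificate, which is what x509 reads.
check_lineage() {
  dir=$1 name=$2 min=$3
  cert="$dir/fullchain.pem" key="$dir/privkey.pem"
  cert_sans "$cert" | grep -qxF "$name" || { echo "FAIL: $name not in SANs"; return 1; }
  cert_matches_key "$cert" "$key"      || { echo "FAIL: privkey does not match cert"; return 1; }
  days=$(cert_days_left "$cert")
  [ "$days" -ge "$min" ]               || { echo "FAIL: only $days days left"; return 1; }
  echo "OK: $name, $days days left"
}

# Usage on a real install (needs root to read privkey.pem); example path:
# sudo sh -c '. ./check.sh; check_lineage /etc/letsencrypt/live/example.com "*.example.com" 14'
```

The same `cert_days_left` function doubles as a renewal monitor: run it from a timer and alert when the value drops below the threshold you expect certbot's renewal to keep you above.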


Certbot packages typically include a cron job or systemd timer to automatically renew the certificates before they expire. In my setup, the systemd timer handles this, making it unnecessary to manually configure a cron job or any other timer for renewal. You can test the automatic renewal process by running the following command:

sudo certbot renew --dry-run

To verify which method is being used for automatic renewal on your system, you can check one of the following locations:

  • /etc/crontab
  • /etc/cron.*/*
  • systemctl list-timers

Note: Don’t forget to configure your firewall to allow HTTPS traffic.
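A renewed certificate is only useful once the service that serves it has picked it up. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS (the names in that certificate). The script below is an added example of such a deploy hook, not something the article or certbot ships: it copies the renewed chain and key into a directory the service can read, keeps the key at 0600, and then reloads the service. The destination directory, the reload command and the `install_renewed` name are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the article): certbot deploy hook. Install as
# /etc/letsencrypt/renewal-hooks/deploy/homeserver.sh (example path) and make it
# executable; certbot runs it with RENEWED_LINEAGE and RENEWED_DOMAINS set.
set -eu

DEST=${DEST:-/etc/ssl/homeserver}                 # example destination
RELOAD_CMD=${RELOAD_CMD:-systemctl reload nginx}  # example reload command

# install_renewed LINEAGE_DIR DOMAINS -> 0 on success, 1 if the lineage is incomplete
install_renewed() {
  lineage=$1 domains=$2
  for f in fullchain.pem privkey.pem; do
    [ -s "$lineage/$f" ] || { echo "hook: $lineage/$f missing or empty" >&2; return 1; }
  done
  mkdir -p "$DEST"
  chmod 750 "$DEST"
  # -L follows certbot's live/ symlinks so the copy is the real file, not a link
  cp -L "$lineage/fullchain.pem" "$DEST/fullchain.pem"
  ( umask 077 && cp -L "$lineage/privkey.pem" "$DEST/privkey.pem" )
  chmod 644 "$DEST/fullchain.pem"
  chmod 600 "$DEST/privkey.pem"
  echo "hook: installed renewed certificate for: $domains"
  $RELOAD_CMD
}

# When certbot runs this script the lineage is in the environment; when the
# file is sourced for testing nothing is set and the function is just defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_renewed "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-unknown}"
fi
```

`sudo certbot renew --dry-run` does not execute deploy hooks, so test the hook once by hand (or with `--run-deploy-hooks`, available in recent certbot releases) and then watch the journal after the first real renewal.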

Conclusion

Securing your home server might seem like a complex endeavor, particularly when the server is not yet accessible from the internet. Manually setting up SSL certificates can be a daunting task, especially if you’re dealing with DNS validation and multiple steps of configuration. However, with the right tools in hand, specifically Certbot and Certbot-DNS-Cloudflare, the task becomes far less intimidating, because these tools automate many of the steps involved. By following this step-by-step guide, you should now have Certbot and the Certbot-DNS-Cloudflare plugin properly installed and be ready to create SSL certificates for your domain, managed effortlessly through Cloudflare’s DNS services.

I hope this article has helped you successfully obtain an SSL certificate for your home server on Ubuntu or a similar OS, even if your server isn’t publicly accessible yet. If you found this article helpful, feel free to leave a comment :smiley:

Thank you for taking the time to read this article. May your home server and any web services you run on it always operate securely!
