To generate a Let's Encrypt TLS certificate without exposing ports 80 and 443 to the internet, use the Let's Encrypt DNS-01 challenge through Cloudflare. The challenge is answered by a TXT record in your DNS zone instead of an HTTP response from the host, so the Hudu server needs no inbound connectivity during issuance, and DNS-01 is also the only challenge type that can issue wildcard certificates.
Guides
Set up a self-hosted Hudu instance using the Standard Self-Hosted Setup Guide. Make sure the domain's DNS is already hosted on Cloudflare and the zone shows as active (verified) in the Cloudflare dashboard.
In the .env file in the ~/hudu2 directory, change VALIDATION from http to dns and make sure the following lines are present. The DNS-specific ones are VALIDATION, DNSPLUGIN and EMAIL; the DNSPLUGIN value selects the credentials file /config/dns-conf/cloudflare.ini, so keep it lowercase to match that file name:
PUID=1000
PGID=1000
ONLY_SUBDOMAINS=true
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=example@example.com
STAGING=false
On the Docker host, run the following commands to install certbot and its Cloudflare DNS plugin (the package python3-certbot-dns-cloudflare provides the --dns-cloudflare plugin that reads cloudflare.ini):
sudo apt-get install certbot python3-certbot-nginx
sudo apt-get install python3-certbot-dns-cloudflare
Restart Hudu so the container picks up the new variables:
sudo docker compose down && sudo docker compose up -d
Create API Token in Cloudflare
Navigate to My Profile in the top-right of your Cloudflare dashboard.
Select API Tokens from the left-hand sidebar
Select Create Token
Select Use template next to Edit zone DNS.
Keep the Zone / DNS / Edit permission that the template provides, and under Zone Resources scope it to the specific zone for your domain rather than All zones; a token limited to one zone limits the damage if it leaks. Copy the token when it is displayed, because Cloudflare does not show it again.
Edit the API token (and, only if you use the Global API Key, the Cloudflare email) in the cloudflare.ini file located in /var/www/hudu2/config/dns-conf. Restrict the file to its owner (chmod 600 cloudflare.ini); certbot warns about credential files that other users can read.
The two lines in the ini file that you may need to edit (the token below is a placeholder, not a real credential):
dns_cloudflare_email = example@example.com - comment this out if using an API token, it is not needed
dns_cloudflare_api_token = f62ab346443fc593333deac6a18dba04532c6
To issue the certificate interactively with certbot on the host, run:
certbot certonly --manual --preferred-challenges dns -d yourdomain.com
Note that --manual does not read cloudflare.ini: certbot prints a validation value and waits while you create the DNS record yourself. The credentials file is used by the container (through DNSPLUGIN) and by certbot's --dns-cloudflare plugin, both of which create and remove the TXT record automatically.
Copy the 'unique_token_provided_by_certbot' value.
Then create a TXT record for:
_acme-challenge.yourdomain.com
Paste the 'unique_token_provided_by_certbot' value into the Content of the TXT record, wait for the record to propagate (check with dig TXT _acme-challenge.yourdomain.com), and only then let certbot continue; the challenge fails if Let's Encrypt queries the name before the record is visible.
If you wish to use your Cloudflare Global API Key instead, change the second line to dns_cloudflare_api_key and keep the dns_cloudflare_email line. The Global API Key grants full access to your entire Cloudflare account, so a zone-scoped API token is the safer choice.
Bring Docker down and back up by running:
cd ~/hudu2 && sudo docker compose down && sudo docker compose up -d
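The following script is an added example and is not part of the Hudu guide or the Hudu project. It checks a certbot dns-cloudflare credentials file for the mistakes this guide warns about (wrong permissions, both a token and a Global API Key set, a key without its email) and builds the non-interactive certbot command that lets the plugin installed by python3-certbot-dns-cloudflare create and remove the _acme-challenge TXT record itself. The file paths, domain and email used in the usage comment are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hudu guide: validate a certbot dns-cloudflare
# credentials file before issuing, and build the non-interactive certbot
# command that lets the plugin (from python3-certbot-dns-cloudflare) create
# and remove the _acme-challenge TXT record itself.
# The paths, domain and email passed in below are assumptions for illustration.
set -u

# Read "key = value" from an ini file, ignoring commented-out lines.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# check_cf_ini FILE: prints a verdict and returns 0 only when the file is usable.
check_cf_ini() {
    local f="$1" mode token key email
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # certbot refuses credential files that other users can read; require 0600.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "bad permissions $mode on $f (want 600)"; return 1; }
    token=$(ini_get "$f" dns_cloudflare_api_token)
    key=$(ini_get "$f" dns_cloudflare_api_key)
    email=$(ini_get "$f" dns_cloudflare_email)
    if [ -n "$token" ] && [ -n "$key" ]; then
        echo "both dns_cloudflare_api_token and dns_cloudflare_api_key set; keep one"; return 1
    fi
    if [ -n "$token" ]; then
        echo "ok: scoped API token"; return 0
    fi
    if [ -n "$key" ]; then
        # The Global API Key is only valid together with the account email.
        [ -n "$email" ] || { echo "dns_cloudflare_api_key requires dns_cloudflare_email"; return 1; }
        echo "ok: global API key (prefer a zone-scoped token)"; return 0
    fi
    echo "no Cloudflare credentials found in $f"; return 1
}

# certbot_cmd FILE DOMAIN EMAIL: the certbot invocation for the DNS plugin.
# Requests the apex and a wildcard; DNS-01 is the only challenge that can issue wildcards.
certbot_cmd() {
    printf "certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds 60 -d %s -d '*.%s' --email %s --agree-tos --non-interactive\n" "$1" "$2" "$2" "$3"
}

# Usage with assumed paths (run on the Docker host):
# check_cf_ini /var/www/hudu2/config/dns-conf/cloudflare.ini \
#     && certbot_cmd /var/www/hudu2/config/dns-conf/cloudflare.ini yourdomain.com example@example.com | sh
```

The propagation delay is passed explicitly because Cloudflare usually answers within seconds but Let's Encrypt's validators may query a different edge; 60 seconds is a safe default and can be shortened once issuance is known to succeed.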