Cloudflare LetsEncrypt DNS Challenge

To securely generate a LetsEncrypt SSL Certificate without leaving ports 443 and 80 open, consider using the Cloudflare LetsEncrypt DNS Challenge. This approach provides a more secure and flexible option for certificate generation.


Set up a self-hosted Hudu instance using the Standard Self-Hosted Setup Guide. Make sure your domain's DNS is already hosted and verified by Cloudflare, since the DNS challenge is completed by creating records in that zone.

In the .env file in the ~/hudu2 directory, change VALIDATION from http to dns and add the following lines that are shown in bold:


Run the following commands to install certbot:

sudo apt-get install certbot python3-certbot-nginx
sudo apt-get install python3-certbot-dns-cloudflare

Take Hudu down and back up:

sudo docker compose down && sudo docker compose up -d

Create API Token in Cloudflare

Navigate to My Profile in the top-right of your Cloudflare dashboard.

Select API Tokens from the left-hand sidebar

Select Create Token

Select Use template next to the Edit zone DNS template

Under Permissions, give the token DNS edit (and read) access, and under Zone Resources scope it to all zones or, preferably, only the zone for your domain; limiting the token to that single zone is the least-privilege choice and bounds the damage if the token is ever leaked.

Enter the API token (and, if you use the Global API Key instead, your Cloudflare email) in the cloudflare.ini file located in /var/www/hudu2/config/dns-conf. Keep that file readable only by its owner (mode 600); certbot warns when the credentials file is group- or world-readable.

The two lines in the ini file that you need to edit are:

dns_cloudflare_email =
dns_cloudflare_api_token = f62ab346443fc593333deac6a18dba04532c6

(the token value shown is only an example; replace it with the token you just created)

If you wish to use your Cloudflare Global API Key instead, change the second line to dns_cloudflare_api_key and fill in dns_cloudflare_email with your Cloudflare account email. Note that the Global API Key grants full access to your entire Cloudflare account, so a scoped API token is the safer option.
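To catch a mistyped or over-permissive cloudflare.ini before restarting Hudu, here is an added check script; it is not part of the Hudu guide or of certbot, and the file paths and credential values it uses are constructed examples.

```shell
#!/bin/sh
# Added example (not from the Hudu guide): sanity-check a certbot
# Cloudflare credentials file before the dns-cloudflare plugin uses it.
# Checks: the file exists, is owner-only readable (certbot warns otherwise),
# names exactly one auth method (scoped API token, or Global API Key + email),
# and does not still carry an empty value.

check_cloudflare_ini() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # Credentials must not be group- or world-readable (expect 600 or 400).
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        *00) ;;
        *) echo "unsafe permissions $perms on $f (expected 600)"; return 1 ;;
    esac

    # Read "key = value", ignoring surrounding whitespace.
    get() {
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$f" \
            | head -n 1 | tr -d '[:space:]'
    }
    token=$(get dns_cloudflare_api_token)
    key=$(get dns_cloudflare_api_key)
    email=$(get dns_cloudflare_email)

    if [ -n "$token" ] && [ -n "$key" ]; then
        echo "both dns_cloudflare_api_token and dns_cloudflare_api_key are set; keep only one"
        return 1
    fi
    # Scoped token: email is not needed for this method.
    [ -n "$token" ] && return 0
    if [ -n "$key" ]; then
        [ -n "$email" ] || { echo "dns_cloudflare_api_key requires dns_cloudflare_email"; return 1; }
        return 0
    fi
    echo "no dns_cloudflare_api_token or dns_cloudflare_api_key found"
    return 1
}

# Demo on a constructed file (placeholder token, not a real credential).
demo() {
    d=$(mktemp -d)
    printf 'dns_cloudflare_email =\ndns_cloudflare_api_token = EXAMPLE_TOKEN\n' > "$d/cloudflare.ini"
    chmod 600 "$d/cloudflare.ini"
    check_cloudflare_ini "$d/cloudflare.ini" && echo "cloudflare.ini: ok"
    rm -rf "$d"
}
demo
```

Run it against the real path, for example check_cloudflare_ini /var/www/hudu2/config/dns-conf/cloudflare.ini, before bringing the containers back up.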

Bring Docker down and back up by running:

cd ~/hudu2 && sudo docker compose down && sudo docker compose up -d