Renew Certificate for Cloudflare DNS
To check the status of certiuficate managed by certbot
sudo certbot certificates
Sometimes The 403 Forbidden error happens because your domain my.example.com is routed through Cloudflare
When Let's Encrypt tries to perform the HTTP-01 challenge by visiting https://my.example.com/.well-known/acme-challenge/..., Cloudflare features like Bot Fight Mode, WAF firewall rules, or "Always use HTTPS" redirect loops block the automated request.
The best and most reliable way to fix this while ensuring seamless auto-renewal is to switch from the HTTP challenge to the DNS-01 challenge using the Certbot Cloudflare plugin. Instead of serving a file over the web, Certbot will talk directly to Cloudflare’s API, briefly create a temporary TXT record, and validate ownership natively.
Here is how you can set it up:
Step 1: Create a Restricted Cloudflare API Token
- Log in to your Cloudflare Dashboard.
- Go to My Profile > API Tokens > click Create Token.
- Choose the Edit zone DNS template.
- Under Zone Resources, select:
Include->Specific Zone->kamlatech.in. - Click Continue to summary, then Create Token and copy the generated token.
Step 2: Configure the Credentials on Your Server
Log into your server via SSH and save your API token safely.
- Create a secrets directory and configuration file:
sudo mkdir -p /etc/letsencrypt/
sudo nano /etc/letsencrypt/cloudflare.ini
- Paste the following line into the file (replace with your actual token):
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_HERE
- Secure the file permissions so only root can read it:
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
Step 3: Install the Plugin and Issue the Certificate
Install the Cloudflare DNS plugin and run Certbot using the DNS challenge.
For Ubuntu/Debian (using apt):
sudo apt update
sudo apt install python3-certbot-dns-cloudflare
Run the Certbot command:
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
-d my.example.com \
--preferred-challenges dns-01
(If prompted, select option 2 to renew and replace the existing broken configuration).
Ensuring Auto-Renew Works Permanently
Because you ran the command specifying --dns-cloudflare and the credentials file, Certbot automatically saves these preferences into the renewal configuration file located at /etc/letsencrypt/renewal/my.example.com.conf.
You do not need to rewrite your cron jobs. When Certbot's daily background timer triggers certbot renew, it reads that configuration file and will automatically use the Cloudflare API to perform the challenge without ever hitting your website's port 80/443 again.
Test that auto-renewal works perfectly:
sudo certbot renew --dry-run
If the dry run reports success, your auto-renewals are completely hands-off and bulletproof against future Cloudflare blockages!