Been using letsencrypt for couple of years and manually generate using certbot whenever certificates expired. Yesterday taking sometime to upgrade certbot packages and set up some automation for renewal.
I have removed old certbot packages which was installed using yum and then use snap to install new certbot. You can refer to their guides to install snap which is very helpful and just follows accordingly to their instructions – here –
https://certbot.eff.org/instructions?ws=haproxy&os=centosrhel7
So new certbot supports several dns plugins which one of it is Cloudflare and coincidently using it at the moment.
https://certbot-dns-cloudflare.readthedocs.io/en/stable/
However, you have to generate Cloudflare token and keep it in a secret file. Keep it somewhere safe before certbot can start using it.
Once you have all ready you can generate SSL certificate for once to generate initial configurations before new renewal process can use same configurations.
This is the command that Im using to generate SSL for primary domain and wildcard SSL for subdomain. Basically if you look at the configs file, you wont be able to see the difference but the certificates will cover both types.
# certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secret/certbot/cloudflare.ini -d *.azmi.my -d azmi.my
Once you have generated the certificates, you can deploy to your reverse proxy in this case is HAProxy and reload the service.
So to automate this, Im using cronjob and very simple script so it will run renewal script every week. Once its found out expiry date is near it will renew the certificates, deploy new certificates and reload the service.