HomeLab: Nginx-Proxy-Manager: Setup SSL Certificate with Domain Name in Cloudflare DNS
Setting up an SSL certificate for a domain name hosted in Cloudflare DNS with the built-in function of Nginx-Proxy-Manager. There is no need to open any inbound ports, because the DNS challenge is used to issue and renew the certificate.
Intro
Last time, I installed Nginx-Proxy-Manager with docker-compose on Flatcar Container Linux running on a Raspberry Pi.
Today, I set up a Let's Encrypt SSL certificate for a domain name hosted in Cloudflare DNS.
Overall Steps
- Buy a Domain Name from Cloudflare ( I won’t cover this here )
- Generate a User API Token in Cloudflare
- Add Let’s Encrypt Certificate in Nginx-Proxy-Manager
1. Buy a Domain Name from Cloudflare
For a homelab, buying a domain name is not strictly required. However, after trying several things with my homelab, I learned that buying and using a dedicated domain name for it makes things easier.
Also, a domain name with a less popular TLD ( e.g. .party ) is not expensive: even less than $5 without any promotion, and no surprise when renewing it the following year.
In my case, I just bought one, wowbro.party.
2. Generate a User API Token in Cloudflare
Most tutorials start from the Nginx-Proxy-Manager UI. However, since Nginx-Proxy-Manager requires a User API Token that is generated in Cloudflare, I think it's better to start with the Cloudflare step.
Why is a User API Token needed?
Nginx-Proxy-Manager uses the API Token generated in Cloudflare to complete the DNS-01 challenge while issuing the Let's Encrypt certificate: it creates the required TXT record through the Cloudflare API, then removes it again. The same token is used at every renewal, so it must stay valid for as long as the certificate is in use.
DNS-01 challenge
This challenge asks you to prove that you control the DNS for your domain name by putting a specific value in a TXT record under that domain name. It is harder to configure than HTTP-01, but can work in scenarios that HTTP-01 can’t. It also allows you to issue wildcard certificates.
ref: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
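To make the DNS-01 mechanism concrete, the following Python script works out what certbot (the ACME client bundled in Nginx-Proxy-Manager) actually writes into the _acme-challenge TXT record: the RFC 7638 thumbprint of the ACME account key, the RFC 8555 key authorization, and the SHA-256 of that. This is an added example, not code from the original post or from Nginx-Proxy-Manager or certbot; the JWK, the challenge token and the domain values are constructed placeholders, not real key material.

```python
"""Worked DNS-01 arithmetic (RFC 8555 sections 8.1 and 8.4, RFC 7638).

Added example, not code from the original post nor from Nginx-Proxy-Manager/certbot.
SAMPLE_JWK and the challenge tokens below are constructed placeholders.
"""
import base64
import hashlib
import json

# Constructed account key (public part only, values are meaningless placeholders).
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "c2FtcGxlLW1vZHVsdXM",
    "e": "AQAB",
    "alg": "RS256",   # extra members like these are NOT part of the thumbprint
    "kid": "homelab",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME/JOSE require (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 section 3: keep only the required public members of the key type,
    sort them lexicographically and serialize with no whitespace. Private members
    such as 'd' are never included, so a thumbprint leaks nothing about the private key."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey)).
    The token comes from the ACME server, so only the holder of the account key
    that started the order can produce a matching value."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT record value = base64url(SHA-256(keyAuthorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return the (name, value) the DNS plugin must create. For a wildcard the '*.'
    label is dropped, so '*.wowbro.party' and 'wowbro.party' are both validated at
    _acme-challenge.wowbro.party, each with its own token and therefore its own value."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", dns01_txt_value(token, jwk)


if __name__ == "__main__":
    # One authorization per identifier: two records under the same name.
    for ident, tok in (("wowbro.party", "token-for-apex"), ("*.wowbro.party", "token-for-wildcard")):
        name, value = dns01_record(ident, tok, SAMPLE_JWK)
        print(f"{ident:16} -> {name} TXT {value}")
```

Because both identifiers in the post's certificate resolve to the same record name, two TXT records coexist briefly during issuance; that is normal, and it is also why the plugin cleans up after itself rather than overwriting. The check a practitioner can run while a real order is in flight is `dig +short TXT _acme-challenge.wowbro.party` against a public resolver: the values must already be visible before the propagation wait ends.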
Go to User API Token Creation Menu in Cloudflare
The biggest challenge for me was finding the menu in Cloudflare where I can create the User API Token. It’s well hidden. 😆
- Go to Cloudflare’s Home and select the domain name ( the screenshot on the top-left )
- In the domain’s management UI ( Overview tab ), search and click “Get your API token” ( the screenshot on the top-right )
- On the User API Tokens menu, click “Create Token” ( the screenshot on the bottom-left )
- On the Create API Token menu, click “Get Started” in Custom Token section.
Create User API Token in Cloudflare
- Add description. I put “HomeLab Nginx-Proxy-Manager”
- Add Permissions: Zone | DNS | Edit. Under Zone Resources, choose Include | Specific zone | wowbro.party so the token can only change DNS records of this one zone and nothing else in the account. Leave the TTL unset ( or far in the future ): the same token is reused for every renewal, and an expired token makes every later renewal fail.
- Copy and keep the User API Token. Cloudflare shows it only once, at creation; store it in a password manager, because anyone holding it can edit the zone's DNS records.
Now, the User API Token is ready.
3. Add Let’s Encrypt Certificate in Nginx-Proxy-Manager
I set the config for Let’s Encrypt Certificate in Nginx-Proxy-Manager like below.
- Go to the SSL Certificates menu and click "Add SSL Certificate"
- Fill in the popup form ( Add Let’s Encrypt Certificate ).
- Complete
The details in “Add Let’s Encrypt Certificate”
- Put the domain name and the wildcard ( wowbro.party and *.wowbro.party ). A wildcard is only possible with the DNS challenge, which is the second reason to use it here.
- Enable "Use a DNS Challenge"
- DNS Provider: Cloudflare
- Credential File Content: replace the example value of dns_cloudflare_api_token with the User API Token from Cloudflare. Keep the key name exactly as shown; it is what the certbot Cloudflare plugin reads.
- Propagation Seconds: to be safe, set 120. This is how long certbot waits after creating the _acme-challenge TXT record before asking Let's Encrypt to check it. The plugin's own default is 10 seconds, which Cloudflare usually meets, but a value that is too short fails the challenge, while a longer one only costs a little time at issuance and renewal.
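Before pasting the token into the form, it is worth confirming that Cloudflare accepts it and writing the credential fragment with permissions that keep it private. The script below is an added example, not part of the original post or of Nginx-Proxy-Manager; it assumes Cloudflare's documented GET /client/v4/user/tokens/verify endpoint, and the SAMPLE_* responses are constructed to show the decision logic offline. It covers both the token step ( section 2 ) and the "Credential File Content" field ( section 3 ).

```python
"""Pre-flight for the Cloudflare API token used by Nginx-Proxy-Manager.

Added example, not part of the original post or of Nginx-Proxy-Manager.
Assumes Cloudflare's GET /client/v4/user/tokens/verify endpoint; the SAMPLE_*
responses are constructed stand-ins for what that endpoint returns.
"""
import json
import os
import tempfile
import urllib.error
import urllib.request

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"

# Constructed responses, shaped like the Cloudflare v4 API envelope.
SAMPLE_ACTIVE = {"success": True, "errors": [], "messages": [],
                 "result": {"id": "0123456789abcdef0123456789abcdef", "status": "active"}}
SAMPLE_DISABLED = {"success": True, "errors": [], "messages": [],
                   "result": {"id": "0123456789abcdef0123456789abcdef", "status": "disabled"}}
SAMPLE_REJECTED = {"success": False, "errors": [{"code": 1000, "message": "Invalid API Token"}],
                   "messages": [], "result": None}


def token_is_usable(body: dict) -> bool:
    """True only when the envelope says success AND the token status is 'active'.
    A disabled or expired token still parses as a successful call, so checking
    'success' alone is not enough."""
    result = body.get("result") or {}
    return bool(body.get("success")) and result.get("status") == "active"


def verify_token(token: str) -> bool:
    """Live check against Cloudflare (needs network). HTTP 4xx means the token
    itself was rejected, which we report as unusable rather than as a crash."""
    req = urllib.request.Request(VERIFY_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return token_is_usable(json.load(resp))
    except urllib.error.HTTPError:
        return False


def credential_file_content(token: str) -> str:
    """Exactly what the 'Credential File Content' field expects: the certbot
    dns-cloudflare INI fragment, with the token in place of the example value."""
    return f"# Cloudflare API token\ndns_cloudflare_api_token = {token}\n"


def write_credentials(token: str, path=None) -> str:
    """Write the fragment readable by the owner only. The mode passed to os.open is
    masked by the umask and ignored for pre-existing files, hence the explicit chmod."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(prefix="npm-cf-"), "cloudflare.ini")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(credential_file_content(token))
    os.chmod(path, 0o600)
    return path


def credentials_are_private(path: str) -> bool:
    """No group or world permission bits set on the credential file."""
    return (os.stat(path).st_mode & 0o077) == 0


if __name__ == "__main__":
    # Usage: CLOUDFLARE_API_TOKEN=... python3 this_script.py
    tok = os.environ.get("CLOUDFLARE_API_TOKEN", "")
    if not tok or not verify_token(tok):
        raise SystemExit("token rejected or inactive; fix it in Cloudflare before using it in NPM")
    print("token active; credential fragment written to", write_credentials(tok))
```

The verify endpoint only reports whether the token is valid and active, not what it may do; the zone restriction from section 2 has to be checked in the Cloudflare UI. Nginx-Proxy-Manager stores the pasted content in its own data volume, so the same owner-only expectation applies to that volume on the host.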