Most everything here uses acme.sh, with auto-renewing certificates from Let's Encrypt and Cloudflare DNS domain verification.
crt.sh is a good resource for viewing certificates issued for a domain.
1. Set environment variables
export CF_Token="pybhqsynervfirelpbby"
export CF_Account_ID="pybhqsynervfirelpbby"
export CF_Zone_ID="pybhqsynervfirelpbby"
2. Generate cert
acme.sh --issue --dns dns_cf -d example.com
acme.sh --issue -d example.com -w /var/www/example.com/
export DOMAIN=example.com
# 1. Create Certificate Path
mkdir -p /etc/nginx/acme.sh/${DOMAIN}/
# 2. Tell acme.sh about it
acme.sh --install-cert -d ${DOMAIN} \
    --cert-file /etc/nginx/acme.sh/${DOMAIN}/cert \
    --key-file /etc/nginx/acme.sh/${DOMAIN}/key \
    --fullchain-file /etc/nginx/acme.sh/${DOMAIN}/fullchain \
    --reloadcmd "systemctl reload nginx.service"
Then in NGINX config…
ssl_certificate /etc/nginx/acme.sh/example.com/fullchain;
ssl_certificate_key /etc/nginx/acme.sh/example.com/key;
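
A post-install check for the files written by the `--install-cert` step above (an added example, not part of the original notes or of acme.sh). It assumes `openssl` is installed; the function name `check_installed_cert` and the 14-day default threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: sanity-check the files written by `acme.sh --install-cert`.
# Usage: check_installed_cert /etc/nginx/acme.sh/example.com [min_days_left]
check_installed_cert() {
    dir=$1
    min_days=${2:-14}   # assumed threshold, not from the page
    rc=0

    for f in cert key fullchain; do
        if [ ! -s "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing or empty"
            return 1
        fi
    done

    # Private key must carry no group/other permission bits.
    perms=$(ls -lnL "$dir/key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $dir/key is accessible to group/other ($perms)"
        rc=1
    fi

    # Certificate and key must hold the same public key,
    # otherwise nginx rejects the pair on reload.
    cert_pub=$(openssl x509 -in "$dir/cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: cert and key do not match"
        rc=1
    fi

    # The first certificate in fullchain must be the leaf stored in cert.
    leaf=$(openssl x509 -in "$dir/cert" -noout -fingerprint -sha256 2>/dev/null)
    first=$(openssl x509 -in "$dir/fullchain" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$leaf" ] || [ "$leaf" != "$first" ]; then
        echo "FAIL: fullchain does not start with the leaf certificate"
        rc=1
    fi

    # Renewal check: fail if the leaf expires within min_days.
    if ! openssl x509 -in "$dir/cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $min_days days"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}
```

Run from cron or a monitoring job, a non-zero exit status flags a renewal that stopped working or a key file whose permissions were loosened.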