Step 1 – Backup Old Certificates

Before cleaning up, create a backup:

```bash
mkdir -p /root/backup_letsencrypt
cp -r /etc/letsencrypt/renewal /root/backup_letsencrypt/
cp -r /etc/letsencrypt/live /root/backup_letsencrypt/
cp -r /etc/letsencrypt/archive /root/backup_letsencrypt/
```
Step 2 – Remove Broken Configurations

Delete all broken *.conf files and old certificate folders:

```bash
rm /etc/letsencrypt/renewal/<your-domain>*.conf
rm -r /etc/letsencrypt/live/<your-domain>*
rm -r /etc/letsencrypt/archive/<your-domain>*
```
Step 3 – Prepare Cloudflare Credentials

(This step is already done if you used my template.)

Create a file containing your Cloudflare API token:

```bash
sudo mkdir -p /root/.secrets/
sudo nano /root/.secrets/cloudflare.ini
```

Content:

```ini
dns_cloudflare_api_token = <YOUR_API_TOKEN>
```

Restrict the permissions so that only root can read the token:

```bash
chmod 600 /root/.secrets/cloudflare.ini
```
Step 4 – Issue a New Certificate

Request a new certificate using the Cloudflare DNS plugin.

For a single subdomain:

```bash
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d <your-domain>
```

For a wildcard (recommended):

```bash
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d <your-domain> -d '*.<your-domain>'
```
Step 5 – Test Renewal

Run a dry-run test:

```bash
certbot renew --dry-run
```
If everything works, Certbot will automatically create a valid renewal config file.
Future renewals will then run automatically via the systemd timer (certbot.timer).
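The following pre-flight script is an added example, not part of the original post: it checks the Cloudflare credentials file the way Steps 3 and 5 expect it (exists, mode 600, real token rather than the placeholder) and lists renewal configs whose certificate paths no longer exist, which are the broken configs Step 2 removes. Directory paths are parameters so it can be pointed at /etc/letsencrypt or at a constructed test tree; the config keys it reads (cert, privkey, chain, fullchain, dns_cloudflare_credentials) are the ones Certbot writes into its renewal configs.

```bash
#!/usr/bin/env bash
# Added pre-flight checks for the Certbot + Cloudflare DNS setup above (example code,
# not part of the original post). Paths are parameters so the checks can run against
# /etc/letsencrypt or against a constructed test tree.

# 1) The credentials file must exist, be mode 600 exactly, and hold a real token
#    rather than the <YOUR_API_TOKEN> placeholder left from the template.
check_cloudflare_ini() {
  local ini="$1"
  [ -f "$ini" ] || { echo "missing credentials file: $ini"; return 1; }
  # find -perm 600 (no leading dash) matches the exact mode, so 640/644 are rejected
  [ -n "$(find "$ini" -prune -perm 600)" ] \
    || { echo "$ini is not mode 600; run: chmod 600 $ini"; return 1; }
  # Cloudflare API tokens are long [A-Za-z0-9_-] strings; a placeholder will not match
  grep -Eq '^dns_cloudflare_api_token *= *[A-Za-z0-9_-]{20,} *$' "$ini" \
    || { echo "no usable dns_cloudflare_api_token in $ini"; return 1; }
  return 0
}

# 2) Renewal configs pointing at missing cert files (or dangling live/ symlinks) are
#    the "broken" configs that make 'certbot renew' fail; print one path per line.
find_broken_renewal_confs() {
  local renewal_dir="$1" conf key path creds
  for conf in "$renewal_dir"/*.conf; do
    [ -e "$conf" ] || continue
    for key in cert privkey chain fullchain; do
      path=$(sed -n "s/^$key *= *//p" "$conf" | head -n 1)
      # -e follows symlinks, so a dangling live/ link counts as missing
      if [ -z "$path" ] || [ ! -e "$path" ]; then
        echo "$conf"
        continue 2
      fi
    done
    # the dns-cloudflare plugin also needs the credentials file named in the config
    creds=$(sed -n 's/^dns_cloudflare_credentials *= *//p' "$conf" | head -n 1)
    if [ -n "$creds" ] && [ ! -f "$creds" ]; then
      echo "$conf"
    fi
  done
}

# Usage on a live system (as root), before Step 2 and again after Step 4:
#   check_cloudflare_ini /root/.secrets/cloudflare.ini
#   find_broken_renewal_confs /etc/letsencrypt/renewal
```

An empty result from find_broken_renewal_confs after Step 4 means every remaining renewal config resolves, which is the state in which certbot renew --dry-run is expected to pass.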
✅ Result:
- Old broken certificates have been cleaned up.
- A new certificate was successfully issued.
- Automatic renewal now works reliably again.
