How to Renew SSL with Cloudflare Proxy Enabled (LiteSpeed + cPanel + CloudLinux + Imunify360)

Using Cloudflare’s proxy (orange cloud ☁️) can block standard HTTP validation (port 80). This guide shows how to issue and renew SSL certificates using the DNS-01 challenge via the certbot-dns-cloudflare plugin. It is compatible with:

  • LiteSpeed Enterprise
  • CloudLinux 9
  • cPanel
  • Imunify360

✅ Requirements

  • Domain DNS managed by Cloudflare
  • cPanel server with CloudLinux 9 + LiteSpeed
  • Root SSH access
  • Cloudflare API Token
  • certbot + certbot-dns-cloudflare installed

🧩 Step 1: Install Certbot and Cloudflare DNS Plugin

dnf install epel-release -y
dnf install certbot python3-certbot-dns-cloudflare -y

If you prefer pip:

pip install certbot certbot-dns-cloudflare

Step 2: Create Cloudflare API Token

  1. Log in to Cloudflare Dashboard
  2. Navigate to My Profile > API Tokens > Create Token
  3. Use template: Edit zone DNS
  4. Restrict to your domain
  5. Copy the token and keep it safe

Step 3: Store Cloudflare Credentials

Create a secure credentials file:

mkdir -p /root/.secrets/certbot
nano /root/.secrets/certbot/cloudflare.ini

Add:

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN

Set secure permissions:

chmod 600 /root/.secrets/certbot/cloudflare.ini
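
A pre-renewal audit of this credentials file, as an added example (not part of the original guide or of certbot). The function name check_cf_credentials is hypothetical, and the script assumes a stat that supports -c (GNU coreutils or BusyBox). It checks the ownership and permissions from Step 3 and confirms the file holds the scoped token from Step 2 rather than the plugin's legacy Global API Key settings:

```shell
#!/bin/sh
# Added example: audit the certbot Cloudflare credentials file from Step 3.
# check_cf_credentials FILE [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints one line per finding; returns 0 only when there are no findings.
# Assumes a stat that supports -c (GNU coreutils or BusyBox).
check_cf_credentials() (
  file=$1; want_uid=${2:-0}; rc=0

  # A symlink could point the renewal job at a file someone else controls.
  if [ -L "$file" ]; then echo "FAIL: $file is a symlink"; return 1; fi
  if [ ! -f "$file" ]; then echo "FAIL: $file not found"; return 1; fi

  uid=$(stat -c '%u' "$file")
  mode=$(stat -c '%a' "$file")
  dmode=$(stat -c '%a' "$(dirname "$file")")

  if [ "$uid" != "$want_uid" ]; then
    echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1
  fi
  # Any group/other permission bit exposes the token to other accounts.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "FAIL: mode $mode is too open, run chmod 600"; rc=1
  fi
  # A group/other-writable directory lets another account swap the file.
  if [ $(( 0$dmode & 022 )) -ne 0 ]; then
    echo "FAIL: parent directory mode $dmode is group/other-writable"; rc=1
  fi

  # Step 2 issues a zone-scoped token. The plugin's legacy settings
  # (dns_cloudflare_email + dns_cloudflare_api_key) hold the Global API Key,
  # which is not limited to one zone.
  if grep -Eq '^[[:space:]]*dns_cloudflare_(email|api_key)[[:space:]]*=' "$file"; then
    echo "FAIL: Global API Key settings present, use a scoped token"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$file"; then
    echo "FAIL: dns_cloudflare_api_token is missing or empty"; rc=1
  fi
  if grep -q 'YOUR_CLOUDFLARE_API_TOKEN' "$file"; then
    echo "FAIL: placeholder token was not replaced"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $file"
  return "$rc"
)
```

Run it as root against /root/.secrets/certbot/cloudflare.ini after Step 3; a non-zero exit status means at least one finding was printed.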

🧪 Step 4: Issue or Renew Certificate

Replace example.com with your domain:

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
  -d example.com -d www.example.com

Certs will be stored at:

/etc/letsencrypt/live/example.com/

Step 5: Automate SSL Renewal

Edit root’s crontab:

crontab -e

Add:

0 4 * * * certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini --quiet --deploy-hook "/usr/local/lsws/bin/lswsctrl restart"

This:

  • Renews expiring certs
  • Restarts LiteSpeed on successful renewal

🌐 Step 6: Connect SSL in cPanel + LiteSpeed

Even though certs are issued via CLI, you must map them to cPanel and LiteSpeed.

Option 1: Link Files to cPanel User Path

Replace cpuser with the cPanel username:

mkdir -p /var/cpanel/ssl/apache_tls/cpuser
ln -sf /etc/letsencrypt/live/example.com/privkey.pem /var/cpanel/ssl/apache_tls/cpuser/privkey.pem
ln -sf /etc/letsencrypt/live/example.com/fullchain.pem /var/cpanel/ssl/apache_tls/cpuser/cert.pem

Then run:

/scripts/restartsrv_httpd
/usr/local/lsws/bin/lswsctrl restart

Option 2: Import Cert via WHM

WHM → Install an SSL Certificate on a Domain

Paste in:

  • Cert: fullchain.pem
  • Key: privkey.pem

🔒 Step 7: Confirm Cloudflare Mode

Go to Cloudflare Dashboard > SSL/TLS → Overview

  • Set the encryption mode to Full (Strict) so the origin certificate is validated and HTTPS holds end-to-end

🧹 Imunify360 Compatibility

Imunify360 will not block DNS validation via Cloudflare, so no extra exclusions are required. Just ensure Imunify360 is not rate-limiting Let’s Encrypt IPs if you issue certificates frequently.

To review logs:

tail -f /var/log/imunify360/console.log

🧭 Summary

Component           | Action
Certbot + Plugin    | Install certbot-dns-cloudflare
Cloudflare Token    | Generate and store in secure file
SSL Issuance        | Use DNS-01 via certbot certonly
Renewal Cron        | Add certbot renew + restart LiteSpeed
cPanel Integration  | Link or import certs to user’s domain
Cloudflare Mode     | Use Full (Strict) for HTTPS end-to-end