Linode instance SSL installation and auto DNS assignment with Cloudflare

Here is my implementation.

resource "linode_instance" "server" {
  count  = 0 # number of servers to create; 0 creates none and yields zero DNS records below
  label  = "server-${count.index}"
  region = "ap-west"
  image  = "linode/ubuntu21.10"
  type   = "g6-nanode-1"
  tags   = ["prod"]
  root_pass      = var.linode_instance_root_password
  stackscript_id = linode_stackscript.nodejs_script.id
}

resource "cloudflare_record" "server" {
  count   = length(linode_instance.server) # one A record per instance
  zone_id = var.cloudflare_zone_id
  name    = "server-${count.index}"
  value   = linode_instance.server[count.index].ip_address
  ttl     = 1 # 1 means "automatic" in Cloudflare
  type    = "A"
}

I can create certificate.pem and privatekey.pem files with certbot in the Linode StackScript; however, since I create the DNS resource after the Linode instance creation, it’s not possible to do that. What are the best practices for this?

Note: I want to install the certificate directly on the server; I don’t want to use any proxy.

Hi @BySpecops,

From your description I understand that you intend to run Certbot inside the Linode instance in order to obtain a TLS certificate for the DNS record described by cloudflare_record.server.

Since Terraform cannot itself control or monitor the software running inside the Linode instance, I think here you’ll need to design your “stack script” to periodically retry running Certbot until it succeeds, so that the DNS record creation can happen at some point after the instance is already running, once the hostname begins resolving.

I think Terraform is not really the ideal tool to orchestrate a multi-step serial process like this, because it involves running software inside a virtual machine, whereas Terraform is typically responsible only for launching virtual machines. Another alternative would be to use DNS-based verification driven by Certbot itself, using certbot-dns-cloudflare, which would then allow the scripts in your VM to be entirely responsible for the process, including the creation of the DNS record needed for verification. (I believe the DNS verification record is separate from the one users would use to access the server, so Terraform could still be responsible for the server’s main DNS record.)

A further option would be to manage the entire certificate process with Terraform, using the third-party provider vancluever/acme. In that case the Terraform provider would be the one to request the certificate, and then you’d pass that certificate to the virtual machine somehow so it can use it. However, that would have the disadvantage that you’d need to re-run Terraform periodically in order to renew the certificate, and that your private key would be included in your Terraform state snapshots so you would need to store them carefully.
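
The retry-until-DNS-resolves approach from the first suggestion, as an added example that is not code from the thread or from either poster. It assumes the hostname and contact address reach the StackScript as UDFs named FQDN and EMAIL (for instance through the linode_instance stackscript_data map), and that dig and certbot are installable from the Ubuntu repositories:

```shell
#!/bin/sh
# Added example, not code from the thread: a StackScript fragment that waits for
# the Terraform-managed Cloudflare A record to resolve to this instance before
# running Certbot, retrying with a fixed delay. Assumes the hostname and contact
# address arrive as StackScript UDFs named FQDN and EMAIL (e.g. via stackscript_data).
set -eu

# Pure helper: succeed when IP is one of the newline-separated addresses in ADDRS.
addr_in_list() {
  local ip="$1" addrs="$2"
  printf '%s\n' "$addrs" | grep -qxF -- "$ip"
}

# Ask a public resolver (default 1.1.1.1) whether NAME resolves to EXPECTED_IP.
# A public resolver avoids a stale negative answer cached by the local stub resolver.
dns_points_here() {
  local name="$1" expected_ip="$2" resolver="${3:-1.1.1.1}" answers
  answers="$(dig +short "@$resolver" A "$name" 2>/dev/null || true)"
  addr_in_list "$expected_ip" "$answers"
}

# Retry dns_points_here up to MAX times, sleeping DELAY seconds between attempts.
# Returns 1 if the record never appears, so Certbot is not run against a name
# that still resolves elsewhere (or not at all).
wait_for_dns() {
  local name="$1" ip="$2" max="${3:-60}" delay="${4:-30}" i=1
  while [ "$i" -le "$max" ]; do
    if dns_points_here "$name" "$ip"; then return 0; fi
    echo "attempt $i/$max: $name does not resolve to $ip yet" >&2
    i=$((i + 1)); sleep "$delay"
  done
  return 1
}

issue_certificate() {
  local name="$1" email="$2" ip
  apt-get update -qq && apt-get install -y -qq certbot dnsutils
  # Public IPv4 of this instance, taken from the source address of the default route.
  ip="$(ip -4 route get 1.1.1.1 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") print $(i + 1)}')"
  wait_for_dns "$name" "$ip" || { echo "DNS never converged; giving up" >&2; return 1; }
  # HTTP-01 standalone challenge: port 80 must be reachable and still free at this point.
  certbot certonly --standalone --non-interactive --agree-tos -m "$email" -d "$name"
  # Certbot writes /etc/letsencrypt/live/$name/fullchain.pem and privkey.pem for the app.
}

# StackScript UDFs are exported as environment variables; outside Linode this does nothing.
if [ -n "${FQDN:-}" ]; then
  issue_certificate "$FQDN" "${EMAIL:?EMAIL UDF is required}"
fi
```

The HTTP-01 challenge used here cannot issue wildcard certificates; a wildcard needs the DNS-01 challenge via certbot-dns-cloudflare mentioned above, with the same wait-and-retry structure around it.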

Hi @apparentlymart,

I’ve already prepared the script and I’m able to run certbot in the machine, but the problem is that I need a wildcard certificate since I will run multiple servers.

With the Cloudflare origin certificate I was able to do that; however, for that I need to proxy the DNS. This is something that I don’t want to do because my server will run a real-time application. That’s why it’s important for me to set up wildcard certificates or different certificates for each server (the challenge with setting up a separate domain is that in my StackScript, as you can guess from the script I’ve shared above, it’s not possible to provide the DNS name because it has a dependency on the Linode instance).

I’ve also asked on the Stack Overflow sites for further information and described what I’m trying to do in different ways.

Thanks.