Get your Cloudflare API token
In the Cloudflare dashboard, create an API token with Zone → DNS → Edit permission scoped to the zone (or zones) you want Certplane to manage. Do not use a Global API Key — a scoped token limits the blast radius if the credential is ever exposed.Once you have the token, note its value. You’ll store it in the next step.
Store the token
The simplest approach is the With
env secrets provider. Export the token as an environment variable before starting the broker:secrets.provider: env the broker reads the environment variable whose name appears in acme.credentials. To load credentials from a file or from Vault/OpenBao instead, see Secrets providers and the Vault and OpenBao secrets guide.Configure the broker
Edit your The
broker.yml to point the issuer block at the Let’s Encrypt staging directory and configure the Cloudflare DNS provider. Start with staging so you can confirm everything works without burning production rate limits.account_key must be the path to the EC private key you generated above. The account_email is the address Let’s Encrypt uses to send expiry warnings; it does not need to match any DNS record.Create a wildcard profile in policy.yml
Add a profile that requests a wildcard certificate using the dns-01 challenge. The Then allow the relevant host to request this profile:
credentials value is the name of the secret as interpreted by your configured secrets provider — for the env provider, this is the environment variable name.Let’s Encrypt ignores the
ttl field at issuance time and always issues certificates valid for 90 days. The renew_before value controls when Certplane proactively renews — the default of 720h (30 days) is a sensible starting point.Test with staging, then switch to production
Restart the broker and trigger a certificate request from an agent. Staging certificates are signed by a fake CA that browsers do not trust, but they are structurally identical to production ones — any configuration errors will surface here.Once the staging certificate is issued successfully, switch the broker to the production directory:Restart the broker. The next renewal cycle (or a forced re-request) will obtain a production certificate trusted by all major browsers and operating systems.