I use Let's Encrypt for all my certificates.  A lot of people don't like that they expire after 90 days but with the right tools you can easily setup automatic renewals.

The simple and quick instructions below are for installing certbot with cloudflare dns plugin on Ubuntu 20.04  Using the CF DNS plugin means you don't have to manually update DNS TXT record to prove domain ownership!  Let's get started.

1. Install Certbot first using SNAP.  Make sure you have not already installed using APT.  If you have, first run the command below to uninstall

sudo apt remove certbot


sudo snap install --classic certbot

Followed by the command below which enables plugins to be used.  This is a security feature.

sudo snap set certbot trust-plugin-with-root=ok

2. Next install the Cloudflare Certbot DNS plugin

sudo snap install certbot-dns-cloudflare

3. Next follow all the commands below in consecutive order to create a .secrets secure folder and a cloudflare.ini containing the Restricted API key.  Be sure to run all commands as root.

CD to ~ 
mkdir .secrets
# create ini file containing the API Key you create in Cloudflare portal.  Be sure to create a Restricted Token and do not use the Global API Key
cd .secrets/

nano cloudflare.ini
# copy the text below into cloudflare.ini file using nano
dns_cloudflare_api_token = YOURTOKENHERE
#CTRL+X to save and close the file

 4. Now you should be able to run the command to request the Certificate and the plugin will create and delete a TXT file for you.

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d "*.example.net"

That's it!  Another cool thing is certbot will create a CRON job to automatically renew your cert.