In times of HTTPS-only browsers, SameSite cookies, and realistic development conditions, it's important to work locally with genuine SSL certificates. Let's Encrypt has pioneered this approach – with the help of certbot and Cloudflare, creating and renewing wildcard certificates is quick and easy. This allows you to access your web projects over HTTPS from any device (smartphone, VM, etc.) on the local network or via VPN.
We first register a developer domain with Cloudflare, for example vielhuber.dev:

We now point this domain to our own local IP address (for example 192.168.0.2). To do this, create the following DNS A records (important: the proxy status must be set to gray/DNS only, otherwise the records would resolve to Cloudflare's proxy instead of the local address):
Type | Name | Contents |
---|---|---|
A | @ | 192.168.0.2 |
A | * | 192.168.0.2 |
To validate wildcard certificates via the DNS-01 challenge, certbot has to create TXT records automatically. To do this, we now create an API token (Profile > API Tokens > Create Token > Template: Edit zone DNS) and restrict it to the domain:

Next, we set up certbot together with the Cloudflare DNS plugin:
```shell
sudo apt install certbot python3-certbot-dns-cloudflare
pip install --upgrade pyOpenSSL cryptography certbot certbot-dns-cloudflare
```
Now we store the previously generated API token in a credentials file:
```shell
mkdir -p ~/.secrets/certbot
nano ~/.secrets/certbot/cloudflare.ini
```
with the following content:
```ini
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN_WITH_EDIT_ZONE_DNS_PERMISSIONS
```
Since this token can edit DNS for the whole zone, the file must be readable only by our own user:
```shell
chmod 600 ~/.secrets/certbot/cloudflare.ini
```
Finally, we request a certificate for both the wildcard and the apex domain (a wildcard covers only one label level, so vielhuber.dev itself has to be listed separately):
```shell
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
--dns-cloudflare-propagation-seconds 60 \
-d '*.vielhuber.dev' -d vielhuber.dev \
--agree-tos \
--email david@vielhuber.de \
--non-interactive
```
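Two things in this setup are easy to get wrong: which hostnames the wildcard actually covers, and whether the credentials file really ended up with `600` permissions. The following check is an added example, not part of the original post or of certbot; the SAN list and the file path are constructed to mirror the `-d` arguments and the `cloudflare.ini` location used above.

```python
"""Check wildcard coverage and credentials-file permissions for the setup above.

A wildcard SAN such as *.vielhuber.dev matches exactly one DNS label:
project-xy.vielhuber.dev is covered, a.b.vielhuber.dev and the apex
vielhuber.dev are not. That is why both '*.vielhuber.dev' and
'vielhuber.dev' are requested from certbot. (Constructed example.)
"""
import os
import stat


def san_matches(san: str, host: str) -> bool:
    """True if one SAN entry covers host: a leading '*' stands in for
    exactly one complete leftmost label (RFC 6125 style), never for
    several labels or for an empty label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # e.g. ".vielhuber.dev"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the label the '*' must cover
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def covered_hosts(sans, hosts):
    """Map each hostname to whether any SAN in the certificate covers it."""
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}


def credentials_file_ok(path: str) -> bool:
    """True only if the credentials file exists, is a regular file and
    grants no permissions at all to group or others (what chmod 600 gives)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    sans = ["*.vielhuber.dev", "vielhuber.dev"]          # constructed SAN list
    hosts = ["project-xy.vielhuber.dev", "vielhuber.dev",
             "a.b.vielhuber.dev", "evilvielhuber.dev"]
    for host, ok in covered_hosts(sans, hosts).items():
        print(f"{host:26} {'covered' if ok else 'NOT covered'}")
    ini = os.path.expanduser("~/.secrets/certbot/cloudflare.ini")
    print("credentials file permissions ok:", credentials_file_ok(ini))
```

Run it before pointing an Apache vhost at the certificate: a project on a second subdomain level would silently fail hostname verification, and a world-readable `cloudflare.ini` hands the zone-editing token to every local user.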
Automatic renewal is also quick to set up. To prevent certbot from running at random times every 12 hours, we first deactivate the default cron script, add our own daily entry, and test the renewal with a dry run:
```shell
sudo mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
( crontab -l 2>/dev/null; echo "0 12 * * * certbot renew --quiet" ) | crontab -
certbot renew --dry-run
```
This is all that is needed. To integrate the certificate into Apache, refer to the files just created in the Apache configuration of your projects (e.g. /etc/apache2/sites-available/project-xy.conf):
```apache
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vielhuber.dev/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vielhuber.dev/privkey.pem
```
After reloading Apache (`sudo systemctl reload apache2`) the certificates are active and you can access your projects at https://project-xy.vielhuber.dev.
With a little initial effort, you can set up a local development environment with real wildcard certificates that is not only realistic but also works seamlessly with modern browsers, APIs, and devices. Thanks to DNS-01 verification, you don't need a publicly accessible server or manual certificate requests – everything is automated, secure, and reliable.