Provide TLS for internal services with Cloudflare

Install the packages

sudo apt install certbot python3-certbot-dns-cloudflare -y

Create a token on Cloudflare

To create an API token in Cloudflare, click on your profile icon in the top right corner.

In the left panel, select "API Tokens", then choose the option to create a custom token.


In the Create Custom Token wizard:

Token name: cf_example.com


Permissions:

Zone → DNS → Edit

Zone → Zone → Read


Zone Resources

Restrict the token to a single zone. If your domain is example.com, select that zone.


Client IP Filtering

Restrict the token to a range or a specific IP, for example 192.168.1.0/24 or 192.168.1.88. Cloudflare rejects API requests made with this token from addresses outside the filter.


Configure the token

mkdir -p ~/.secrets/cloudflare/
vi ~/.secrets/cloudflare/cf_example.com.ini

Add the following line, replacing the_generated_token with the token you just created:

dns_cloudflare_api_token = the_generated_token

Set the permissions so that only your user can read the token:

chmod 700 ~/.secrets/cloudflare
chmod 600 ~/.secrets/cloudflare/cf_example.com.ini

Let it run

sudo certbot certonly --non-interactive --agree-tos --email you@example.com --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare/cf_example.com.ini -d "*.example.com"
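As an added example (not part of the original guide), a small preflight check to run before the certbot command above: it confirms the credentials directory is 700, the file is 600, and the dns_cloudflare_api_token line holds a real value rather than the placeholder. It assumes GNU coreutils (stat -c) and bash; the function name check_cf_credentials is my own.

```bash
#!/usr/bin/env bash
# Preflight check for a certbot dns-cloudflare credentials file.
# Added example, not code from the original page; assumes GNU stat.
# Usage: check_cf_credentials ~/.secrets/cloudflare/cf_example.com.ini
# Exit codes: 0 ok, 1 missing file, 2 bad dir mode, 3 bad file mode, 4 bad token line.

check_cf_credentials() {
    local ini="$1"
    local dir dmode fmode value
    dir="$(dirname "$ini")"

    if [ ! -f "$ini" ]; then
        echo "missing credentials file: $ini" >&2
        return 1
    fi

    # The directory must be 700 so other users cannot list or enter it.
    dmode="$(stat -c '%a' "$dir")"
    if [ "$dmode" != "700" ]; then
        echo "directory $dir has mode $dmode, expected 700" >&2
        return 2
    fi

    # The file must be 600; certbot warns when the token is readable by others.
    fmode="$(stat -c '%a' "$ini")"
    if [ "$fmode" != "600" ]; then
        echo "file $ini has mode $fmode, expected 600" >&2
        return 3
    fi

    # Extract the value of the key the dns-cloudflare plugin reads and make
    # sure the guide's placeholder was actually replaced with a token.
    value="$(sed -n 's/^dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$ini" \
        | head -n 1 | tr -d '[:space:]')"
    if [ -z "$value" ] || [ "$value" = "the_generated_token" ]; then
        echo "no usable dns_cloudflare_api_token line in $ini" >&2
        return 4
    fi

    return 0
}
```

Run it just before certbot; a non-zero exit tells you which of the steps above was skipped.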

Set the DNS records in Cloudflare

For this example we only use an A record.

Select "Add record" and choose A in the type drop-down.

Under Name, insert the subdomain you want.

Under IPv4 address, insert the LAN address, for example 192.168.1.88.

Disable the proxy status (DNS only): Cloudflare's proxy cannot reach a private LAN address, so the record must resolve directly to it.