diff --git a/.gitattributes b/.gitattributes
index 7a0bff3..56bc5ec 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 files/AdGuardHome.yaml filter=git-crypt diff=git-crypt
+files/dns-cloudflare.ini filter=git-crypt diff=git-crypt
diff --git a/deploy.py b/deploy.py
index 63cd72f..08cf2bb 100644
--- a/deploy.py
+++ b/deploy.py
@@ -54,16 +54,28 @@ server.shell(
 commands=['yes | ufw enable'],
 )
-apt.packages(
+server.shell(
 name='Install certbot',
- packages=['certbot'],
- update=False,
+ commands=[
+ 'snap install --classic certbot',
+ 'snap set certbot trust-plugin-with-root=ok',
+ 'snap install certbot-dns-cloudflare'
+ ],
+)
+
+files.put(
+ name='Put certbot-dns-cloudflare config file',
+ src='files/dns-cloudflare.ini',
+ dest='/etc/letsencrypt/dns-cloudflare.ini',
+ mode='400',
 )
 if not host.fact.directory('/etc/letsencrypt/live/dns.benpro.fr'):
 server.shell(
 name='Add certificate',
- commands=['certbot certonly --non-interactive --email certbot@benpro.fr --agree-tos --standalone -d dns.benpro.fr'],
+ commands=[
+ 'certbot certonly --non-interactive --email certbot@benpro.fr --agree-tos --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dns-cloudflare.ini -d dns.benpro.fr,*.dns.benpro.fr --preferred-challenges dns-01'
+ ],
 )
 server.group(
diff --git a/files/dns-cloudflare.ini b/files/dns-cloudflare.ini
new file mode 100644
index 0000000..333bc9a
Binary files /dev/null and b/files/dns-cloudflare.ini differ
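Review bot: The new `files.put` for `/etc/letsencrypt/dns-cloudflare.ini` in deploy.py sets `mode='400'` but names no owner, so who can read the credential depends on the account the deploy connects as; adding `user='root',` and `group='root',` makes the restriction explicit. The file is git-crypt encrypted and its contents are not visible here, so this is a question rather than a finding: if it holds a global API key, a `dns_cloudflare_api_token` limited to DNS edit on the one zone would reduce what a compromise of this host exposes, since the credential now stays on the server for every renewal. In the certbot command the argument `-d dns.benpro.fr,*.dns.benpro.fr` is unquoted, which leaves the `*` open to shell globbing; `-d "dns.benpro.fr,*.dns.benpro.fr"` avoids that. Hosts where `/etc/letsencrypt/live/dns.benpro.fr` already exists skip this branch, so their renewal configuration presumably still uses the standalone authenticator and they never receive the wildcard certificate.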