
Cloudflare Telegram Bot: DNS, SSL, and Blacklist Management

Sys_Bot is a Telegram bot I built for streamlining domain management and security operations. It integrates Cloudflare DNS management, Let’s Encrypt SSL certificate automation with DNS-01 challenges, blacklist management with HMAC-secured API, and user registration with admin approval — all through an intuitive menu-driven Telegram interface. This Cloudflare Telegram bot eliminates the need to log into multiple dashboards for routine infrastructure tasks.

Why a Cloudflare Telegram Bot

Managing DNS records, SSL certificates, and security blacklists across multiple domains means juggling the Cloudflare dashboard, the certbot CLI, and various APIs. I needed a single interface accessible from my phone that my team could also use with proper access control. Telegram was the natural choice — it is always available, it supports file transfers for certificates, and its inline keyboards provide a clean UX.

Core Features

  • Cloudflare DNS — add, update, delete, and list TXT records; restore a domain's record set by fetching the existing records from the Cloudflare API
  • Let’s Encrypt SSL — fully automated certificate issuance: ACME client integration, DNS-01 challenge handling (creates and verifies the TXT records), generation of .key + .cer files, and creation of a PKCS#12 .pfx for IIS import protected by a secure password
  • Blacklist management — view and add domains with HMAC-signed API communication
  • User access control — registration requests, admin approval via inline buttons, role-based access
  • Secure file delivery — .key, .cer, .pfx files sent directly to authorized Telegram users

SSL Certificate Automation

The Let’s Encrypt integration is the most valuable feature. The bot handles the entire ACME flow: creates the DNS-01 challenge TXT record in Cloudflare, waits for propagation, validates with Let’s Encrypt, downloads the certificate, generates a PFX file with a secure password, and sends everything to the requesting admin via Telegram. What used to be a 15-minute manual process is now a single button press.

Technology Stack

  • Runtime: Node.js with Telegraf framework
  • APIs: Cloudflare API (DNS), Let’s Encrypt ACME, custom blacklist API
  • Crypto: node-forge for PFX generation, HMAC signatures for API security
  • Deployment: Docker + Docker Compose
  • Storage: JSON files for domain records, user registrations, and logs

Practical Application

As a Fractional CTO, I manage infrastructure for multiple clients. This bot runs on a central server and handles DNS operations for all managed domains. The access control system means I can grant specific team members the ability to issue certificates or manage DNS without giving them Cloudflare dashboard access — a critical security consideration.

The source code is available upon request. Contact me for access or consulting on infrastructure automation.

FAQ

How does the SSL automation handle DNS propagation?

After creating the TXT record via Cloudflare API, the bot polls DNS resolvers until the record propagates, then triggers ACME validation. The entire process typically completes in 1-3 minutes.

Can multiple users manage different domains?

Yes. The registration system with admin approval allows granular access control. Administrators approve each user via inline Telegram buttons.
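The registration, approval and role checks this answer describes, as an added example in Node.js written in the Telegraf middleware style the bot uses (this is not Sys_Bot's code; the role names, permission strings and the in-memory store with a JSON round-trip are assumptions). Access is denied by default: a user who has only requested access, or whose request was rejected, holds no permission, and only a user with the `users:approve` permission can approve someone else.

```javascript
// Added example (not Sys_Bot's code): deny-by-default registration and role checks.

// Every permission a role holds is listed explicitly; anything not listed is denied.
const ROLE_PERMISSIONS = {
  admin: new Set(['dns:read', 'dns:write', 'ssl:issue', 'blacklist:write', 'users:approve']),
  operator: new Set(['dns:read', 'dns:write', 'ssl:issue']),
  viewer: new Set(['dns:read']),
};

class AccessControl {
  constructor(adminIds = []) {
    this.users = new Map(); // Telegram user id -> { username, status, role, requestedAt }
    for (const id of adminIds) this.users.set(id, { status: 'approved', role: 'admin' });
  }

  // Called from /start or /register: records a pending request once, returns current status.
  requestAccess(userId, username) {
    const existing = this.users.get(userId);
    if (existing) return existing.status;
    this.users.set(userId, { username, status: 'pending', role: null, requestedAt: Date.now() });
    return 'pending';
  }

  // Approval handler behind the admin's inline button: approver must hold users:approve.
  approve(adminId, userId, role) {
    if (!this.can(adminId, 'users:approve')) throw new Error('approver lacks users:approve');
    if (!ROLE_PERMISSIONS[role]) throw new Error(`unknown role ${role}`);
    const current = this.users.get(userId) || {};
    this.users.set(userId, { ...current, status: 'approved', role });
  }

  reject(adminId, userId) {
    if (!this.can(adminId, 'users:approve')) throw new Error('approver lacks users:approve');
    const current = this.users.get(userId);
    if (current) this.users.set(userId, { ...current, status: 'rejected', role: null });
  }

  // The single decision point: unknown, pending, rejected or role-less users get false.
  can(userId, permission) {
    const u = this.users.get(userId);
    if (!u || u.status !== 'approved' || !u.role) return false;
    const perms = ROLE_PERMISSIONS[u.role];
    return Boolean(perms) && perms.has(permission);
  }

  pendingRequests() {
    return [...this.users].filter(([, u]) => u.status === 'pending').map(([id, u]) => ({ id, username: u.username }));
  }

  // Shape used for the bot's JSON-file storage (assumed layout).
  toJSON() { return Object.fromEntries(this.users); }
  static fromJSON(obj) {
    const acl = new AccessControl();
    for (const [id, u] of Object.entries(obj)) acl.users.set(Number(id), u);
    return acl;
  }
}

// Telegraf-style middleware: the command handler behind it only runs for permitted users.
function requirePermission(acl, permission) {
  return async (ctx, next) => {
    const userId = ctx.from && ctx.from.id;
    if (!acl.can(userId, permission)) {
      await ctx.reply('Not authorized for this action.');
      return; // handler never runs
    }
    return next();
  };
}
```

Usage would be `bot.command('issue', requirePermission(acl, 'ssl:issue'), issueHandler)`, with the approval and rejection methods wired to the inline-button callbacks; keeping `can()` as the only place where status and role are interpreted makes the policy easy to audit.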

Is the PFX file secure during transfer?

PFX files are generated with a unique secure password and sent via Telegram’s encrypted transport. The password is communicated separately. Files are not stored on disk after delivery.

Does it support wildcard certificates?

Yes. DNS-01 challenges support wildcard certificates natively, which is one reason this approach was chosen over HTTP-01 validation.

Ilya Arestov — Fractional CTO | Dubai Airport Free Zone (DAFZ), Dubai, UAE | Almaty, Zenkov Street 59, Kazakhstan | +971-585-930-600 | https://t.me/getmonolith