
Beta Branch acmetool.sh 1.0.64 prep Cloudflare API Token support in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Aug 25, 2020.

  1. eva2000

    eva2000 Administrator Staff Member

    45,201
    10,279
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,933
    Local Time:
    9:09 PM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    acmetool.sh 1.0.64 prep Cloudflare API Token support in 123.09beta01

For addons/acmetool.sh letsencrypt SSL cert issuance via the Cloudflare DNS API, add preliminary support for Cloudflare API Tokens instead of using the Cloudflare Account Global API Key. So instead of setting in the persistent config file at /etc/centminmod/custom_config.inc

the CF Global API Key variables
    Code (Text):
    CF_DNSAPI='y'
    CF_KEY='YOUR_CF_GLOBAL_API_KEY'
    CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'

    use instead CF created API Token variables
    Code (Text):
    CF_DNSAPI='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"

    where CF API Tokens require

    1. Create your Cloudflare Token API with permissions for read access to Zone.Zone, and edit/write access to Zone.DNS, across all Zones.
    2. Grab your Cloudflare Account ID from any of your Cloudflare domain's main dashboard's right side column listing


    123.09beta01 branch

     
  2. eva2000

Also added a command option to check that the Cloudflare Global API Key and API Tokens are working, via the acmetool.sh check_cfapi command.

Example when neither the CF Global API Key nor API Tokens are set up in the persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    No Cloudflare Global API Key or API Token detected

    If Cloudflare API Token is set in persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    CF_DNSAPI='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    

    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
    

    If Cloudflare Global API Key is set in persistent config file at /etc/centminmod/custom_config.inc
    Code (Text):
    CF_DNSAPI='y'
    CF_KEY='YOUR_CF_GLOBAL_API_KEY'
    CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'
    

    Code (Text):
    cd /usr/local/src/centminmod/addons
echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    CF Global API Key detected
    Ok: CF Global API works

If both the Cloudflare Global API Key and the Cloudflare API Token are set in the persistent config file at /etc/centminmod/custom_config.inc, then acmetool.sh will use Cloudflare API Tokens
    Code (Text):
    CF_DNSAPI='y'
    # api token
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    # global api key
    CF_KEY='YOUR_CF_GLOBAL_API_KEY'
    CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'

    Code (Text):
    cd /usr/local/src/centminmod/addons
    echo y | ./acmetool.sh check_cfapi
    
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
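The credential precedence shown in the four check_cfapi runs above (API Token wins when both credential sets are present), written out as an added shell example that is not acmetool.sh's own code. It reads a custom_config.inc-style file without sourcing it, reports which credential set would be used, and shows how each type would be verified live against Cloudflare's v4 API (the GET /user/tokens/verify and GET /user endpoints). The placeholder values in the sample configs are constructed, and treating CF_DNSAPI other than 'y' as "no credentials" is this example's assumption, not something the post states.

```shell
#!/bin/sh
# Added example, not acmetool.sh's own code. Mirrors the credential precedence
# described in the post (API Token wins over Global API Key when both are set)
# and shows how each credential type would be verified against Cloudflare's v4 API.
# Gating on CF_DNSAPI='y' is an assumption of this example.

# cf_config_get FILE VAR: print VAR's value from a shell-style config file
# without sourcing it (quotes stripped, commented lines ignored, last assignment wins).
cf_config_get() {
  sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# cf_credential_mode FILE: print "token", "global" or "none".
cf_credential_mode() {
  if [ "$(cf_config_get "$1" CF_DNSAPI)" != "y" ]; then
    echo none; return 0
  fi
  if [ -n "$(cf_config_get "$1" CF_Token)" ] && [ -n "$(cf_config_get "$1" CF_Account_ID)" ]; then
    echo token
  elif [ -n "$(cf_config_get "$1" CF_KEY)" ] && [ -n "$(cf_config_get "$1" CF_EMAIL)" ]; then
    echo global
  else
    echo none
  fi
}

# cf_api_success JSON: succeed when a Cloudflare v4 response envelope has "success": true.
cf_api_success() {
  printf '%s' "$1" | grep -q '"success"[[:space:]]*:[[:space:]]*true'
}

# cf_verify_credentials FILE: live check (needs network). Token mode asks
# /user/tokens/verify about the bearer token itself; Global Key mode fetches /user.
cf_verify_credentials() {
  case "$(cf_credential_mode "$1")" in
    token)
      resp="$(curl -sS -H "Authorization: Bearer $(cf_config_get "$1" CF_Token)" \
        https://api.cloudflare.com/client/v4/user/tokens/verify)" ;;
    global)
      resp="$(curl -sS -H "X-Auth-Email: $(cf_config_get "$1" CF_EMAIL)" \
        -H "X-Auth-Key: $(cf_config_get "$1" CF_KEY)" \
        https://api.cloudflare.com/client/v4/user)" ;;
    *)
      echo "No Cloudflare Global API Key or API Token detected" >&2; return 1 ;;
  esac
  cf_api_success "$resp"
}

# Constructed sample configs (placeholder values, not real credentials).
CF_SAMPLE_BOTH="$(mktemp)"
cat > "$CF_SAMPLE_BOTH" <<'EOF'
CF_DNSAPI='y'
# api token
CF_Token="EXAMPLE_TOKEN_PLACEHOLDER"
CF_Account_ID="EXAMPLE_ACCOUNT_ID_PLACEHOLDER"
# global api key
CF_KEY='EXAMPLE_GLOBAL_KEY_PLACEHOLDER'
CF_EMAIL='admin@example.com'
EOF
CF_SAMPLE_GLOBAL="$(mktemp)"
cat > "$CF_SAMPLE_GLOBAL" <<'EOF'
CF_DNSAPI='y'
CF_KEY='EXAMPLE_GLOBAL_KEY_PLACEHOLDER'
CF_EMAIL='admin@example.com'
EOF
CF_SAMPLE_NONE="$(mktemp)"
printf "CF_DNSAPI='y'\n" > "$CF_SAMPLE_NONE"

for f in "$CF_SAMPLE_BOTH" "$CF_SAMPLE_GLOBAL" "$CF_SAMPLE_NONE"; do
  echo "$f -> $(cf_credential_mode "$f")"
done
# cf_verify_credentials /etc/centminmod/custom_config.inc   # real config, needs network
```

The config is parsed with sed rather than sourced so that a check script can be pointed at a file it does not trust to execute; the Global Key path is kept only for completeness, since the token path is the one whose blast radius is limited to the zones and permissions the token was scoped to.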
     
  3. hazehs

    hazehs New Member

    25
    1
    3
    Jul 18, 2020
    Ratings:
    +5
    Local Time:
    11:09 AM
    NGINX 1.18
    MariaDB 10.4
    Nice Update! Finally :p

How can I reissue the cert of an existing vhost?
I think I know how it works, but I don't want to break anything.

I have tried it with acme-menu and number 9: Renew ALL LIVE Certs HTTPS Default.
But it is not using the DNS.
When I test it with the echo command everything is okay.
Where is the problem?

    regards.
     
  4. hazehs

Tried on another server, created a new vhost and successfully created the letsencrypt cert with DNS mode.
Don't know why reissuing doesn't work.
     
  5. eva2000

    The check is just a check that Cloudflare API credentials are working and not a check that letsencrypt DNS validation is working.

This doesn't work in acme menu mode and only works with the specific Cloudflare API DNS mode for certonly-issue mode, i.e. standalone mode outside of any centmin.sh menu option 2, 22 or nv methods, so it's not intended for the usage you expected with centmin.sh menu option 2, 22 or nv.

    certonly-issue mode outlined here
     
  6. hazehs

    Okay mhm.

I created a new WordPress vhost with Centmin menu 22, and there it worked with DNS mode and successfully got the cert.

    But thanks for answer!
     
  7. eva2000

Actually you're right, centmin.sh menu option 22 does support CF DNS API mode :) :oops: Don't remember how though - it's been a while - actually not too sure, as I don't see it in the acmetool.sh code I wrote. Guess I will need to look it over again :)

You can verify the letsencrypt acme.sh client's domain validation method via this command. Replace yourdomain.com in the domain= variable with your WordPress domain and see what the output is
Code (Text):
domain=yourdomain.com
cat /root/.acme.sh/$domain/$domain.conf | grep Le_Webroot
    

Output for traditional webroot domain authentication, not CF DNS, would be
Code (Text):
cat /root/.acme.sh/$domain/$domain.conf | grep Le_Webroot
Le_Webroot='/home/nginx/domains/yourdomain.com/public'


If using CF DNS mode, it would return the value dns_cf
    Code (Text):
    cat /root/.acme.sh/$domain/$domain.conf | grep Le_Webroot
    Le_Webroot='dns_cf'
    
     
    Last edited: Aug 26, 2020
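The Le_Webroot check from the post above, as an added shell example that is neither acme.sh's nor acmetool.sh's own code. It reads Le_Webroot from acme.sh's per-domain conf and classifies the validation method, and it goes slightly beyond the post: acme.sh stores one comma-separated Le_Webroot entry per name in the cert, so each entry is classified, and the value no (which this example assumes acme.sh writes when no webroot was used, e.g. standalone mode) is labelled as such. The sample conf files are constructed and contain only a few of acme.sh's keys.

```shell
#!/bin/sh
# Added example, not acme.sh's or acmetool.sh's own code. Reads Le_Webroot from
# acme.sh's per-domain conf and classifies how the domain was validated.

# acme_conf_path DOMAIN: the conf path used in the post (/root/.acme.sh/<domain>/<domain>.conf).
acme_conf_path() {
  printf '/root/.acme.sh/%s/%s.conf\n' "$1" "$1"
}

# acme_validation_method CONF: print one space-separated label per Le_Webroot entry:
#   dns:<plugin>    DNS-01 via an acme.sh dns plugin (dns_cf = Cloudflare DNS API)
#   webroot:<path>  HTTP-01 challenge files written under a webroot
#   standalone      assumption of this example: acme.sh records 'no' when no webroot was used
#   unknown         Le_Webroot missing or empty
acme_validation_method() {
  webroot="$(sed -n "s/^Le_Webroot=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1)"
  [ -n "$webroot" ] || { echo unknown; return 0; }
  out=""
  old_ifs="$IFS"; IFS=,
  for entry in $webroot; do
    case "$entry" in
      dns_*) label="dns:$entry" ;;
      /*)    label="webroot:$entry" ;;
      no)    label="standalone" ;;
      *)     label="other:$entry" ;;
    esac
    out="$out${out:+ }$label"
  done
  IFS="$old_ifs"
  printf '%s\n' "$out"
}

# acme_uses_cf_dns CONF: succeed when any name in the cert was validated through dns_cf.
acme_uses_cf_dns() {
  case " $(acme_validation_method "$1") " in
    *" dns:dns_cf "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample conf files (a minimal subset of acme.sh's keys).
ACME_SAMPLE_WEBROOT="$(mktemp)"
cat > "$ACME_SAMPLE_WEBROOT" <<'EOF'
Le_Domain='yourdomain.com'
Le_Alt='no'
Le_Webroot='/home/nginx/domains/yourdomain.com/public'
EOF
ACME_SAMPLE_DNS="$(mktemp)"
cat > "$ACME_SAMPLE_DNS" <<'EOF'
Le_Domain='yourdomain.com'
Le_Alt='no'
Le_Webroot='dns_cf'
EOF
ACME_SAMPLE_MIXED="$(mktemp)"
cat > "$ACME_SAMPLE_MIXED" <<'EOF'
Le_Domain='example.com'
Le_Alt='www.example.com'
Le_Webroot='dns_cf,/home/nginx/domains/example.com/public'
EOF

for f in "$ACME_SAMPLE_WEBROOT" "$ACME_SAMPLE_DNS" "$ACME_SAMPLE_MIXED"; do
  echo "$f -> $(acme_validation_method "$f")"
done
# Real usage: acme_validation_method "$(acme_conf_path yourdomain.com)"
```

Running acme_uses_cf_dns across every conf under /root/.acme.sh is a quick way to confirm which certs on a server will need the Cloudflare credentials at renewal time, which is the distinction the reply above draws between the check_cfapi credential test and an actual DNS validation.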
  8. hazehs

Mhm, it calls the traditional method.

But I'm sure when issuing the vhost, it called something with DNS API mode...
     
  9. hazehs

My bad. Sorry. I just looked at it wrong. It was done with http-01.

But maybe there is a possibility to integrate this in vhost creation. Would be nice, I think.

    Regards.
     
  10. eva2000

    Yes that is the long term plan to integrate with centmin.sh menu option 2, 22 and nv command. This update is one step closer to it :)

I didn't do it originally as I'm not fond of promoting using the Cloudflare Global API key, which is CF account wide. The acme.sh client only supported the CF Global API key initially, which means if your server is compromised and an attacker finds your CF Global API key, they would have full control over all domains within your CF account !!!! But now that the acme.sh client supports CF API Tokens, you can restrict permissions to just DNS (yes, still bad, but not as bad as full CF account control).
     
  11. hazehs

Yeah, that's bullshit, or just use one domain per mail. That's how I handle it, easy.
But using the global key is bullshit, yep.
     
  12. eva2000

The other thing to consider is what if the intended Nginx domain you want letsencrypt for is on a different Cloudflare account from a previous or future domain? As the acme.sh client which acmetool.sh uses only really supports one Cloudflare account at a time, as far as I know. So that's one thing to consider versus the default web root authentication that is used right now.

Personally, I have a lot of domains spread across different Cloudflare accounts, so there's a chance of a Centmin Mod server hosting some domains that belong to more than one Cloudflare account. Though the CF API Token seems to support multiple Cloudflare accounts if you create the CF API Token from a CF account which has been invited with admin access to multiple CF accounts.