Beta Branch acmetool.sh 1.0.64 prep Cloudflare API Token support in 123.09beta01

acmetool.sh 1.0.64 prep Cloudflare API Token support in 123.09beta01

For addons/acmetool.sh letsencrypt ssl cert issuance via Cloudflare DNS API, add preliminary support for Cloudflare API Tokens instead of using Cloudflare Account Global API Key. So instead of setting in persistent config file at /etc/centminmod/custom_config.inc

for CF Global API Key the variables

Code (Text):

CF_DNSAPI='y'
CF_KEY='YOUR_CF_GLOBAL_API_KEY'
CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'

use instead CF created API Token variables

Code (Text):

CF_DNSAPI='y'
CF_Token="YOUR_CF_TOKEN"
CF_Account_ID="YOUR_CF_ACCOUNT_ID"

where CF API Tokens require

1. Create your Cloudflare Token API with permissions for read access to Zone.Zone, and edit/write access to Zone.DNS, across all Zones.
2. Grab your Cloudflare Account ID from any of your Cloudflare domain's main dashboard's right side column listing

Continue reading...

123.09beta01 branch

• Branch: centminmod/centminmod
• Commit History: centminmod/centminmod

 

Also added a command option to check Cloudflare Global API key and API Tokens are working via acmetool.sh check_cfapi command.

Example when neither CF Globale API Key or API Tokens are setupin persistent config file at /etc/centminmod/custom_config.inc

Code (Text):

cd /usr/local/src/centminmod/addons
echo y | ./acmetool.sh check_cfapi

Verifying working Cloudflare DNS API Credentials
No Cloudflare Global API Key or API Token detected

If Cloudflare API Token is set in persistent config file at /etc/centminmod/custom_config.inc

Code (Text):

CF_DNSAPI='y'
CF_Token="YOUR_CF_TOKEN"
CF_Account_ID="YOUR_CF_ACCOUNT_ID"

Code (Text):

cd /usr/local/src/centminmod/addons
echo y | ./acmetool.sh check_cfapi

Verifying working Cloudflare DNS API Credentials
CF API Tokens detected
Ok: CF API Token works

If Cloudflare Global API Key is set in persistent config file at /etc/centminmod/custom_config.inc

Code (Text):

CF_DNSAPI='y'
CF_KEY='YOUR_CF_GLOBAL_API_KEY'
CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'

Code (Text):

cd /usr/local/src/centminmod/addons
echo y | ./acmetool.sh check_cfapi       

Verifying working Cloudflare DNS API Credentials
CF Global API Key detected
Ok: CF Global API works

If Both Cloudflare Global API key and Cloudflare API Token are set in persistent config file at /etc/centminmod/custom_config.inc, then acmetool.sh will use Cloudflare API Tokens

Code (Text):

CF_DNSAPI='y'
# api token
CF_Token="YOUR_CF_TOKEN"
CF_Account_ID="YOUR_CF_ACCOUNT_ID"
# global api key
CF_KEY='YOUR_CF_GLOBAL_API_KEY'
CF_EMAIL='YOUR_CF_ACCOUNT_EMAIL'

Code (Text):

cd /usr/local/src/centminmod/addons
echo y | ./acmetool.sh check_cfapi

Verifying working Cloudflare DNS API Credentials
CF API Tokens detected
Ok: CF API Token works

 

The check is just a check that Cloudflare API credentials are working and not a check that letsencrypt DNS validation is working.

This doesn't work in acme menu mode and only works with specific Cloudflare API DNS Mode for certonly-issue mode for standalone mode outside of any centmin.sh menu option 2, 22 or nv methods so not intended for your what you expected usage for centmin.sh menu option 2, 22 or nv

certonly-issue mode outlined here

 

actually you're right centmin.sh menu option 22 does support CF DNS API mode Don't remember how though - it's been a while - actually not too sure as I don't see it in acmetool.sh code I wrote. Guess will need to look it over again

You can verify letsencrypt acme.sh client's domain validation method via this command replace yourdomain.com in domain= variable with your wordpress domain and see what the output is

Code (Text):

domain=yourdomain.com
cat /root/.acme.sh/$domain/$domain.conf | grep Le_Webroot                                  

output for traditional webroot domain authentication and not CF DNS would return output

Code (Text):

cat /root/.acme.sh/$domain/$domain.conf | grep Le_Webroot                                  
Le_Webroot='/home/nginx/domains/yourdomain.com/public'

If using CF DNS mode would return a value = dns_cf

Code (Text):

cat /root/.acme.sh/$domain/$domain.conf | grep Le_Webroot
Le_Webroot='dns_cf'

 

Yes that is the long term plan to integrate with centmin.sh menu option 2, 22 and nv command. This update is one step closer to it

I didn't do it originally as I'm not fond of promoting using Cloudflare Global API key which is CF account wide. acme.sh client only supported CF Global API key initially which mean if your server is compromised and attacker finds your CF Global API key, they would have full control over all domains within your CF Account !!!! But now that acme.sh client supports CF API Tokens, you can restrict permissions to just DNS (yes still bad not as bad as full CF account control).

 

The other thing to consider is what if the intended Nginx domain you want letsencrypt for is on different Cloudflare accounts from a previous or future domain ? As acme.sh client which acmetool.sh uses only really supports one Cloudflare account at a time as far as I know. So that's one thing to consider versus using default web root authentication that is used right now.

Personally, I have a lot of domains spread across different Cloudflare accounts so there's a chance a Centmin Mod server hosting some domains that belong to more than one Cloudflare account. Though CF API Token seems to support multiple Cloudflare accounts if you create the CF API Token from a CF account which has invited admin access to multiple CF accounts.