
Letsencrypt Cloudflare Get Free Letsencrypt SSL Certificates via Cloudflare DNS API Domain Verification

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Apr 12, 2022.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Instead of the default webroot URL authentication, addons/acmetool.sh now also supports full Cloudflare DNS API domain validation for Letsencrypt SSL certificate issuance, which can be optionally enabled when the Cloudflare API Token variables are set in the persistent config file at /etc/centminmod/custom_config.inc. Existing users need to run the cmupdate command to get the updated addons/acmetool.sh, then add these 3 variables to their persistent config file at /etc/centminmod/custom_config.inc (create the file if it doesn't already exist).
    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"



    Cloudflare API Tokens require you to create your Cloudflare API Token with permissions for read access to Zone.Zone and edit/write access to Zone.DNS across all Zones at https://dash.cloudflare.com/profile/api-tokens, and to grab your Cloudflare Account ID from the right side column of any of your Cloudflare domains' main dashboard.

    [image: cf-zone-id-account-id-01.png]

    [image: cf-api-tokens-acme.sh-dns-00.png]

    You can also lock down the Cloudflare API Token using Client IP Address Filtering, so when you create the Cloudflare API Token you can list your domain's IPv4 and, if applicable, IPv6 server IP addresses. This will only allow the Cloudflare API Token you created to work on that specific server(s). If you have more than one server, you'd need to add those servers' IPv4 and IPv6 addresses too.

    Only one Cloudflare Account is supported, so intended domains need to be within the same Cloudflare Account, unless you have a Cloudflare Account with invited administrator access to other Cloudflare Accounts and you can generate the CF API Token to include access to those other Cloudflare Accounts.
     
    Last edited: Apr 12, 2022
  2. eva2000

    eva2000 Administrator Staff Member

    If using Cloudflare DNS API validation and you get errors for an invalid domain when Letsencrypt is doing domain validation, ensure you created your Cloudflare API Token with permissions for all your domain zones and not just specific domain zones. You can manually verify whether the created Cloudflare API Token has permissions to add TXT DNS records for your domain using the manual curl commands below to add a test TXT DNS record and verify the test TXT DNS record. You can then delete the test TXT DNS record from the Cloudflare DNS dashboard.

    Manual testing: first populate these 4 variables with your relevant values, then type the commands over SSH as the root user on the Centmin Mod server
    Code (Text):
    # same value as your CF_Token you set in persistent config file
    cftoken='your_cf_api_token'
    domain_hostname='your_domain_name_without_www'
    txtmsg='your_txt_msg'
    

    Then type these commands to create test TXT DNS record and verify it
    Code (Text):
    # get zoneid for domain_hostname
    cfzoneid=$(curl -4sX GET "https://api.cloudflare.com/client/v4/zones/?name=${domain_hostname}&status=active&page=1&per_page=100&order=status&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r --arg d "${domain_hostname}" '.result[] | select(.name == $d) | .id')

    # create test TXT DNS record
    curl -4sX POST "https://api.cloudflare.com/client/v4/zones/${cfzoneid}/dns_records" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" --data "{\"type\":\"TXT\",\"name\":\"$domain_hostname\",\"content\":\"$txtmsg\",\"ttl\":120,\"proxied\":false}" | jq 'del(.result.zone_id)'

    # verify test TXT DNS record
    curl -4sX GET "https://api.cloudflare.com/client/v4/zones/${cfzoneid}/dns_records?type=TXT&name=${domain_hostname}&page=1&per_page=100&order=type&direction=desc&match=all" -H Content-Type:application/json -H "Authorization: Bearer $cftoken" | jq -r '.result[] | {id: .id, name: .name, type: .type, content: .content, proxiable: .proxiable, proxied: .proxied}'

    Post the output for both of the curl commands in CODE/CODEB bbcode tags.

    Further troubleshooting for Cloudflare DNS API Letsencrypt domain validation is to check that the SAVED_CF_Token value was updated/correct in the acme.sh client's /root/.acme.sh/account.conf config file and matches what the CF_Token variable is set to in the persistent config file at /etc/centminmod/custom_config.inc.

    You can inspect its contents filtered for the SAVED_CF keyword using the command
    Code (Text):
    grep SAVED_CF /root/.acme.sh/account.conf

    No need to post the contents, just verify that SAVED_CF_Token is correct, SAVED_CF_Account_ID is correct and the SAVED_CF_ZONE_ID variable is empty with no value
     
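One way to script the two consistency checks above (the three persistent-config variables from the first post and the SAVED_CF_* comparison from the troubleshooting step), as an added example that is not part of the thread or of addons/acmetool.sh; the function names, the argument-based file paths and the placeholder token values are assumptions, and it does not touch the Cloudflare API.

```shell
# Added example, not part of the thread or of addons/acmetool.sh: compare the
# CF_* variables from the persistent config with the SAVED_CF_* values acme.sh
# keeps in account.conf, as the troubleshooting step above describes.
# Paths are arguments so the check can run against copies of the files.
# cf_var FILE NAME: value of NAME='..' or NAME=".." in FILE (last match wins).
cf_var() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 |
        sed -E "s/^[[:space:]]*$2=//; s/^['\"]//; s/['\"][[:space:]]*$//"
}

# cf_acme_check CUSTOM_CONFIG ACCOUNT_CONF: returns 0 when the config enables
# the DNS API, the token and account id match what acme.sh saved, and
# SAVED_CF_ZONE_ID is empty; otherwise prints each problem and returns 1.
cf_acme_check() {
    local cfg="$1" acct="$2" rc=0
    local enabled token account saved_token saved_account saved_zone
    enabled=$(cf_var "$cfg" CF_DNSAPI_GLOBAL)
    token=$(cf_var "$cfg" CF_Token)
    account=$(cf_var "$cfg" CF_Account_ID)
    saved_token=$(cf_var "$acct" SAVED_CF_Token)
    saved_account=$(cf_var "$acct" SAVED_CF_Account_ID)
    saved_zone=$(cf_var "$acct" SAVED_CF_ZONE_ID)
    [ "$enabled" = "y" ] || { echo "CF_DNSAPI_GLOBAL is not 'y' in $cfg"; rc=1; }
    [ -n "$token" ] || { echo "CF_Token is empty in $cfg"; rc=1; }
    [ "$token" = "$saved_token" ] || { echo "SAVED_CF_Token in $acct differs from CF_Token (stale token?)"; rc=1; }
    [ "$account" = "$saved_account" ] || { echo "SAVED_CF_Account_ID in $acct differs from CF_Account_ID"; rc=1; }
    [ -z "$saved_zone" ] || { echo "SAVED_CF_ZONE_ID is set to '$saved_zone' but should be empty"; rc=1; }
    return "$rc"
}

# Constructed sample files with placeholder values (no real tokens) showing
# one matching and one stale account.conf.
tmp=$(mktemp -d)
cat > "$tmp/custom_config.inc" <<'EOF'
CF_DNSAPI_GLOBAL='y'
CF_Token="PLACEHOLDER_CF_TOKEN"
CF_Account_ID="PLACEHOLDER_CF_ACCOUNT_ID"
EOF
cat > "$tmp/account_ok.conf" <<'EOF'
SAVED_CF_Token='PLACEHOLDER_CF_TOKEN'
SAVED_CF_Account_ID='PLACEHOLDER_CF_ACCOUNT_ID'
SAVED_CF_ZONE_ID=''
EOF
cat > "$tmp/account_stale.conf" <<'EOF'
SAVED_CF_Token='OLD_ROTATED_TOKEN'
SAVED_CF_Account_ID='PLACEHOLDER_CF_ACCOUNT_ID'
SAVED_CF_ZONE_ID='PLACEHOLDER_ZONE_ID'
EOF
cf_acme_check "$tmp/custom_config.inc" "$tmp/account_ok.conf" && echo "account_ok.conf: matches"
cf_acme_check "$tmp/custom_config.inc" "$tmp/account_stale.conf" || echo "account_stale.conf: problems found"
```

On a real server you would pass /etc/centminmod/custom_config.inc and /root/.acme.sh/account.conf as the two arguments.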