forked from TrueCloudLab/lego
78 lines
3.2 KiB
TOML
78 lines
3.2 KiB
TOML
Name = "Cloudflare"
|
|
Description = ''''''
|
|
URL = "https://www.cloudflare.com/dns/"
|
|
Code = "cloudflare"
|
|
Since = "v0.3.0"
|
|
|
|
Example = '''
|
|
CLOUDFLARE_EMAIL=foo@bar.com \
|
|
CLOUDFLARE_API_KEY=b9841238feb177a84330febba8a83208921177bffe733 \
|
|
lego --email myemail@example.com --dns cloudflare --domains my.example.org run
|
|
|
|
# or
|
|
|
|
CLOUDFLARE_DNS_API_TOKEN=1234567890abcdefghijklmnopqrstuvwxyz \
|
|
lego --email myemail@example.com --dns cloudflare --domains my.example.org run
|
|
'''
|
|
|
|
Additional = '''
|
|
## Description
|
|
|
|
You may use `CF_API_EMAIL` and `CF_API_KEY` to authenticate, or `CF_DNS_API_TOKEN`, or `CF_DNS_API_TOKEN` and `CF_ZONE_API_TOKEN`.
|
|
|
|
### API keys
|
|
|
|
If using API keys (`CF_API_EMAIL` and `CF_API_KEY`), the Global API Key needs to be used, not the Origin CA Key.
|
|
|
|
Please be aware, that this in principle allows Lego to read and change *everything* related to this account.
|
|
|
|
### API tokens
|
|
|
|
With API tokens (`CF_DNS_API_TOKEN`, and optionally `CF_ZONE_API_TOKEN`),
|
|
very specific access can be granted to your resources at Cloudflare.
|
|
See this [Cloudflare announcement](https://blog.cloudflare.com/api-tokens-general-availability/) for details.
|
|
|
|
The main resources Lego cares for are the DNS entries for your Zones.
|
|
It also need to resolve a domain name to an internal Zone ID in order to manipulate DNS entries.
|
|
|
|
Hence, you should create an API token with the following permissions:
|
|
|
|
* Zone / Zone / Read
|
|
* Zone / DNS / Edit
|
|
|
|
You also need to scope the access to all your domains for this to work.
|
|
Then pass the API token as `CF_DNS_API_TOKEN` to Lego.
|
|
|
|
**Alternatively,** if you prefer a more strict set of privileges,
|
|
you can split the access tokens:
|
|
|
|
* Create one with *Zone / Zone / Read* permissions and scope it to all your zones.
|
|
This is needed to resolve domain names to Zone IDs and can be shared among multiple Lego installations.
|
|
Pass this API token as `CF_ZONE_API_TOKEN` to Lego.
|
|
* Create another API token with *Zone / DNS / Edit* permissions and set the scope to the domains you want to manage with a single Lego installation.
|
|
Pass this token as `CF_DNS_API_TOKEN` to Lego.
|
|
* Repeat the previous step for each host you want to run Lego on.
|
|
|
|
This "paranoid" setup is mainly interesting for users who manage many zones/domains with a single Cloudflare account.
|
|
It follows the principle of least privilege and limits the possible damage, should one of the hosts become compromised.
|
|
'''
|
|
|
|
[Configuration]
|
|
[Configuration.Credentials]
|
|
CF_API_EMAIL = "Account email"
|
|
CF_API_KEY = "API key"
|
|
CF_DNS_API_TOKEN = "API token with DNS:Edit permission (since v3.1.0)"
|
|
CF_ZONE_API_TOKEN = "API token with Zone:Read permission (since v3.1.0)"
|
|
CLOUDFLARE_EMAIL = "Alias to CF_API_EMAIL"
|
|
CLOUDFLARE_API_KEY = "Alias to CF_API_KEY"
|
|
CLOUDFLARE_DNS_API_TOKEN = "Alias to CF_DNS_API_TOKEN"
|
|
CLOUDFLARE_ZONE_API_TOKEN = "Alias to CF_ZONE_API_TOKEN"
|
|
[Configuration.Additional]
|
|
CLOUDFLARE_POLLING_INTERVAL = "Time between DNS propagation check"
|
|
CLOUDFLARE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
|
|
CLOUDFLARE_TTL = "The TTL of the TXT record used for the DNS challenge"
|
|
CLOUDFLARE_HTTP_TIMEOUT = "API request timeout"
|
|
|
|
[Links]
|
|
API = "https://api.cloudflare.com/"
|
|
GoClient = "https://github.com/cloudflare/cloudflare-go"
|