Is Cloudflare dnsapi a replacement for Letsencrypt?

I have a number of domains registered at Fasthosts with DNS A records pointing to external servers. Using Letsencrypt my only option was:

certbot certonly … --manual --preferred-challenges dns-01

… which involved manually adding the generated _acme-challenge values into the DNS control panel at Fasthosts. With a growing number of domains this became laborious, so I moved the domains to Cloudflare DNS hoping to automate the TXT record modifications. I found dns_cf.sh at https://github.com/acmesh-official/acme.sh/tree/master/dnsapi but I can’t work out how this can be used to work with my certbot process. Is it even a complete replacement for certbot/Letsencrypt?

It is not a replacement for Let's Encrypt, as it will still get Let's Encrypt certificates issued.

It is however a “replacement” for Certbot in the sense that it does the same, but does not require Python and runs straight off a Unix shell.

As far as the DNS API you linked to is concerned, there is a plugin for Cloudflare at https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_cf.sh, with a detailed explanation at https://github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option.


I still don’t quite get how dns_cf.sh can be used for automation as the # usage line reads:

add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"

… which implies that you have to generate the challenge string before you can call the script. What use is that for automation?

I discovered python2-certbot-dns-cloudflare for CentOS 7 but I still can’t automate this as the process is a variant of certbot certonly which is manual/interactive.

The acme.sh client can automate Letsencrypt SSL cert issuance via CF and other supported DNS providers’ APIs. I added acme.sh client support for my own Centmin Mod LEMP stack’s Nginx HTTPS/Letsencrypt automation via my addons/acmetool.sh wrapper script, which can support both acme.sh’s webroot and CF DNS API issuance: https://centminmod.com/acmetool/

Example for CF DNS API issuance at https://community.centminmod.com/threads/official-acmetool-sh-testing-thread-for-centmin-mod-123-09beta01.8290/page-6#post-35135

./acmetool.sh certonly-issue acme9.domain1.com

-----------------------------------------------------------
[DNS mode] issue & install letsencrypt ssl certificate for acme9.domain1.com
-----------------------------------------------------------
/root/.acme.sh/acme.sh --staging --issue --dns dns_cf -d acme9.domain1.com -k 2048 --useragent centminmod-centos7-acmesh-dns
[Wed Aug 24 02:52:12 UTC 2016] Using stage api:https://acme-staging.api.letsencrypt.org
[Wed Aug 24 02:52:15 UTC 2016] Skip register account key
[Wed Aug 24 02:52:15 UTC 2016] Creating domain key
[Wed Aug 24 02:52:15 UTC 2016] Use length 2048
[Wed Aug 24 02:52:15 UTC 2016] Using RSA: 2048
[Wed Aug 24 02:52:16 UTC 2016] Single domain='acme9.domain1.com'
[Wed Aug 24 02:52:16 UTC 2016] Verify each domain
[Wed Aug 24 02:52:16 UTC 2016] Getting webroot for domain='acme9.domain1.com'
[Wed Aug 24 02:52:16 UTC 2016] Getting token for domain='acme9.domain1.com'
[Wed Aug 24 02:52:22 UTC 2016] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Wed Aug 24 02:52:24 UTC 2016] Adding record
[Wed Aug 24 02:52:25 UTC 2016] Added, sleeping 10 seconds
[Wed Aug 24 02:52:35 UTC 2016] Sleep 120 seconds for the txt records to take effect
[Wed Aug 24 02:54:35 UTC 2016] Verifying:acme9.domain1.com
[Wed Aug 24 02:54:46 UTC 2016] Success
[Wed Aug 24 02:54:46 UTC 2016] Verify finished, start to sign.
[Wed Aug 24 02:54:50 UTC 2016] Cert success.
-----BEGIN CERTIFICATE-----
MIIE7zCCA9egAwIBAgITAPoKDlcK8Dk/+aRR0yK19g/KFzANBgkqhkiG9w0BAQsF
...
F0fdQEY3Yy/bZ25S1N7pM+p7Cg==
-----END CERTIFICATE-----
[Wed Aug 24 02:54:50 UTC 2016] Your cert is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.cer
[Wed Aug 24 02:54:50 UTC 2016] Your cert key is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.key
[Wed Aug 24 02:54:51 UTC 2016] The intermediate CA cert is in  /root/.acme.sh/acme9.domain1.com/ca.cer
[Wed Aug 24 02:54:51 UTC 2016] And the full chain certs is there:  /root/.acme.sh/acme9.domain1.com/fullchain.cer

---------------------------------
DNS mode via Cloudflare DNS API
---------------------------------
setup TXT DNS record via Cloudflare API
Using stage api:https://acme-staging.api.letsencrypt.org
Skip register account key
Creating domain key
Use length 2048
Using RSA: 2048
Single domain='acme9.domain1.com'
Verify each domain
Getting webroot for domain='acme9.domain1.com'
Getting token for domain='acme9.domain1.com'
Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
Adding record
Added, sleeping 10 seconds
Sleep 120 seconds for the txt records to take effect
Verifying:acme9.domain1.com
Success
Verify finished, start to sign.
Cert success.
-----BEGIN CERTIFICATE-----
MIIE7zCCA9egAwIBAgITAPoKDlcK8Dk/+aRR0yK19g/KFzANBgkqhkiG9w0BAQsF
...
F0fdQEY3Yy/bZ25S1N7pM+p7Cg==
-----END CERTIFICATE-----
Your cert is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.cer
Your cert key is in  /root/.acme.sh/acme9.domain1.com/acme9.domain1.com.key
The intermediate CA cert is in  /root/.acme.sh/acme9.domain1.com/ca.cer
And the full chain certs is there:  /root/.acme.sh/acme9.domain1.com/fullchain.cer

As you can see, the CF DNS API adds the challenge TXT record automatically for verification:


The acme.sh client is a solid client that I have been using for my Centmin Mod Nginx Letsencrypt integration for nearly 4 years now :slight_smile:

I am not sure where you took that idea from. That script fetches the string from Let's Encrypt and then saves it on Cloudflare.

Did you read the documentation I linked to? It is actually pretty short and yet describes the exact steps to have a certificate issued in the context of Cloudflare.

