Minimum permissions required for letsencrypt certbot

breakaway · September 27, 2019, 12:32am

I am using cerbot - with the “–dns-cloudflare” plugin in order to use DNS verification to generate certificates.

I tried setting up a new API Token (not API Key) with edit zone permissions to the domain that I am using, however this does not work. When I put in my Global API Key - that works.

This seems somewhat insecure considering this key has access across my entire account.

Can anything be done to make certbot work with a API Token that is specific to that domain that I am trying to get a certificate for?

adaptive · September 27, 2019, 1:02am

The issue has been reported to certbot team

github.com/certbot/certbot

dns-cloudflare: Support API tokens

opened 11:58PM - 16 Jul 19 UTC

closed 11:25PM - 24 Jan 20 UTC

judge2020

feature request has pr area: dns

As per [this comment by Cloudflare staff](https://community.cloudflare.com/t/res…tricted-api-keys/13647/100?u=judge), the new API keys functionality is in open beta. The feature allows creating multiple separate API tokens for each application with fine-grain permissions the user can apply. I recommend support for these new tokens be added to Certbot. This feature uses a new authorization method: bearer tokens (specifically `Authorization: bearer :token`). ![](https://i.judge.sh/Tempest/qUYTibMu.png) Due to the change in the authentication method, certbot will have to account for users who were using the global API key previously, and users who want to use the global API key when setting up dns-cloudflare for the first time (since it's still in beta, I recommend keeping Global API key support). I made a PR for changing the API tokens link about a month ago - #7052 - and while that is still the correct URL (even now for the Global API key) more text or instruction is probably needed to have the user choose either the global API key or one of the new API tokens.

system · October 27, 2019, 1:06am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Judge · January 25, 2020, 1:59am

Certbot API tokens have been approved, slated for v1.2.0 https://github.com/certbot/certbot/pull/7583#pullrequestreview-348233049

Topic		Replies	Views
Permissions too open for our API? Feature Request Submitting & Feedback	2	2520	February 25, 2020
Which kind of API token for Letsencrypt certbot? DNS & Network	2	14507	April 11, 2021
Certbot-auto with API token issue DNS & Network	2	5115	April 17, 2020
New User - Can't create API token API	1	4203	September 3, 2020
Secure automated certbot DNS-01 validation? DNS & Network Account	5	3518	October 19, 2019

Minimum permissions required for letsencrypt certbot

Related topics