Unique nameserver combinations per site?

@accounts38 this is what I have come up with from discussions here with @matteo: you could disable Universal SSL before the domain DNS name server update via the CF API. I used these pages as the basis for the CF API commands below.

Install jq yum package

Assuming CentOS/Redhat though should have similar command for your OS distro

yum -y install jq

Setup environmental variables

For Cloudflare account email, api key and domain zoneid. For zoneid will need to look at result.txt file further below

export CF_API_EMAIL=you@example.com
export CF_API_KEY=abc123def456ghi789
export CF_ZONEID=yourzoneid

Setup domains.txt file with one domain per line for domains you intend to setup initially for Cloudflare account

mkdir -p /root/tools/cfdomains
cd /root/tools/cfdomains
touch domains.txt

contents of domains.txt file

yourdomain.com
yourdomain2.com

Add domains via CF API

Add domains in domains.txt to your Cloudflare account and populate JSON output into result.txt text file

# read one domain per line; quote the value so it reaches the JSON body intact
while IFS= read -r domain; do
  curl -X POST -H "X-Auth-Key: $CF_API_KEY" -H "X-Auth-Email: $CF_API_EMAIL" \
  -H "Content-Type: application/json" \
  "https://api.cloudflare.com/client/v4/zones" \
  --data '{"name":"'"$domain"'","jump_start":true}' | tee -a result.txt
done < domains.txt

pretty json output for populated result.txt file

cat result.txt | jq .

Just get nameservers required for updating for those added domains. DO NOT update domain nameservers to Cloudflare yet but disable Universal SSL first via CF API

cat result.txt | jq -r ".result.name_servers[]" | head -n2 
andy.ns.Cloudflare.com
fay.ns.Cloudflare.com

Get zoneid and domain name

cat result.txt | jq -r '.result | "\(.id) \(.name)"'
zoneid yourdomain.com
zoneid yourdomain2.com

Disable Universal SSL

Before changing domain’s name servers to Cloudflare, you need to disable Universal SSL.

get current universal ssl setting status/state

curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/ssl/universal/settings" \
-H "X-Auth-Email: ${CF_API_EMAIL}" -H "X-Auth-Key: ${CF_API_KEY}" \
-H "Content-Type: application/json" | jq

disable universal ssl

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/ssl/universal/settings" \
-H "X-Auth-Email: ${CF_API_EMAIL}" -H "X-Auth-Key: ${CF_API_KEY}" \
-H "Content-Type: application/json" \
--data '{"enabled":false}' | jq

If in future you need to re-enable Universal SSL, use the CF API command below or do so via CF dashboard -> Crypto section

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/ssl/universal/settings" \
-H "X-Auth-Email: ${CF_API_EMAIL}" -H "X-Auth-Key: ${CF_API_KEY}" \
-H "Content-Type: application/json" \
--data '{"enabled":true}' | jq

Next step: order a Cloudflare dedicated SSL certificate

For $5/month, order a Cloudflare dedicated SSL certificate so you can enable HTTPS for your CF domains. Disabling Universal SSL ensures the free Universal SSL multi-domain SAN SSL certificate is never generated with your domains added to it, so the domains cannot be searched in Certificate Transparency logs.

Final setup: update domain’s nameservers to use Cloudflare

Update domain name’s nameservers to the Cloudflare ones generated from initial API output

cat result.txt | jq -r ".result.name_servers[]" | head -n2 
andy.ns.Cloudflare.com
fay.ns.Cloudflare.com
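The post sets a single CF_ZONEID, while result.txt holds one zone-create response per domain. As an added example (not part of the original post), the script below walks every successfully added zone, disables Universal SSL, re-reads the setting, and prints nameservers only for zones confirmed off. The function names, the RUN_DISABLE switch and the sample responses are assumptions made for illustration; the endpoints and headers are the ones used in the post.

```bash
# Added example (not from the original post). Function names and RUN_DISABLE
# are hypothetical; the endpoints and auth headers are the ones the post uses.
API="https://api.cloudflare.com/client/v4"

# Print "zoneid name ns1,ns2" for every zone-create response that succeeded.
# result.txt is a run of concatenated JSON objects, which jq reads one by one.
zones_from_results() {
  jq -r 'select(.success == true) | .result
         | "\(.id) \(.name) \(.name_servers | join(","))"' "$1"
}

# Count responses in result.txt where adding the zone failed.
failed_adds() { jq -s '[.[] | select(.success != true)] | length' "$1"; }

# Succeed only if a Universal SSL settings response on stdin confirms it is off.
universal_ssl_disabled() { jq -e '.success == true and .result.enabled == false' >/dev/null; }

cf_api() {  # usage: cf_api METHOD PATH [JSON_BODY]
  curl -s -X "$1" "$API$2" \
    -H "X-Auth-Email: ${CF_API_EMAIL}" -H "X-Auth-Key: ${CF_API_KEY}" \
    -H "Content-Type: application/json" ${3:+--data "$3"}
}

# Disable Universal SSL on each added zone, re-read the setting to verify, and
# print nameservers only for zones confirmed off. Returns 1 if any zone failed.
disable_all() {
  rc=0
  while read -r id name ns; do
    [ -n "$id" ] || continue
    cf_api PATCH "/zones/$id/ssl/universal/settings" '{"enabled":false}' >/dev/null
    if cf_api GET "/zones/$id/ssl/universal/settings" | universal_ssl_disabled; then
      echo "OK   $name: Universal SSL off; nameservers to set: $ns"
    else
      echo "STOP $name: not confirmed off; do not change nameservers" >&2; rc=1
    fi
  done <<EOF
$(zones_from_results "$1")
EOF
  return "$rc"
}

# Constructed sample of two zone-create responses for exercising the parsers.
sample_results() { cat <<'EOF'
{"success":true,"result":{"id":"zone-id-1","name":"yourdomain.com","name_servers":["ns1.example.net","ns2.example.net"]}}
{"success":false,"errors":[{"message":"constructed failure"}],"result":null}
EOF
}
# Network calls happen only on request: RUN_DISABLE=1 bash thisfile result.txt
if [ "${RUN_DISABLE:-0}" = 1 ]; then disable_all "${1:-result.txt}"; fi
```

A non-zero exit from disable_all means at least one zone still needs attention before its registrar nameservers are changed.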