Cloudflare API to disable protection = DNS ONLY?

eva2000 · December 7, 2015, 4:58am

For my Letsencrypt integration, i’ve now added cloudflare dns checks into it so can prompt users to disable Cloudflare protection for DNS only mode so they can validate their LE ssl certs via webroot authentictaion.

But was wondering if any Cloudflare users are aware of API commands that can be run to disable Cloudflare protection for DNS only mode ? I can’t seem to find any such option in Cloudflare’s API documentation ? If there is I can script it into the initial LE ssl cert validation as well as the auto renewal cronjob so can disable Cloudflare protection at API level for validation and re-enable protection once validated.

Any hints appreciated

George

eva2000 · December 7, 2015, 6:22am

not sure if zone security level = essentially_off switch from medium is the one I am looking for ?

for example

domain=
cfemail=
cfkey=

ZID=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$domain" -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cfkey" -H "Content-Type: application/json" | grep -Po '(?<="id":")[^"]*' | head -1)

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}/settings/security_level" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfkey" \
-H "Content-Type: application/json" \
--data '{"value":"medium"}'

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}/settings/security_level" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfkey" \
-H "Content-Type: application/json" \
--data '{"value":"essentially_off"}'

eva2000 · December 7, 2015, 6:37am

ok think i found it paused = true or false

https://api.cloudflare.com/#zone-edit-zone-properties

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfkey" \
-H "Content-Type: application/json" \
--data '{"paused":false}'

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfkey" \
-H "Content-Type: application/json" \
--data '{"paused":true}'

yup seems to be it !

paused = true via API call

Unfortunately, this might not be feasible for folks behind Cloudflare for protection/anti-DDOS reasons as you do not want to expose your origin server’s IP address even temporarily especially when folks can look up when your Letsencrypt SSL certificate is about to expire and needs renewal.

I wonder if you can setup a Cloudflare page rule to only allow .well-known urls to go through ?

My1 · December 7, 2015, 8:40am

wouldnt cloudflare have no problem with webrroot, the only problem where cf can be is tls-sni-01 because couldflare MITMs the cert. the rest usually goes through.

eva2000 · December 7, 2015, 8:57am

I see, so not a problem with webroot ! Guess I should test this

Anyway, hope the above helps other LE authentication methods

My1 · December 7, 2015, 9:17am

well webroot just tries to access a webpage and usually cf doesnt block that, unless you have under attack mode active where some script keeps you away for a bit which might be too much for the bot.

godfool · December 7, 2015, 2:56pm

I use Cloudflare and webroot auth, and have no problems.

eva2000 · December 7, 2015, 5:18pm

thanks for the confirmation !

jgrahamc · December 8, 2015, 8:02am

It’s not necessary to use disable CloudFlare to use Let’s Encrypt.

If you’re configuring Let’s Encrypt for the first time for a site already active on CloudFlare, all that is needed to successfully verify and obtain your certificate and private key pair is to use the webroot method for verification.

Download the Let’s Encrypt client and change to the download directory:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/

Run the script for automatic installation:

./letsencrypt-auto

Using the letsencrypt client with the certonly command and the --webroot flag, we’re able to verify and obtain the cert/key pair using HTTP verification. An example command might look like:

/root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --webroot-path /usr/share/nginx/html/ --renew-by-default --email email@host.tld --text --agree-tos -d example.tld -d www.example.tld

where

--webroot-path is the directory on your server where your site is located (nginx used in the example)
--renew-by-default selects renewal by default when domains are a superset of a previously attained cert
--email is the email used for registration and recovery contact.
--text displays text output
--agree-tos agrees to Let’s Encrypt’s Subscriber Agreement
-d specifies hostnames to add to the SAN.

Successful completion of this verification method will show text similar to the following:

IMPORTANT NOTES
- Congratulations! Your certificate and chain have been saved at 
/etc/letsencrypt/live/example.tld/fullchain.pem. Your cert will expire on 
2016-03-03. To obtain a new version of the certificate in the future, simply
run Let's Encrypt again.

As a note, both the cert and key will be saved to /etc/letsencrypt/live/example.tld/ . After both have been obtained, you’ll need to manually update your virtual host to use this key/cert pair.

eva2000 · December 8, 2015, 9:05am

cheers, yes i am using webroot for my integration http://centminmod.com/letsencrypt-freessl.html just didn’t test it first hand with cloudlfare so only went off on the basis of what i read on the forums