Install latest version of cloudflare-dns on ubuntu 20.04

I’m building a docker container based on ubuntu 20.04 and certbot.

I’m trying to use the cloudflare dns plugin.

The plugin works fine for a Cloudflare global token; however, Cloudflare is now recommending that we use the restricted API token.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials

The Cloudflare doco states that you need to use at least version 2.3.1 of the Cloudflare plugin; however, Ubuntu 20.04 only seems to have version 2.10.

Is there some way to upgrade the cloudflare plugin version?

I could in theory switch distros, my other dependencies are dart and nginx.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is certbot --version
certbot 0.40.0


Welcome to the Let’s Encrypt Community 🙂

I’m definitely not the most experienced here with the setup you’ve described, but I’ve been doing some research and have a couple things to offer that might be a start at the moment.

The certbot version packaged with your software is really outdated (0.40.0 vs 1.7.0):

Ubuntu would need to upgrade their python3-cloudflare package to 2.3.1 or newer, when support for API Tokens was added. Currently packaged version is 2.1.0-0. OS packages typically take quite a long time to receive updates, so if you’re really dead set on using API tokens, consider an alternative installation method.

(Ubuntu 20.10 will have support when it comes out, but I wouldn’t hold my breath for 20.04 receiving that update).

As @griffin mentions, if you install Certbot and its DNS plugins from snaps, you will get the latest and greatest, including support for Cloudflare API tokens.

You can also look at other ACME clients which support Cloudflare’s API tokens, acme.sh for instance.


@_az

Thanks for the assist. The information you provided confirms that my research was on target. You know worlds more in this area than I do. 🙂

Installing snap into an Ubuntu container seems to be problematic as it needs systemd, unless you have a link to some more detailed instructions.

At this point I’ve reverted to cloudflare global api keys.

I see, fair enough. I think it's indeed the case that snaps probably rely on systemd right now.

Could you share which systemd-less flavor of Ubuntu you are using? Or if you have just replaced PID1 on your own? That could be useful info for the Certbot team.

Ah, I somehow entirely missed that you are using containers. Yes, snaps won't work there.

Since it is a container where everything is pinned, you could consider just using a Python virtualenv and installing Certbot and its DNS plugins into it using pip.

If the container does nothing but Certbot, there's also Docker.
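
The virtualenv route suggested in the last reply, sketched as an added example that is not part of the thread or of Certbot's own documentation: it installs Certbot and the Cloudflare plugin with pip, checks that the `cloudflare` library meets the 2.3.1 minimum mentioned above, and writes the API token to an owner-only credentials file. The paths `/opt/certbot` and `/etc/letsencrypt/cloudflare.ini`, the `CF_API_TOKEN` variable and the function names are assumptions, and the image is assumed to have `python3-venv` and GNU coreutils.

```shell
#!/bin/sh
# Added example: helper names, paths and CF_API_TOKEN are assumptions.

# version_ge A B: succeeds when version A >= version B (GNU sort -V ordering,
# so 2.10.0 is correctly treated as newer than 2.3.1 and 2.1.0 as older).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# token_supported VERSION: restricted API tokens need the cloudflare
# Python library at 2.3.1 or newer, as stated in the thread.
token_supported() {
    version_ge "$1" "2.3.1"
}

# write_cf_credentials FILE TOKEN: write the plugin's ini file so that only
# the owner can read it; the token must never be world-readable.
write_cf_credentials() {
    ( umask 077
      printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# install_certbot_venv DIR: pip-install Certbot and the DNS plugin into a
# virtualenv, then fail if the resolved cloudflare library is too old.
install_certbot_venv() {
    python3 -m venv "$1" &&
    "$1/bin/pip" install --upgrade pip &&
    "$1/bin/pip" install certbot certbot-dns-cloudflare &&
    ver=$("$1/bin/pip" show cloudflare | sed -n 's/^Version: //p') &&
    token_supported "$ver"
}

# The network-dependent part runs only when requested, e.g. in a Dockerfile:
#   RUN CF_API_TOKEN=... sh setup-certbot.sh install
# Afterwards:
#   /opt/certbot/bin/certbot certonly --dns-cloudflare \
#     --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d example.com
if [ "${1:-}" = "install" ]; then
    install_certbot_venv /opt/certbot || {
        echo "install failed or cloudflare library older than 2.3.1" >&2
        exit 1
    }
    write_cf_credentials /etc/letsencrypt/cloudflare.ini \
        "${CF_API_TOKEN:?set CF_API_TOKEN}"
fi
```

Passing the token as a build argument leaves it in the image history, so for a real image mount the credentials file or inject the variable at container start instead.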
