LetsEncrypt DNS-01 Verfication - API Key Requirements

Hi All,

I’m starting to use CloudFlare for our DNS requirements. This is mainly due to the requirement of a wildcard certificate in the latest project I’m working on and requiring auto-renewal. All the guides I read on getting this setup says that I need to use the “Global” API key from CloudFlare, but this seems bizarre in a security focussed world. Does anyone have any idea whether there is any way to restrict the access? I’ve tried giving it this access, but CertBot just throws an error.
10.0.0.0.1 192.168.1.254

Was one of the guides you read the official guide for Certbot’s Cloudflare plugin?

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

Previously, Cloudflare’s “Global API Key” was used for authentication, however this key can access the entire Cloudflare API for all domains in your account, meaning it could cause a lot of damage if leaked.

Cloudflare’s newer API Tokens can be restricted to specific domains and operations, and are therefore now the recommended authentication option.

However, due to some shortcomings in Cloudflare’s implementation of Tokens, Tokens created for Certbot currently require Zone:Zone:Read and Zone:DNS:Edit permissions for all zones in your account. While this is not ideal, your Token will still have fewer permission than the Global key, so it’s still worth doing. Hopefully Cloudflare will improve this in the future.

Using Cloudflare Tokens also requires at least version 2.3.1 of the cloudflare python module. If the version that automatically installed with this plugin is older than that, and you can’t upgrade it on your system, you’ll have to stick to the Global key.

If you are open to a change of ACME client, acme.sh supports fully restricted API keys, but you need to provide the Zone ID to make it work: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#1-cloudflare-option

Posh-ACME’s Cloudflare plugin also supports a model where you provide two different keys; one that has write access to the specific zone and another that has read to all zones so it can find the zone ID on its own.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.