
cloudflare's Introduction

Cloudflare module for Caddy

This package contains a DNS provider module for Caddy. It can be used to manage DNS records with Cloudflare accounts.

Caddy module name

dns.providers.cloudflare

Config examples

To use this module for the ACME DNS challenge, configure the ACME issuer in your Caddy JSON like so:

{
	"module": "acme",
	"challenges": {
		"dns": {
			"provider": {
				"name": "cloudflare",
				"api_token": "{env.CF_API_TOKEN}"
			}
		}
	}
}

or with the Caddyfile:

tls {
	dns cloudflare {env.CF_API_TOKEN}
}

You can replace {env.CF_API_TOKEN} with the actual auth token if you prefer to put it directly in your config instead of an environment variable.

Authenticating

See the associated README in the libdns package for important information about credentials.

NOTE: If migrating from Caddy v1, you will need to change from using a Cloudflare API Key to a scoped API Token. Please see the link above for more information.

Troubleshooting

Error: Invalid request headers

If you provide your API token via an environment variable that is not set or not available to Caddy when it runs, an empty token is sent and you will receive this error from Cloudflare.

Double check that Caddy has access to a valid CF API token.
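The config examples above use the {env.CF_API_TOKEN} placeholder, and an unset variable is the usual cause of the "Invalid request headers" error. The following is an added example (not part of this module or Caddy) that lints the ACME issuer JSON before startup: it fails when the placeholder references an unset variable, and warns when a literal token is embedded in the config instead. The JSON is a constructed copy of the README's example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
)

// sampleIssuer is a constructed copy of the README's ACME issuer JSON.
const sampleIssuer = `{
	"module": "acme",
	"challenges": {
		"dns": {
			"provider": {
				"name": "cloudflare",
				"api_token": "{env.CF_API_TOKEN}"
			}
		}
	}
}`

// issuer models only the fields of the acme issuer that the check inspects.
type issuer struct {
	Module     string `json:"module"`
	Challenges struct {
		DNS struct {
			Provider struct {
				Name     string `json:"name"`
				APIToken string `json:"api_token"`
			} `json:"provider"`
		} `json:"dns"`
	} `json:"challenges"`
}

// envPlaceholder matches Caddy's runtime placeholder form {env.NAME}.
var envPlaceholder = regexp.MustCompile(`^\{env\.([A-Za-z_][A-Za-z0-9_]*)\}$`)

// Finding is one lint result; Level is "error" (Caddy will fail) or "warn".
type Finding struct {
	Level string
	Msg   string
}

// CheckIssuer inspects the dns challenge provider of one ACME issuer config.
// getenv is injected (os.Getenv in practice) so the check runs offline.
func CheckIssuer(raw []byte, getenv func(string) string) ([]Finding, error) {
	var cfg issuer
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parsing issuer JSON: %w", err)
	}
	var out []Finding
	if cfg.Module != "acme" {
		out = append(out, Finding{"error", "issuer module is not \"acme\""})
	}
	p := cfg.Challenges.DNS.Provider
	if p.Name != "cloudflare" {
		out = append(out, Finding{"error", fmt.Sprintf("dns provider is %q, expected \"cloudflare\"", p.Name)})
	}
	switch m := envPlaceholder.FindStringSubmatch(p.APIToken); {
	case p.APIToken == "":
		out = append(out, Finding{"error", "api_token is missing"})
	case m != nil && getenv(m[1]) == "":
		// An empty token would be sent to Cloudflare, which answers
		// "Invalid request headers" (see Troubleshooting).
		out = append(out, Finding{"error", fmt.Sprintf("api_token references %s, which is not set in the environment", m[1])})
	case m == nil:
		// A literal token lives in the config on disk and in every copy of it;
		// the {env.NAME} placeholder keeps it out of the file.
		out = append(out, Finding{"warn", "api_token is a literal value embedded in the config; prefer {env.NAME}"})
	}
	return out, nil
}

func main() {
	findings, err := CheckIssuer([]byte(sampleIssuer), os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	failed := false
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Level, f.Msg)
		failed = failed || f.Level == "error"
	}
	if failed {
		os.Exit(1)
	}
	fmt.Println("ok: provider config and token source look sane")
}
```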

Error: timed out waiting for record to fully propagate

Some environments may have trouble querying the _acme-challenge TXT record from Cloudflare. Verify in the Cloudflare dashboard that the temporary record is being created.

If the record does exist, your DNS resolver may be caching an earlier response before the record was valid. You can instead configure Caddy to use an alternative DNS resolver such as Cloudflare's official 1.1.1.1.

Add a custom resolver to the tls directive:

tls {
  dns cloudflare {env.CF_API_TOKEN}
  resolvers 1.1.1.1
}

Or with Caddy JSON to the acme module: challenges.dns.provider.resolvers: ["1.1.1.1"].
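The propagation check described above, as an added example (not the module's or Caddy's own code): it polls the _acme-challenge TXT record through one chosen server such as 1.1.1.1:53 rather than the host's stub resolver, and a constructed fake stands in for a resolver that cached a negative answer before the record existed, so the block runs offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
	"time"
)

// LookupTXT is the single DNS operation the checker needs. It is injected so
// the polling logic can be exercised offline with a fake resolver.
type LookupTXT func(ctx context.Context, name string) ([]string, error)

// ResolverAt returns a lookup that sends every query to one fixed server
// (e.g. "1.1.1.1:53"), bypassing the host's possibly-caching stub resolver,
// which is what the `resolvers` option in the README achieves inside Caddy.
func ResolverAt(server string) LookupTXT {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, server)
		},
	}
	return r.LookupTXT
}

// ChallengeName returns the TXT owner name the dns-01 solver creates for a
// domain; a leading "*." (wildcard certificate) and trailing dot are dropped.
func ChallengeName(domain string) string {
	domain = strings.TrimSuffix(strings.TrimPrefix(domain, "*."), ".")
	return "_acme-challenge." + domain
}

// WaitForTXT polls lookup until want is among the TXT values for name or ctx
// expires. It returns the number of queries made and nil on success, or the
// last lookup error wrapped in a timeout error otherwise.
func WaitForTXT(ctx context.Context, lookup LookupTXT, name, want string, interval time.Duration) (int, error) {
	attempts := 0
	for {
		attempts++
		vals, err := lookup(ctx, name)
		if err == nil {
			for _, v := range vals {
				if v == want {
					return attempts, nil
				}
			}
			err = fmt.Errorf("%d TXT record(s) present, none match", len(vals))
		}
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("timed out waiting for %s to propagate: last error: %w", name, err)
		case <-time.After(interval):
		}
	}
}

// StaleThenFresh is a constructed fake: it serves a cached negative answer
// (not found) for the first n queries and the real record afterwards, which
// is how a resolver that cached the name before the record existed behaves.
func StaleThenFresh(n int, value string) LookupTXT {
	calls := 0
	return func(_ context.Context, name string) ([]string, error) {
		calls++
		if calls <= n {
			return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
		}
		return []string{value}, nil
	}
}

func main() {
	name := ChallengeName("*.example.com")
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	// Against the caching fake the first two answers are stale. Swapping in
	// ResolverAt("1.1.1.1:53") queries a server that never cached the name.
	want := "constructed-key-authorization-digest"
	n, err := WaitForTXT(ctx, StaleThenFresh(2, want), name, want, 200*time.Millisecond)
	fmt.Printf("%s: %d queries, err=%v\n", name, n, err)
}
```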

cloudflare's Issues

Issue with resolvers

Hi,
I'm having an issue with resolvers; my Caddyfile looks like:

[...]
tls {
   dns cloudflare MY_API_KEY
   resolvers 1.1.1.1
}

But I'm getting this error because IT blocks DNS requests except from 1.1.1.1.
"error": "[URL] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of "_acme-challenge.URL": dial tcp 108.162.195.175:53: i/o timeout

Building Doesn't work with the Latest Caddy Version 2.7.2

I'm getting this error:

#0 6.217 2023/08/14 10:02:33 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/[email protected]
#0 6.376 go: downloading github.com/caddy-dns/cloudflare v0.0.0-20230807034102-74f004e1c1ab
#0 6.445 go: github.com/caddy-dns/cloudflare@upgrade (v0.0.0-20230807034102-74f004e1c1ab) requires github.com/caddyserver/caddy/[email protected], not github.com/caddyserver/caddy/[email protected]
#0 6.450 2023/08/14 10:02:33 [FATAL] exit status 1
------
failed to solve: process "/bin/sh -c xcaddy build     --with github.com/caddy-dns/cloudflare" did not complete successfully: exit code: 1

While building with the latest Caddy image from Dockerhub (which is 2.7.2 at the time of opening this issue).

My Dockerfile:

# Build Cloudflare DNS Package
FROM caddy:2-builder-alpine AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

# Modify Binary from Main Package
FROM caddy:2-alpine
# Install envsubst (part of gettext package)
RUN apk add --no-cache gettext
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY ./Caddyfile /etc/caddy/Caddyfile

This is a serious bug; there is a mismatch between the package requirement and the Dockerhub version release.

Error: "solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil>"

First time trying out the DNS provider feature. Tried with Caddyfile as below with scoped API token passed in as ENV var.

  • Waited a while with nothing happening until an error occurred.
  • Quick glance through existing issues, doesn't appear to be an earlier issue about it.
  • While raising this issue, the third attempt was successful, taking about 10-30 minutes to be successful (reproduced multiple times).

Is this expected behaviour of the feature with Cloudflare, or is the time taken and earlier failures a possible problem?

Environment Details:

  • The apex domain (example.com, no subdomain) has a reverse proxy (Traefik) that runs on a different server handling several sub-domains and a CNAME wildcard for non-explicit subdomains.
  • The Caddy instance is a fresh 2.4 binary from the download page with the Cloudflare module added, run via a fresh instance of Fedora 34 on Vultr.
  • Unlike when running Caddy via Docker, Fedora additionally required running a firewall command to allow HTTP/HTTPS traffic. Prior to trying the Cloudflare DNS module, a different subdomain was already configured on Cloudflare to the Vultr Fedora VPS IP and regular LetsEncrypt which worked successfully.

Caddyfile:

{
  acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
  email [email protected]
}

test.example.com {
  tls {
    dns cloudflare {env.CF_API_TOKEN}
  }

  root * /srv/site
  file_server
}

Caddy stdout log:

2021/05/22 06:18:10.447 INFO    serving initial configuration
2021/05/22 06:18:10.433 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2021/05/22 06:18:10.430 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000260460"}
2021/05/22 06:18:10.449 INFO    tls.obtain      acquiring lock  {"identifier": "test.example.com"}
2021/05/22 06:18:10.451 INFO    tls.obtain      lock acquired   {"identifier": "test.example.com"}

2021/05/22 06:18:10.452 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["test.example.com"]}
2021/05/22 06:18:10.452 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["test.example.com"]}
2021/05/22 06:18:10.454 INFO    tls     finished cleaning storage units
2021/05/22 06:18:12.092 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "test.example.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}

2021/05/22 06:20:15.996 INFO    tls.issuance.acme       waiting on internal rate limiter        {"identifiers": ["test.example.com"]}
2021/05/22 06:20:15.997 INFO    tls.issuance.acme       done waiting on internal rate limiter   {"identifiers": ["test.example.com"]}
2021/05/22 06:20:17.104 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "test.example.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}

2021/05/22 06:22:19.301 ERROR   tls.obtain      will retry      {"error": "[test.example.com] Obtain: [test.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/19618631/59618995) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 248.850234978, "max_duration": 2592000}

2021/05/22 06:23:20.908 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "test.example.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/05/22 06:25:24.293 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "test.example.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}

2021/05/22 06:27:25.852 ERROR   tls.obtain      will retry      {"error": "[test.example.com] Obtain: [test.example.com] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/19618631/59621711) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 2, "retrying_in": 120, "elapsed": 555.400860953, "max_duration": 2592000}

2021/05/22 06:29:28.604 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "test.example.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/05/22 06:29:31.836 INFO    tls.issuance.acme.acme_client   validations succeeded; finalizing order {"order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/19618631/59623852"}
2021/05/22 06:29:32.512 INFO    tls.issuance.acme.acme_client   successfully downloaded available certificate chains    {"count": 1, "first_url": "https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa59c8fe71cfcb679672d9cb9c6fda649b27"}
2021/05/22 06:29:32.514 INFO    tls.obtain      certificate obtained successfully       {"identifier": "test.example.com"}
2021/05/22 06:29:32.514 INFO    tls.obtain      releasing lock  {"identifier": "test.example.com"}

TL;DR

Is usage of this module expected to fail multiple times in a valid setup and take 10 minutes to be successful?

If not, could the cause be related to :

  • Server setup such as Fedora default security policies interfering?
  • Existing DNS configuration? (multiple servers for a given domain via A records on specific subdomains, and a * CNAME record to the A record of the apex domain example.com)

dns-01 challenge timed out

Similar to issues #28 #13 I am recently having issues renewing the caddy certs, but their fixes aren't working for me.

08:40:01 : {"level":"info","ts":1630917601.1305175,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"URL.TLD","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
08:42:17 : {"level":"info","ts":1630917737.0010695,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["URL.TLD"]}
08:42:17 : {"level":"info","ts":1630917737.0015578,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["URL.TLD"]}
08:42:19 : {"level":"info","ts":1630917739.3439322,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"URL.TLD","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
08:44:22 : {"level":"error","ts":1630917862.571245,"logger":"tls.renew","msg":"will retry","error":"[URL.TLD] Renew: [URL.TLD] solving challenges: waiting for solver certmagic.solverWrapper to be ready: timed out waiting for record to fully propagate; verify DNS provider configuration is correct - last error: <nil> (order=https://acme.zerossl.com/v2/DV90/order/y3th-e4qmVaHYssEQcd6VA) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":262.837809012,"max_duration":2592000}

I tried adding resolvers to my Caddyfile but see nothing new in the log. There is a txt acme challenge added to cloudflare so the API interaction seems to be OK...

Here's the Caddyfile, nothing I can see to be going wrong:

URL.TLD {
        tls {
                dns cloudflare <API_KEY>
        }
}

This setup used to work fine, I set it up about 6 months ago, and only now has it started causing issues (so I'm guessing the 90 day cert renewal must have worked OK at least once after setup). Only changes could be from a usual apt update of the LXC caddy is running in. I've not tried downgrading caddy/cloudflare package.

Thanks

caddy-dns / cloudflare is broken will not install

Hello;
Very new to GitHub. I have been trying to install Caddy multiple times. I believe the go.mod and go.sum have broken links in them. That is what is making the install fail. Thanks for your time. And have a great day.

Cannot Get Certificates

Recently trying to switch back to Caddy after my setup has altered enough to not need nginx anymore...anyway:

I cannot get any certificates at all:

{"level":"error","ts":1643740513.5424674,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"bib.actionsack.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for bib.actionsack.com (probably OK if presenting failed)"}
{"level":"error","ts":1643740513.5882883,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"bib.actionsack.com","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[bib.actionsack.com] solving challenges: presenting for challenge: adding temporary record for zone com.: expected 1 zone, got 0 for com. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/42609938/1687218458) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1643740513.5883076,"logger":"tls.obtain","msg":"will retry","error":"[bib.actionsack.com] Obtain: [bib.actionsack.com] solving challenges: presenting for challenge: adding temporary record for zone com.: expected 1 zone, got 0 for com. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/42609938/1687218458) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":2,"retrying_in":120,"elapsed":62.95889265,"max_duration":2592000}

This is an example for one subdomain. This happens for every single domain and subdomain (I have 2 domains and a ton of subdomains). In my global settings, I have:

{
  default_sni xnaas.info
  acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
  acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
  email {$ACMEEMAIL}
}

I was reading some other issues and tried setting Zone.Zone to Edit instead of Read, but that did not help.

I assume it's an API issue of some sort, since I don't see any TXT records being created...but unsure what the problem is. This same API key worked when I used Caddy many moons ago and has been working with nginx... 😅

Thoughts? Troubleshooting?


Edit: I've also tried setting a tls{} section specifying a resolver and such, but that caused more issues (400s and 403s), so that doesn't seem like the correct solution.

Edit 2: Actually, I switched to specifying this:

tls {$ACMEEMAIL} {
    ca https://acme-staging-v02.api.letsencrypt.org/directory
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
    resolvers 1.0.0.1
  }

and now the logs are more like:

{"level":"error","ts":1643741780.2631567,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"dl.actionsack.com","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[dl.actionsack.com] solving challenges: presenting for challenge: adding temporary record for zone actionsack.com.: got error status: HTTP 403: [{Code:10000 Message:Authentication error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/42609938/1687346048) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
{"level":"error","ts":1643741780.2631755,"logger":"tls.obtain","msg":"will retry","error":"[dl.actionsack.com] Obtain: [dl.actionsack.com] solving challenges: presenting for challenge: adding temporary record for zone actionsack.com.: got error status: HTTP 403: [{Code:10000 Message:Authentication error}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/42609938/1687346048) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":21.856070745,"max_duration":2592000}

So it's definitely an API issue, I guess...but I'm not sure why.

Edit 3: curl -X GET "https://api.cloudflare.com/client/v4/zones?name=actionsack.com" -H "Content-Type:application/json" -H "Authorization: Bearer <token>" works just fine, as well.

Building with caddy from OMV terminal just gets exit status 2

I'm trying to download the cloudflare module but this is all I get, any ideas? (I have master version as suggested by others with this issue but as you can see it makes no difference)

root@Home:/Volume1# xcaddy build master --with github.com/caddy-dns/cloudflare
2023/08/21 23:15:57 [INFO] Temporary folder: /tmp/buildenv_2023-08-21-2315.42338895
2023/08/21 23:15:57 [INFO] Writing main module: /tmp/buildenv_2023-08-21-2315.42338895/main.go
package main

import (
        caddycmd "github.com/caddyserver/caddy/v2/cmd"

        // plug in Caddy modules here
        _ "github.com/caddyserver/caddy/v2/modules/standard"
        _ "github.com/caddy-dns/cloudflare"
)

func main() {
        caddycmd.Main()
}
2023/08/21 23:15:57 [INFO] Initializing Go module
2023/08/21 23:15:57 [INFO] exec (timeout=0s): /usr/bin/go mod init caddy
go: creating new go.mod: module caddy
2023/08/21 23:15:57 [INFO] Pinning versions
2023/08/21 23:15:57 [INFO] exec (timeout=0s): /usr/bin/go get -d -v github.com/caddyserver/caddy/v2@master
go: github.com/caddyserver/caddy/v2 master => v2.7.5-0.20230820145103-38a7b6b3d0e1
2023/08/21 23:16:03 [INFO] exec (timeout=0s): /usr/bin/go get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/v2@master
go: github.com/caddy-dns/cloudflare upgrade => v0.0.0-20230807034102-74f004e1c1ab
2023/08/21 23:16:08 [INFO] exec (timeout=0s): /usr/bin/go get -d -v
2023/08/21 23:16:13 [INFO] Build environment ready
2023/08/21 23:16:13 [INFO] Building Caddy
2023/08/21 23:16:13 [INFO] exec (timeout=0s): /usr/bin/go mod tidy -e
flag provided but not defined: -e
usage: go mod tidy [-v]
Run 'go help mod tidy' for details.
2023/08/21 23:16:13 [INFO] Cleaning up temporary folder: /tmp/buildenv_2023-08-21-2315.42338895
2023/08/21 23:16:13 [FATAL] exit status 2

Certificate for private ip

Up to late September I was using Cloudflare DNS to get a certificate for my homelab on my local network, 192.168.0.xxx.
But now when Caddy wants to refresh the certificate I get the following error.

In the Cloudflare dashboard I had set up
an A record for lab.example.com with the IP 192.168.0.113

{"level":"error","ts":1668018453.8717525,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"lab.example.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:dns - no valid A records found for lab.example.com; no valid AAAA records found for lab.example.com"}

My Caddyfile

# vim: ft=caddyfile
(cloudflare) {
	tls [email protected] {
        dns cloudflare (env.CLOUDFLARE_API_TOKEN)
        resolvers 1.1.1.1 1.0.0.1
	}
}

{env.DOMAIN} {
	import cloudflare
	encode zstd gzip
	handle_path /kosync/* {
		reverse_proxy kosync:8081
	}
	root * /srv/web
	handle {
		file_server {
			precompressed br zstd gzip
		}
	}
}

wallabag.{env.DOMAIN} {
	import cloudflare
	reverse_proxy wallabag:80
}

Fatal error build with windows using master with latest release

xcaddy build master --with github.com/caddy-dns/cloudflare

Using
go version go1.21.5 windows/amd64

2023/12/20 13:35:27 [INFO] exec (timeout=0s): C:\Program Files\Go\bin\go.exe get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/v2@master
go: github.com/caddy-dns/[email protected] requires
        github.com/caddyserver/caddy/[email protected], but v2.7.6-0.20231218231151-1bf72db6ff65 is requested
go: github.com/caddy-dns/cloudflare@upgrade (v0.0.0-20231217194038-7b8ded472344) requires github.com/caddyserver/caddy/[email protected], not github.com/caddyserver/caddy/v2@master (v2.7.6-0.20231218231151-1bf72db6ff65)
2023/12/20 13:35:27 [FATAL] exit status 1

https://i.imgur.com/1iOWgtn.png

Using second latest commit works for now?

xcaddy build master --with github.com/caddy-dns/cloudflare@737bf003fe8af81814013a01e981dc8faea44c07

HTTP 403 from CloudFlare during DNS challenge

Hello,

When I run:
sudo caddy run -config TestCaddyfile -adapter caddyfile

I get this error:
acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token' requires permission 'com.cloudflare.api.account.zone.list' to list zones}]

My TestCaddyfile content is:

[domain] {
    tls {
         dns cloudflare [token]
    }
}

Token permission on CloudFlare: (screenshot not reproduced)

When I run CURL using the token in bash, I can successfully get all the zone information.

Is there anything I can do to further debug where things are going wrong?

[Feature Request] Please consider tagging this repo to Caddy versions

I hesitate to file this issue, as my intent is to not be petty or passive aggressive, and it will probably be received that way due to how the previous discussion ended. However, @mholt, I think you missed the intent of my comment before the discussion was locked, and I believe this is a valid request for myself and many users.

Indeed, caddy:latest should not be used in production, but this plugin does not currently do any sort of version tracking at all. That means it is not possible to do this:

FROM caddy:2.7.2-builder-alpine AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/[email protected]

FROM caddy:2.7.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Instead, I must do this:

FROM caddy:2.7.2-builder-alpine AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare@a9d3ae2690a1d232bc9f8fc8b15bd4e0a6960eec

FROM caddy:2.7.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

I could also omit the commit hash, but that will cause dependency issues the other way around.

Basically, there will be people who will want to use this plugin on a specific version of Caddy, and you do not provide a tagging scheme for those people, short of digging through the commit history of this repo, and identifying the best version to use on a version of Caddy.

You stated you do not use Docker, but this issue is not unique to Docker. It is no different than a user wanting to run xcaddy build on their own.

Will a tagging scheme for this repo be considered? Or at the very least, a table of commit hashes corresponding to the oldest versions of Caddy they are compatible with?

If users are going to be expected to dig through the commit history to do versioning, then I'd like that to be explicitly stated so there is no confusion.

Compiled Caddy 2.0.0 with this module but TLS handshake error during challenge

I have used xcaddy to compile a customized Caddy 2 with this caddy-dns/cloudflare module. Running caddy list-modules reveals the presence of dns.providers.cloudflare. Caddyfile was setup correctly with tls { dns cloudflare api_token }, where api_token is the Cloudflare API Token. caddy -validate confirms the Caddyfile is good.

Below are the error messages from systemd journal, (CF CDN was set to enabled during this time):

2020/05/06 06:28:59 [ERROR] error: one or more domains had a problem:
May 06 06:28:59 austin caddy[27755]: [dllm.com] [dllm.com] acme: error presenting token: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}]
May 06 06:28:59 austin caddy[27755]:  (challenge=dns-01 remaining=[])
May 06 06:29:01 austin caddy[27755]: 2020/05/06 06:29:01 [ERROR] attempt 1: [dllm.com] Obtain: [dllm.com] error: one or more domains had a problem:
May 06 06:29:01 austin caddy[27755]: [dllm.com] [dllm.com] acme: error presenting token: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}]
May 06 06:29:01 austin caddy[27755]:  - retrying in 1m0s (2.671103756s/720h0m0s elapsed)...
May 06 06:29:01 austin caddy[27755]: 2020/05/06 06:29:01 http: TLS handshake error from [2400:cb00:35:1024::ac45:8662]:25722: no certificate available for 'dllm.com'
May 06 06:29:01 austin caddy[27755]: 2020/05/06 06:29:01 http: TLS handshake error from [2400:cb00:35:1024::a29e:a7b7]:47448: no certificate available for 'dllm.com'
May 06 06:29:03 austin caddy[27755]: 2020/05/06 06:29:03 http: TLS handshake error from [2400:cb00:12:1024::ac45:2219]:36592: no certificate available for 'dllm.com'

When reverting back to the standard HTTP challenge (after disabling CDN mode from CF), or downgrading to 1.0.4 (with a different systemd service file), the site is able to come up, passing all LE challenges.

Split DNS issue

Hello,

I am having issues obtaining certs with the DNS challenge (only with Caddy, not with certbot) due to a split horizon DNS config.

The subdomain int.mydomain.com is resolved locally, and in the local DNS server config (unbound) there is an override to resolve *.int.mydomain.com locally (needed to allow not only local machines but also machines connected with a VPN to resolve local domains).

If I try to obtain a certificate using the Cloudflare DNS challenge for a domain such as service.int.mydomain.com I get this error:
solving challenges: presenting for challenge: could not determine zone for domain.

If I remove the local override in unbound everything works perfectly, but I can't really do that or I'd break DNS resolving for remote machines.

Just to add, certbot works even with the local DNS override.

DNS challenge TXT record not being removed

Hello

Just started working with Caddy, and with the Cloudflare plugin.

I was able to get the setup correct in that: the _acme-challenge TXT record is created, and a SSL cert is obtained.

But the plugin is not able to remove the _acme-challenge TXT record.

The log reports:

{"level":"error","ts":1635957602.852264,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"*.mysite.org","challenge_type":"dns-01","error":"deleting temporary record for zone mysite.org.: Delete \"https://api.cloudflare.com/client/v4/zones/<long number>/dns_records/<different long number>": context canceled"}

I've verified that the API Token used is set to:

  • Zone:Zone:Read
  • Zone:DNS:Edit

which should be OK, since the challenge record was created, right?

Any pointer as to where to look?

Specs:
custom build of Caddy v2.4.5 with the Cloudflare DNS plugin downloaded from the Caddy site.
Ubuntu 20.04 Server
Caddy installed from the PPA, then the caddy executable overwritten with the custom build
Caddy running as a service

Thanks!

Source API token from file

This is similar to an earlier issue, which closed by using caddy run --envfile /path/to/secret to have Caddy treat the secret as an ENV file.

That --envfile solution does allow for run-time ENV fetching with {env.CF_API_TOKEN} to reference the ENV var only accessible from the Caddy process (and thus not leaked to anything else running within the container that can access the ENV or outside the container via commands like docker inspect). Without the env placeholder I think it embeds the ENV in the generated Caddyfile / JSON output.

This works for regular Caddy, but plugins that run with a command like caddy docker-proxy don't support such.


Would it make sense to support similar functionality to the runtime env placeholder, but instead providing the file path to read the contents of the file as a value, such as for dns cloudflare <file_path>?

This issue could be migrated further upstream if there is interest.

malformed module path "https:/github.com/caddy-dns/cloudflare": invalid char ':'

Reproduction

~> xcaddy build --with https://github.com/caddy-dns/cloudflare
2023/08/08 21:40:10 [INFO] Temporary folder: /tmp/buildenv_2023-08-08-2140.523772377
2023/08/08 21:40:10 [INFO] Writing main module: /tmp/buildenv_2023-08-08-2140.523772377/main.go
package main

import (
caddycmd "github.com/caddyserver/caddy/v2/cmd"

// plug in Caddy modules here
_ "github.com/caddyserver/caddy/v2/modules/standard"
_ "https://github.com/caddy-dns/cloudflare"
)

func main() {
caddycmd.Main()
}
2023/08/08 21:40:10 [INFO] Initializing Go module
2023/08/08 21:40:10 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go mod init caddy
go: creating new go.mod: module caddy
go: to add module requirements and sums:
go mod tidy
2023/08/08 21:40:10 [INFO] Pinning versions
2023/08/08 21:40:10 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go get -d -v github.com/caddyserver/caddy/v2
go: added github.com/beorn7/perks v1.0.1
go: added github.com/caddyserver/caddy/v2 v2.7.3
go: added github.com/caddyserver/certmagic v0.19.1
go: added github.com/cespare/xxhash/v2 v2.2.0
go: added github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572
go: added github.com/golang/mock v1.6.0
go: added github.com/golang/protobuf v1.5.3
go: added github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
go: added github.com/google/uuid v1.3.0
go: added github.com/klauspost/cpuid/v2 v2.2.5
go: added github.com/libdns/libdns v0.2.1
go: added github.com/matttproud/golang_protobuf_extensions v1.0.1
go: added github.com/mholt/acmez v1.2.0
go: added github.com/miekg/dns v1.1.55
go: added github.com/onsi/ginkgo/v2 v2.9.5
go: added github.com/prometheus/client_golang v1.14.0
go: added github.com/prometheus/client_model v0.3.0
go: added github.com/prometheus/common v0.37.0
go: added github.com/prometheus/procfs v0.8.0
go: added github.com/quic-go/qpack v0.4.0
go: added github.com/quic-go/qtls-go1-20 v0.3.1
go: added github.com/quic-go/quic-go v0.37.3
go: added github.com/zeebo/blake3 v0.2.3
go: added go.uber.org/multierr v1.11.0
go: added go.uber.org/zap v1.25.0
go: added golang.org/x/crypto v0.11.0
go: added golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
go: added golang.org/x/mod v0.11.0
go: added golang.org/x/net v0.12.0
go: added golang.org/x/sys v0.10.0
go: added golang.org/x/term v0.10.0
go: added golang.org/x/text v0.11.0
go: added golang.org/x/tools v0.10.0
go: added google.golang.org/protobuf v1.31.0
2023/08/08 21:40:13 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go get -d -v https://github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/v2
go: malformed module path "https:/github.com/caddy-dns/cloudflare": invalid char ':'
2023/08/08 21:40:13 [FATAL] exit status 1

Environment

  • go: 1.18
  • xcaddy 0.3.5
  • caddy 2.6.4
  • Arch Linux 6.1.39-1-lts

Caddy Github Repo Link

It seems as though all files are referencing github.com/caddyserver/caddy/v2 but the repo is now just github.com/caddyserver/caddy

I can't build due to this error:

 > [caddy builder 2/2] RUN xcaddy build     --with github.com/caddy-dns/cloudflare:
0.200 2023/07/10 00:24:28 [INFO] Temporary folder: /tmp/buildenv_2023-07-10-0024.1790002365
0.200 2023/07/10 00:24:28 [INFO] Writing main module: /tmp/buildenv_2023-07-10-0024.1790002365/main.go
0.200 package main
0.200
0.200 import (
0.200   caddycmd "github.com/caddyserver/caddy/v2/cmd"
0.200
0.200   // plug in Caddy modules here
0.200   _ "github.com/caddyserver/caddy/v2/modules/standard"
0.200   _ "github.com/caddy-dns/cloudflare"
0.200 )
0.200
0.200 func main() {
0.200   caddycmd.Main()
0.200 }
0.200 2023/07/10 00:24:28 [INFO] Initializing Go module
0.200 2023/07/10 00:24:28 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go mod init caddy
0.203 go: creating new go.mod: module caddy
0.204 go: to add module requirements and sums:
0.204   go mod tidy
0.205 2023/07/10 00:24:28 [INFO] Pinning versions
0.205 2023/07/10 00:24:28 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/[email protected]
10.22 go: github.com/caddyserver/caddy/[email protected]: Get "https://proxy.golang.org/github.com/caddyserver/caddy/v2/@v/v2.6.4.info": dial tcp: lookup proxy.golang.org on 10.10.10.1:53: read udp 172.17.0.2:46834->10.10.10.1:53: i/o timeout
10.22 2023/07/10 00:24:38 [FATAL] exit status 1
------
failed to solve: process "/bin/sh -c xcaddy build     --with github.com/caddy-dns/cloudflare" did not complete successfully: exit code: 1

[Newbie] What's the need of Cloudflare Dns

Hi, I'm new to Caddy and I'm trying to understand why I need the Cloudflare DNS module, as I can access all my services via subdomain and I just forwarded ports 80 and 443 on my router. So what's the need for this module?

My domain is from Cloudflare and I also added my DNS records. I'm also using cloudflareddns to keep my IP address up to date.

Could you please help me out because I'm not sure what I'm missing.

Thank you

error getting certificate for sub-subdomain

When I try to get a certificate for an address like a.b.c.com instead of just b.c.com, it fails. I'm using v2.2.0-rc.1. Not sure if this is a bug or if I'm missing something in the configuration.

Caddyfile:

foo.bar.baz.com {
    tls [email protected] {
        dns cloudflare my-api-key-goes-here
        ca https://acme-staging-v02.api.letsencrypt.org/directory
    }
}

Gives the error:

2020/08/12 23:33:19 [INFO] [foo.bar.baz.com] acme: use dns-01 solver
2020/08/12 23:33:19 [INFO] [foo.bar.baz.com] acme: Preparing to solve DNS-01
2020/08/12 23:33:20 [INFO] [foo.bar.baz.com] acme: Cleaning DNS-01 challenge
2020/08/12 23:33:20 [WARN] [foo.bar.baz.com] acme: cleaning up failed: no memory of presenting a DNS record for foo.bar.baz.com 
2020/08/12 23:33:20 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/93420171
2020/08/12 23:33:20 [ERROR] error: one or more domains had a problem:
[foo.bar.baz.com] [foo.bar.baz.com] acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.c8a1af1c44011cc50326adf273f7413c' requires permission 'com.cloudflare.api.account.zone.read' to list zones}]
 (challenge=dns-01 remaining=[])
2020/08/12 23:33:22 [ERROR] attempt 1: [foo.bar.baz.com] Obtain: [foo.bar.baz.com] error: one or more domains had a problem:
[foo.bar.baz.com] [foo.bar.baz.com] acme: error presenting token: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.c8a1af1c44011cc50326adf273f7413c' requires permission 'com.cloudflare.api.account.zone.read' to list zones}]
 - retrying in 1m0s (3.988028658s/720h0m0s elapsed)...

The API key I'm using has the required Zone.Zone and Zone.DNS permissions, and everything works as it should if I change the hostname to bar.baz.com in the Caddyfile. I can also use this same API key with another ACME client (acme.sh) and successfully get a certificate for foo.bar.baz.com.

On a side note, Caddy v1 also had problems with this config, it would print a message like:

[foo.bar.baz.com] [foo.bar.baz.com] acme: error presenting token: cloudflare: failed to find zone bar.baz.com.: Zone could not be found

P.S., thanks for Caddy. I haven't used v2 much yet, but v1 has been wonderfully easy to configure and stable.

Build failed with golang 1.21

Built with Go 1.21, the build crashes:

191.0 /go/pkg/mod/github.com/quic-go/[email protected]/internal/handshake/crypto_setup.go:362:37: cannot use h.allow0RTT (variable of type bool) as tls.QUICSessionTicketOptions value in argument to h.conn.SendSessionTicket

I think we need quic-go 0.37.4, no? quic-go/quic-go#4021

Deploying a caddy+cloudflare image

As mentioned in issue 24 it's simple enough to create a custom build of caddy including the cloudflare module. Is there any interest to also ship an official version as part of the range of caddy?

It would be convenient if you only had to do a docker pull docker.io/caddy:cloudflare

DNS: unrecognized directive in caddyfile

When using the example in the readme, caddy crashes with

run: adapting config using caddyfile: /etc/caddy/Caddyfile:12: unrecognized directive: dns

caddy list-modules shows:

...
dns.providers.cloudflare
...

got error status: HTTP 400: [{Code:6003 Message:Invalid request headers} (env persist)

Following config:

*.domain.net {
        tls [email protected] {
                dns cloudflare {env.DOMAIN_NET_CF_AUTH_TOKEN}
        }
}

*.domain.org {
        tls [email protected] {
                dns cloudflare {env.DOMAIN_ORG_CF_AUTH_TOKEN}
        }
}

Output of the command docker exec caddy-caddy-1 env:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=dfbc180dde13
DOMAIN_ORG_CF_AUTH_TOKEN=2c..........da
ACME_AGREE=true
DOMAIN_NET_CF_AUTH_TOKEN=2c2bc.......da
CADDY_VERSION=v2.5.1
XDG_CONFIG_HOME=/config
XDG_DATA_HOME=/data
HOME=/root

In the logs:

{"level":"error","ts":1653122085.059477,"logger":"tls.obtain","msg":"will retry","error":"[*.domain.org] Obtain: [*.domain.org] solving challenges: presenting for challenge: adding temporary record for zone domain.org.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/54810104/2635600154) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":5,"retrying_in":600,"elapsed":618.239939337,"max_duration":2592000}
{"level":"error","ts":1653122085.1282437,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.domain.net","issuer":"acme-staging-v02.api.letsencrypt.org-directory","error":"[*.domain.net] solving challenges: presenting for challenge: adding temporary record for zone domain.net.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/54810104/2635600194) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}

Error: "no memory of presenting a DNS record", "Code:6003 Message: Invalid request headers"

While debugging the DNS challenge failures in #28, I accidentally ran caddy run without passing the ENV for the CF API token and got the error:

2021/05/22 08:35:52.545 INFO    tls.issuance.acme.acme_client   trying to solve challenge       {"identifier": "test.example.com", "challenge_type": "dns-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/05/22 08:35:52.754 ERROR   tls.issuance.acme.acme_client   cleaning up solver      {"identifier": "test.example.com", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for test.example.com (probably OK if presenting failed)"}
2021/05/22 08:35:53.261 ERROR   tls.obtain      will retry      {"error": "[test.example.com] Obtain: [test.example.com] solving challenges: presenting for challenge: adding temporary record for zone example.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/19618631/59694492) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 5.817538962, "max_duration": 2592000}

This has been noted as an error sent from Cloudflare ("Invalid request headers"), although that isn't evident in the log and requires searching for the error online.

It would be useful if the module could recognize that as potentially due to providing an empty token value (since I provided an environment var to use that wasn't set when running Caddy).

Initially I thought I had hit some rate limit on Cloudflare or LetsEncrypt staging and would have to wait several hours.

Formatting looks OK but getting "Invalid request headers"

Hey there,

A little while ago my Vaultwarden instance stopped working. I checked the web frontend and the interface was down with (first a CloudFlare host error, and playing with it made it change into) an invalid SSL certificate.

Here are the logs, truncated for brevity:

caddy          | {"level":"info","ts":1654723317.160815,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
caddy          | {"level":"error","ts":1654723317.2791078,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for linode-vaultwarden.spikespaz.com (probably OK if presenting failed)"}
caddy          | {"level":"error","ts":1654723317.36962,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"linode-vaultwarden.spikespaz.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[linode-vaultwarden.spikespaz.com] solving challenges: presenting for challenge: adding temporary record for zone spikespaz.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-v02.api.letsencrypt.org/acme/order/411258510/96010725016) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
caddy          | {"level":"info","ts":1654723317.372098,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["linode-vaultwarden.spikespaz.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"[email protected]"}
caddy          | {"level":"info","ts":1654723317.3731222,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["linode-vaultwarden.spikespaz.com"],"ca":"https://acme.zerossl.com/v2/DV90","account":"[email protected]"}
caddy          | {"level":"info","ts":1654723325.842115,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy          | {"level":"error","ts":1654723325.9414904,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for linode-vaultwarden.spikespaz.com (probably OK if presenting failed)"}
caddy          | {"level":"error","ts":1654723329.863269,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"linode-vaultwarden.spikespaz.com","issuer":"acme.zerossl.com-v2-DV90","error":"[linode-vaultwarden.spikespaz.com] solving challenges: presenting for challenge: adding temporary record for zone spikespaz.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/V9_HdrdzKjVUHDrqGQw_ew) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy          | {"level":"error","ts":1654723329.8633559,"logger":"tls.obtain","msg":"will retry","error":"[linode-vaultwarden.spikespaz.com] Obtain: [linode-vaultwarden.spikespaz.com] solving challenges: presenting for challenge: adding temporary record for zone spikespaz.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/V9_HdrdzKjVUHDrqGQw_ew) (ca=https://acme.zerossl.com/v2/DV90)","attempt":1,"retrying_in":60,"elapsed":13.350819347,"max_duration":2592000}
caddy          | {"level":"info","ts":1654723390.2530217,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","ca":"https://acme-staging-v02.api.letsencrypt.org/directory"}
caddy          | {"level":"error","ts":1654723390.3825397,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for linode-vaultwarden.spikespaz.com (probably OK if presenting failed)"}
caddy          | {"level":"error","ts":1654723390.4436834,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"linode-vaultwarden.spikespaz.com","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[linode-vaultwarden.spikespaz.com] solving challenges: presenting for challenge: adding temporary record for zone spikespaz.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/51143733/2796180054) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)"}
caddy          | {"level":"info","ts":1654723397.8965223,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","ca":"https://acme.zerossl.com/v2/DV90"}
caddy          | {"level":"error","ts":1654723398.0058784,"logger":"tls.issuance.acme.acme_client","msg":"cleaning up solver","identifier":"linode-vaultwarden.spikespaz.com","challenge_type":"dns-01","error":"no memory of presenting a DNS record for linode-vaultwarden.spikespaz.com (probably OK if presenting failed)"}
caddy          | {"level":"error","ts":1654723400.164129,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"linode-vaultwarden.spikespaz.com","issuer":"acme.zerossl.com-v2-DV90","error":"[linode-vaultwarden.spikespaz.com] solving challenges: presenting for challenge: adding temporary record for zone spikespaz.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/-n9DujCE-i07QAZ-deyQlg) (ca=https://acme.zerossl.com/v2/DV90)"}
caddy          | {"level":"error","ts":1654723400.1642082,"logger":"tls.obtain","msg":"will retry","error":"[linode-vaultwarden.spikespaz.com] Obtain: [linode-vaultwarden.spikespaz.com] solving challenges: presenting for challenge: adding temporary record for zone spikespaz.com.: got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}] (order=https://acme.zerossl.com/v2/DV90/order/-n9DujCE-i07QAZ-deyQlg) (ca=https://acme.zerossl.com/v2/DV90)","attempt":2,"retrying_in":120,"elapsed":83.65167139,"max_duration":2592000}

The Caddyfile:

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  tls {$EMAIL} {
      dns cloudflare {$CLOUDFLARE_API_TOKEN}
  }

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Uncomment to improve security (WARNING: only use if you understand the implications!)
  header {
       # Enable HTTP Strict Transport Security (HSTS)
       Strict-Transport-Security "max-age=31536000;"
       # Enable cross-site filter (XSS) and tell browser to block detected attacks
       X-XSS-Protection "1; mode=block"
       # Disallow the site to be rendered within a frame (clickjacking protection)
       X-Frame-Options "DENY"
       # Prevent search engines from indexing (optional)
       X-Robots-Tag "none"
       # Server name removing
       -Server
  }

  # Notifications redirected to the WebSocket server
  reverse_proxy /notifications/hub vaultwarden:3012

  # Proxy everything else to Rocket
  reverse_proxy vaultwarden:80 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}

Lastly the docker-compose.yaml:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - DOMAIN=https://linode-vaultwarden.spikespaz.com
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=false
      - ADMIN_TOKEN=password1234!
      - LOG_FILE=/data/vaultwarden.log
    volumes:
      - /home/adminuser/config/vaultwarden:/data

  caddy:
    image: spikespaz/caddy-with-cloudflare:latest-alpine
    container_name: caddy
    restart: always
    ports:
      - 8080:8080
      - 443:443
    volumes:
      - /home/adminuser/config/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /home/adminuser/config/caddy/config:/config
      - /home/adminuser/config/caddy/data:/data
    environment:
      - DOMAIN=https://linode-vaultwarden.spikespaz.com
      - CLOUDFLARE_API_TOKEN=v1.0-1914e277-e85c-4020-9452-692e114e6446
      - [email protected]
      - LOG_FILE=/data/access.log

  fail2ban:
    image: crazymax/fail2ban:latest
    container_name: fail2ban
    restart: always
    network_mode: 'host'
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - /home/adminuser/config/fail2ban:/data
      - /home/adminuser/config/vaultwarden:/vaultwarden:ro
      - /var/log:/var/log:ro
    environment:
      - F2B_LOG_TARGET=/data/fail2ban.log
      - F2B_DB_PURGE_AGE=60d
      - F2B_IPTABLES_CHAIN=INPUT

  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true

Building with xcaddy fails

I tried to build caddy with this plugin using xcaddy but it failed.

Command used:

xcaddy build  --with github.com/caddy-dns/cloudflare

Output:

2020/08/08 15:21:00 [INFO] Temporary folder: /tmp/buildenv_2020-08-08-1521.391743880
2020/08/08 15:21:00 [INFO] Writing main module: /tmp/buildenv_2020-08-08-1521.391743880/main.go
2020/08/08 15:21:00 [INFO] Initializing Go module
2020/08/08 15:21:00 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy 
go: creating new go.mod: module caddy
2020/08/08 15:21:00 [INFO] Pinning versions
2020/08/08 15:21:00 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/[email protected] 
go: downloading github.com/caddyserver/caddy/v2 v2.1.1
go: downloading go.uber.org/zap v1.15.0
go: downloading golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
go: downloading github.com/caddyserver/certmagic v0.11.2
go: downloading go.uber.org/atomic v1.6.0
go: downloading go.uber.org/multierr v1.5.0
go: downloading github.com/go-acme/lego/v3 v3.7.0
go: downloading github.com/klauspost/cpuid v1.3.0
go: downloading golang.org/x/sys v0.0.0-20200413165638-669c56c373c4
go: downloading gopkg.in/square/go-jose.v2 v2.4.0
go: downloading github.com/cenkalti/backoff/v4 v4.0.0
go: downloading github.com/miekg/dns v1.1.27
go: downloading golang.org/x/net v0.0.0-20200625001655-4c5254603344
go: downloading golang.org/x/text v0.3.2
2020/08/08 15:21:34 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/cloudflare 
go: downloading github.com/caddy-dns/cloudflare v0.0.0-20200807233547-c4ab2c801158
go: github.com/caddy-dns/cloudflare upgrade => v0.0.0-20200807233547-c4ab2c801158
go: downloading github.com/caddyserver/caddy/v2 v2.1.2-0.20200807181229-65a09524c392
go: downloading github.com/libdns/cloudflare v0.0.0-20200528144945-97886e7873b1
go: downloading github.com/libdns/libdns v0.0.0-20200501023120-186724ffc821
go: downloading golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
go: downloading github.com/caddyserver/certmagic v0.11.3-0.20200730200704-7d9dfc3fe638
go: downloading github.com/mholt/acmez v0.1.0
go: downloading github.com/miekg/dns v1.1.30
go: downloading golang.org/x/net v0.0.0-20200707034311-ab3426394381
2020/08/08 15:21:41 [INFO] Build environment ready
2020/08/08 15:21:41 [INFO] Building Caddy
2020/08/08 15:21:41 [INFO] exec (timeout=0s): /usr/local/go/bin/go build -o /build/caddy -ldflags -w -s -trimpath 
go: downloading github.com/smallstep/certificates v0.15.0-rc.1.0.20200506212953-e855707dc274
go: downloading github.com/klauspost/compress v1.10.10
go: downloading github.com/google/cel-go v0.5.1
go: downloading google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98
go: downloading github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
go: downloading github.com/go-chi/chi v4.1.2+incompatible
go: downloading github.com/lucas-clemente/quic-go v0.17.3
go: downloading github.com/smallstep/truststore v0.9.6
go: downloading github.com/smallstep/nosql v0.3.0
go: downloading github.com/marten-seemann/qpack v0.1.0
go: downloading google.golang.org/protobuf v1.25.0
go: downloading github.com/golang/protobuf v1.4.1
go: downloading github.com/cheekybits/genny v1.0.0
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/francoispqt/gojay v1.2.13
go: downloading github.com/dgraph-io/badger v1.5.3
go: downloading github.com/yuin/goldmark v1.2.1
go: downloading github.com/smallstep/cli v0.14.6
go: downloading github.com/marten-seemann/qtls v0.9.1
go: downloading github.com/dgraph-io/badger/v2 v2.0.1-rc1.0.20200413122845-09dd2e1a4195
go: downloading github.com/go-sql-driver/mysql v1.5.0
go: downloading github.com/Masterminds/sprig/v3 v3.1.0
go: downloading github.com/dgraph-io/ristretto v0.0.2-0.20200115201040-8f368f2f2ab3
go: downloading github.com/mitchellh/copystructure v1.0.0
go: downloading github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691
go: downloading github.com/naoina/toml v0.1.1
go: downloading github.com/alecthomas/chroma v0.8.0
go: downloading github.com/mitchellh/reflectwalk v1.0.0
go: downloading gopkg.in/natefinch/lumberjack.v2 v2.0.0
go: downloading github.com/huandu/xstrings v1.3.1
go: downloading github.com/naoina/go-stringutil v0.1.0
go: downloading github.com/cespare/xxhash v1.1.0
go: downloading github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2
go: downloading github.com/google/uuid v1.1.1
go: downloading go.etcd.io/bbolt v1.3.2
go: downloading github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
go: downloading github.com/manifoldco/promptui v0.3.1
go: downloading gopkg.in/yaml.v2 v2.3.0
go: downloading github.com/dlclark/regexp2 v1.2.0
go: downloading github.com/spf13/cast v1.3.1
go: downloading github.com/Masterminds/semver v1.4.2
go: downloading github.com/Masterminds/semver/v3 v3.1.0
go: downloading github.com/urfave/cli v1.22.2
go: downloading github.com/imdario/mergo v0.3.8
go: downloading github.com/golang/snappy v0.0.1
go: downloading github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f
go: downloading github.com/jsternberg/zap-logfmt v1.2.0
go: downloading github.com/cpuguy83/go-md2man v1.0.10
go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.0
go: downloading github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a
go: downloading github.com/mattn/go-colorable v0.1.6
go: downloading github.com/lunixbochs/vtclean v1.0.0
go: downloading github.com/mattn/go-isatty v0.0.12
go: downloading github.com/russross/blackfriday v1.5.2
go: downloading github.com/russross/blackfriday/v2 v2.0.1
go: downloading github.com/samfoo/ansi v0.0.0-20160124022901-b6bd2ded7189
go: downloading github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964
go: downloading github.com/Masterminds/goutils v1.1.0
go: downloading github.com/AndreasBriese/bbloom v0.0.0-20190306092124-e2d15f34fcf9
go: downloading github.com/shurcooL/sanitized_anchor_name v1.0.0
go: downloading github.com/rs/xid v1.2.1
go: downloading github.com/sirupsen/logrus v1.4.2
go: downloading cloud.google.com/go v0.54.0
go: downloading google.golang.org/grpc v1.27.1
go: downloading github.com/googleapis/gax-go v2.0.0+incompatible
go: downloading google.golang.org/api v0.20.0
go: downloading github.com/googleapis/gax-go/v2 v2.0.5
go: downloading golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
go: downloading go.opencensus.io v0.22.3
go: downloading github.com/google/go-cmp v0.5.0
go: downloading github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
# github.com/smallstep/certificates/authority/provisioner
/go/pkg/mod/github.com/smallstep/[email protected]/authority/provisioner/jwk.go:155:24: assignment mismatch: 3 variables but x509util.SplitSANs returns 4 values
/go/pkg/mod/github.com/smallstep/[email protected]/authority/provisioner/x5c.go:197:24: assignment mismatch: 3 variables but x509util.SplitSANs returns 4 values
2020/08/08 15:22:32 [INFO] Cleaning up temporary folder: /tmp/buildenv_2020-08-08-1521.391743880
2020/08/08 15:22:32 [FATAL] exit status 2

Is it something that I am doing wrong?

EDIT: I was able to build a Dockerfile using caddy:builder image. If anyone's interested: https://github.com/mr-karan/caddy-plugins-docker

Latest dependencies update broke caddy builder

It seems the required version tag 2.7.3 does not exist for the caddy builder image; it only goes up to 2.7.2, which was fine until #54 a little bit ago. My build is now failing with:

#0 20.14 2023/08/07 18:00:39 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/[email protected]
#0 20.94 go: downloading github.com/caddy-dns/cloudflare v0.0.0-20230807034102-74f004e1c1ab
#0 21.36 go: github.com/caddy-dns/cloudflare@upgrade (v0.0.0-20230807034102-74f004e1c1ab) requires github.com/caddyserver/caddy/[email protected], not github.com/caddyserver/caddy/[email protected]
#0 21.37 2023/08/07 18:00:41 [FATAL] exit status 1
------
failed to solve: executor failed running [/bin/sh -c xcaddy build --with github.com/caddy-dns/cloudflare]: exit code: 1

My Dockerfile looks like so:

FROM caddy:builder AS builder

RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Thanks for the project!

Feature Request

In Caddy 1.x, users can add the "wildcard" subdirective in the Caddyfile, and Caddy will get a wildcard certificate. This feature is very helpful if your domain has many subdomains.
Could you please add this feature back to Caddy 2?

Specify Zone ID

First, thanks for this plugin and Caddy 2. It's my first time playing with it and I'm really impressed. The ease with which I got a certificate for a non-public-facing service was fantastic. No more juggling an Nginx install and getting the LE client + CF going!

Secondly, I class this more as a limitation in the Cloudflare API permissions, but it would be fantastic if you could provide a Zone ID for a domain so the Write/Edit permission across all domains isn't required to use this plugin. This way I could use API keys with just edit permissions for the domains that I'm creating certificates for.

Again, thanks for the awesome piece of software!

Missing API token results in unintuitive error message

For some reason my Caddy wasn't picking up ENV variables. So when the DNS challenge was made I got this error message: solving challenges: presenting for challenge: adding temporary record for zone \"mydomain.com.\": got error status: HTTP 400: [{Code:6003 Message:Invalid request headers}]. At first that made me think that Cloudflare's API had been updated to require a different header or something. But in fact it was just that it was probably sending an empty API token.

It's not a big deal, happy to see this closed immediately. The main thing is that the error message is searchable, and might save somebody 5 minutes of head scratching.
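
The two issues above (this one and "Error: no memory of presenting a DNS record") both trace the 400 "Code:6003 Invalid request headers" back to an empty API token, and the sub-subdomain issue earlier shows the other common token failure, a 403 because the token lacks the zone.read scope. The following is an added example, not code from the caddy-dns/cloudflare module or from the issue authors, of the two local checks a practitioner can run before and after calling the API: validate the token string itself (empty, unexpanded `{env.…}` placeholder, trailing newline copied from a secrets file), and turn a Cloudflare API v4 error body into a hint that names the likely cause. The response bodies in `main` are constructed to mirror the errors quoted in the issues; the hint wording is this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// CheckAPIToken validates a Cloudflare API token before it is placed in an
// Authorization header. It does not contact Cloudflare; it catches the local
// misconfigurations that later surface as "HTTP 400 Code:6003 Invalid request
// headers": an environment variable that was never set, a Caddyfile placeholder
// that was never expanded, or whitespace copied along with the token.
func CheckAPIToken(token string) error {
	if token == "" {
		return errors.New("API token is empty: the environment variable is probably not set in Caddy's environment")
	}
	if strings.HasPrefix(token, "{") && strings.HasSuffix(token, "}") {
		return fmt.Errorf("API token %q looks like an unexpanded Caddyfile placeholder", token)
	}
	for _, r := range token {
		if unicode.IsSpace(r) || unicode.IsControl(r) {
			return errors.New("API token contains whitespace or control characters (trailing newline copied from a secrets file?)")
		}
	}
	return nil
}

// cfAPIError mirrors one entry of the "errors" array in a Cloudflare API v4 response.
type cfAPIError struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

// cfAPIResponse is the subset of the v4 envelope needed to explain a failure.
type cfAPIResponse struct {
	Success bool         `json:"success"`
	Errors  []cfAPIError `json:"errors"`
}

// ExplainCloudflareError parses a failed Cloudflare API response and returns a
// hint for the operator. Code 6003 is the "Invalid request headers" rejection
// seen with an empty token; a "requires permission" message is a valid token
// that lacks a scope (the 403 in the sub-subdomain issue).
func ExplainCloudflareError(status int, body []byte) (string, error) {
	var resp cfAPIResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("HTTP %d with a body that is not a Cloudflare API response: %w", status, err)
	}
	if resp.Success {
		return fmt.Sprintf("HTTP %d: request succeeded", status), nil
	}
	hints := make([]string, 0, len(resp.Errors))
	for _, e := range resp.Errors {
		switch {
		case e.Code == 6003:
			hints = append(hints, fmt.Sprintf("code %d %q: the Authorization header was rejected; an empty or malformed API token is the usual cause", e.Code, e.Message))
		case strings.Contains(e.Message, "requires permission"):
			hints = append(hints, fmt.Sprintf("code %d: the token is valid but lacks a scope: %s", e.Code, e.Message))
		default:
			hints = append(hints, fmt.Sprintf("code %d: %s", e.Code, e.Message))
		}
	}
	if len(hints) == 0 {
		return fmt.Sprintf("HTTP %d: Cloudflare reported failure without error details", status), nil
	}
	return fmt.Sprintf("HTTP %d: %s", status, strings.Join(hints, "; ")), nil
}

func main() {
	// Constructed token values covering the failure modes described above.
	for _, tok := range []string{"", "{env.CF_API_TOKEN}", "abc123\n", "abc123_-XYZ"} {
		fmt.Printf("token %q: %v\n", tok, CheckAPIToken(tok))
	}
	// Constructed response body mirroring the 400 quoted in the logs above.
	body := []byte(`{"success":false,"errors":[{"code":6003,"message":"Invalid request headers"}],"messages":[],"result":null}`)
	hint, err := ExplainCloudflareError(400, body)
	fmt.Println(hint, err)
}
```

Running `CheckAPIToken` on the value read from the environment at startup, before any ACME order is placed, is what turns a cryptic 400 several retries later into an immediate, searchable startup error.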

Error on adding temporary record

Hi! When trying to get a certificate with a not publicly available server I get this error:

"logger":"tls.obtain","msg":"will retry","error":"[ABC.DEF.de] Obtain: [ABC:DEF.de] solving challenges: presenting for challenge: adding temporary record for zone de.: expected 1 zone, got 0 for de.

Caddyfile:

sub1.domain.de {
        reverse_proxy /* frontend:3001
        reverse_proxy /api/* backend:3000
        reverse_proxy /swagger backend:3000
        reverse_proxy /spec backend:3000
}
sub2.domain-dev.de {
        tls {
                dns cloudflare TOKEN
                resolvers 8.8.8.8
        }

        reverse_proxy /* frontend:3001
        reverse_proxy /api/* backend:3000
        reverse_proxy /swagger backend:3000
        reverse_proxy /spec backend:3000
}

The first domain works fine when publicly available for the ACME challenges, but the second won't work.

Dockerfile:

FROM caddy:2-builder-alpine AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare


FROM caddy:2-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile .

CMD ["caddy", "run"]

Cloudflare token settings:

[screenshot of the token settings, not included in this text]

I tried setting the image version to 2.2.1, as I found other dockerfiles that got it running with that one, but it didn't work for me.
Is this extension still supported? What am I doing wrong?
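
The failure here ("expected 1 zone, got 0 for de.") and the earlier sub-subdomain issue (v1: "failed to find zone bar.baz.com"; v2: a 403 because listing zones needs the zone.read scope) are both about which zone the `_acme-challenge` TXT record belongs in. As an added example, not the module's or certmagic's own zone lookup, the following shows the approach a DNS client can take without any DNS query: enumerate the candidate zones of the record name from most to least specific, never descending to the bare TLD, and pick the first one the account actually holds (the list a token with Zone:Read can fetch). `accountZones` in `main` is a constructed stand-in for that listing; the helper names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// CandidateZones returns the zones that could hold recordName, most specific
// first, stopping before the bare TLD. For "_acme-challenge.foo.bar.baz.com"
// that is foo.bar.baz.com, bar.baz.com, baz.com; "de" alone is never a candidate,
// which is the "got 0 for de." failure the issue above hit.
func CandidateZones(recordName string) []string {
	name := strings.TrimSuffix(strings.ToLower(recordName), ".")
	labels := strings.Split(name, ".")
	var zones []string
	for i := 1; i < len(labels)-1; i++ {
		zones = append(zones, strings.Join(labels[i:], "."))
	}
	return zones
}

// SelectZone picks the most specific candidate zone that appears in the
// account's zone list. Matching against the real list is what makes a deep
// subdomain like foo.bar.baz.com resolve to baz.com rather than to a
// non-existent bar.baz.com zone.
func SelectZone(recordName string, accountZones []string) (string, error) {
	held := make(map[string]bool, len(accountZones))
	for _, z := range accountZones {
		held[strings.TrimSuffix(strings.ToLower(z), ".")] = true
	}
	candidates := CandidateZones(recordName)
	for _, c := range candidates {
		if held[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("no zone in this account holds %s (tried %v)", recordName, candidates)
}

// RelativeName strips the zone suffix so the record can be created relative to
// the zone, e.g. "_acme-challenge.foo.bar" inside baz.com; "@" denotes the apex.
func RelativeName(recordName, zone string) string {
	name := strings.TrimSuffix(strings.ToLower(recordName), ".")
	zone = strings.TrimSuffix(strings.ToLower(zone), ".")
	if name == zone {
		return "@"
	}
	return strings.TrimSuffix(name, "."+zone)
}

func main() {
	// Constructed zone list standing in for what the token is allowed to see.
	accountZones := []string{"baz.com", "domain-dev.de"}
	for _, host := range []string{"foo.bar.baz.com", "sub2.domain-dev.de", "sub1.domain.de"} {
		record := "_acme-challenge." + host
		zone, err := SelectZone(record, accountZones)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s -> zone %s, record %s\n", record, zone, RelativeName(record, zone))
	}
}
```

The third host in `main` has no matching zone, so the error lists every candidate that was tried; that is the message an operator needs when the token is scoped to the wrong zones, instead of a bare count like "got 0".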

unrecognized directive: dns

Hello,

I'm getting this error:

Error: adapting config using caddyfile: /etc/caddy/Caddyfile:24: unrecognized directive: dns

Caddyfile:

{
    log {
        output file /var/log/caddy/caddy.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
    }
    servers 127.0.0.1:5001 {
        listener_wrappers {
            proxy_protocol
        }
        protocols h2c h1
    }
}

:5001 {
    root * /srv/http/default
    file_server
    bind 127.0.0.1
}

tls {
       dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
       resolvers 1.1.1.1
}


:80 {
    redir https://{host}{uri} permanent
}

How come it doesn't recognise it?

Thank you

Error building with cloudflare dns and xcaddy (i/o timeout)

Hi and thanks for helping to maintain an awesome service! I have been running into some issues building caddy with cloudflare dns enabled. I've set up my Dockerfile for caddy and I'm running it from a docker-compose yaml.
This might be related to #11 , but the actual error is different and pinning the latest versions fails. I'll also try specifically with 2.2

FROM caddy:2.6.2-builder AS builder

RUN xcaddy build master --with github.com/caddy-dns/cloudflare@latest

FROM caddy:2.6.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

[+] Building 11.1s (7/8)
 => [internal] load build definition from Dockerfile                                                                                       0.0s
 => => transferring dockerfile: 220B                                                                                                       0.0s 
 => [internal] load .dockerignore                                                                                                          0.0s 
 => => transferring context: 2B                                                                                                            0.0s 
 => [internal] load metadata for docker.io/library/caddy:2.6.2                                                                             0.5s
 => [internal] load metadata for docker.io/library/caddy:2.6.2-builder                                                                     0.5s 
 => CACHED [stage-1 1/2] FROM docker.io/library/caddy:2.6.2@sha256:39f1da8bd9f6405dc7f085062d532aee5abb3cb64a7526c5f468e15aa2525f89        0.0s
 => CACHED [builder 1/2] FROM docker.io/library/caddy:2.6.2-builder@sha256:bc8001ca9fc81b64f12b6ef7475733c075d5a4241fe7492691ab22307396d5  0.0s 
 => ERROR [builder 2/2] RUN xcaddy build master --with github.com/caddy-dns/cloudflare@latest                                             10.5s 
------
 > [builder 2/2] RUN xcaddy build master --with github.com/caddy-dns/cloudflare@latest:
#0 0.424 2022/12/28 14:13:24 [INFO] Temporary folder: /tmp/buildenv_2022-12-28-1413.85243573
#0 0.424 2022/12/28 14:13:24 [INFO] Writing main module: /tmp/buildenv_2022-12-28-1413.85243573/main.go
#0 0.424 package main
#0 0.424 
#0 0.424 import (
#0 0.424        caddycmd "github.com/caddyserver/caddy/v2/cmd"
#0 0.424
#0 0.424        // plug in Caddy modules here
#0 0.424        _ "github.com/caddyserver/caddy/v2/modules/standard"
#0 0.424        _ "github.com/caddy-dns/cloudflare"
#0 0.424 )
#0 0.424
#0 0.424 func main() {
#0 0.424        caddycmd.Main()
#0 0.424 }
#0 0.424 2022/12/28 14:13:24 [INFO] Initializing Go module
#0 0.424 2022/12/28 14:13:24 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy
#0 0.430 go: creating new go.mod: module caddy
#0 0.432 go: to add module requirements and sums:
#0 0.432        go mod tidy
#0 0.433 2022/12/28 14:13:24 [INFO] Pinning versions
#0 0.433 2022/12/28 14:13:24 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/v2@master
#0 10.45 go: github.com/caddyserver/caddy/v2@master: invalid version: Get "https://proxy.golang.org/github.com/caddyserver/caddy/v2/@v/master.info": dial tcp: lookup proxy.golang.org on 192.168.65.5:53: read udp 172.17.0.2:54138->192.168.65.5:53: i/o timeout
#0 10.45 2022/12/28 14:13:34 [FATAL] exit status 1
------
failed to solve: executor failed running [/bin/sh -c xcaddy build master --with github.com/caddy-dns/cloudflare@latest]: exit code: 1

could not determine the zone

2022/07/06 02:09:58.974 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "test.masx200.top", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "[test.masx200.top] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.masx200.top: could not determine the zone: unexpected response code 'SERVFAIL' for 7ux4q93992xmjqv8388a.dcv2.httpsauto.com. (order=https://acme-v02.api.letsencrypt.org/acme/order/619340006/104179459486) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
2022/07/06 02:09:58.975 ERROR   tls.obtain      will retry      {"error": "[test.masx200.top] Obtain: [test.masx200.top] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.test.masx200.top: could not determine the zone: unexpected response code 'SERVFAIL' for 7ux4q93992xmjqv8388a.dcv2.httpsauto.com. (order=https://acme-v02.api.letsencrypt.org/acme/order/619340006/104179459486) (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 29.786988, "max_duration": 2592000}

failed to compile caddy2 with cloudflare dns plugin

root@ubuntu-persoonal-cloud:~/go/caddy2# xcaddy build --with github.com/caddy-dns/cloudflare
2020/08/28 12:57:57 [INFO] Temporary folder: /tmp/buildenv_2020-08-28-1257.927887518
2020/08/28 12:57:57 [INFO] Writing main module: /tmp/buildenv_2020-08-28-1257.927887518/main.go
2020/08/28 12:57:57 [INFO] Initializing Go module
2020/08/28 12:57:57 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy
go: creating new go.mod: module caddy
2020/08/28 12:57:57 [INFO] Pinning versions
2020/08/28 12:57:57 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/v2
go: github.com/caddyserver/caddy/v2 upgrade => v2.1.1
2020/08/28 12:57:59 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/cloudflare
go: github.com/caddy-dns/cloudflare upgrade => v0.0.0-20200811180534-4494da72fa56
2020/08/28 12:58:01 [INFO] Build environment ready
2020/08/28 12:58:01 [INFO] Building Caddy
2020/08/28 12:58:01 [INFO] exec (timeout=0s): /usr/local/go/bin/go build -o /root/go/caddy2/caddy -ldflags -w -s -trimpath

github.com/smallstep/certificates/authority/provisioner

/root/go/pkg/mod/github.com/smallstep/[email protected]-e855707dc274/authority/provisioner/jwk.go:155:24: assignment mismatch: 3 variables but x509util.SplitSANs returns 4 values
/root/go/pkg/mod/github.com/smallstep/[email protected]-e855707dc274/authority/provisioner/x5c.go:197:24: assignment mismatch: 3 variables but x509util.SplitSANs returns 4 values
2020/08/28 12:58:02 [INFO] Cleaning up temporary folder: /tmp/buildenv_2020-08-28-1257.927887518

Unable to read zone

Hello,

I've built Caddy with the dns cloudflare module, but when set up with the DNS challenge, I get the following issue:

caddy caddy[366]: {"level":"error","ts":1597289488.5149934,"logger":"tls.obtain","msg":"will retry","error":"[subdomain.example.com] Obtain: [subdomain.example.com] solving challenges: presenting for challenge: adding temporary record for zone co.: got error status: HTTP 403: [{Code:0 Message:Actor 'com.cloudflare.api.token.xxxxxxxxxxxxxxxxxxxxxx' requires permission 'com.cloudflare.api.account.zone.read' to list zones}] (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":2.603871005,"max_duration":2592000}

I've tried all sorts of API token configs and finally just made a token with access to all resources, but I'm still getting this error. When Googling, I can't find anything referencing the specific "com.cloudflare.api.account.zone.read".

I checked Cloudflare's API resources, and they note there is a 'Zone.Read' under 'Accounts', but it doesn't appear to be available in my Cloudflare API settings.

I'm not sure where to go from here.

Docker builds fail due to requirement for unreleased Caddy version

Following the documentation for installing a provider into the Caddy Docker image (https://registry.hub.docker.com/_/caddy) results in the following Dockerfile:

FROM caddy:2.7-builder-alpine AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:2.7-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile /etc/caddy/Caddyfile

However, this fails with a verbose Go error:

 > [caddy builder 2/2] RUN xcaddy build     --with github.com/caddy-dns/cloudflare:
1.684 2023/08/09 10:36:59 [INFO] Temporary folder: /tmp/buildenv_2023-08-09-1036.1122905880
1.687 2023/08/09 10:36:59 [INFO] Writing main module: /tmp/buildenv_2023-08-09-1036.1122905880/main.go
1.687 package main
1.687 
1.687 import (
1.687 	caddycmd "github.com/caddyserver/caddy/v2/cmd"
1.687 
1.687 	// plug in Caddy modules here
1.687 	_ "github.com/caddyserver/caddy/v2/modules/standard"
1.687 	_ "github.com/caddy-dns/cloudflare"
1.687 )
1.687 
1.687 func main() {
1.687 	caddycmd.Main()
1.687 }
1.688 2023/08/09 10:36:59 [INFO] Initializing Go module
1.694 2023/08/09 10:36:59 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go mod init caddy 
1.710 go: creating new go.mod: module caddy
1.714 go: to add module requirements and sums:
1.714 	go mod tidy
1.720 2023/08/09 10:36:59 [INFO] Pinning versions
1.720 2023/08/09 10:36:59 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/[email protected] 
1.855 go: downloading github.com/caddyserver/caddy/v2 v2.7.2
2.361 go: downloading github.com/caddyserver/certmagic v0.19.1
2.362 go: downloading github.com/google/uuid v1.3.0
2.362 go: downloading github.com/prometheus/client_golang v1.14.0
2.455 go: downloading github.com/quic-go/quic-go v0.37.1
2.482 go: downloading go.uber.org/zap v1.25.0
2.588 go: downloading golang.org/x/sys v0.10.0
2.743 go: downloading golang.org/x/term v0.10.0
2.867 go: downloading github.com/klauspost/cpuid/v2 v2.2.5
2.874 go: downloading github.com/libdns/libdns v0.2.1
2.922 go: downloading github.com/mholt/acmez v1.2.0
2.993 go: downloading github.com/miekg/dns v1.1.55
2.993 go: downloading github.com/zeebo/blake3 v0.2.3
3.053 go: downloading golang.org/x/crypto v0.11.0
3.054 go: downloading golang.org/x/net v0.12.0
3.199 go: downloading github.com/beorn7/perks v1.0.1
3.200 go: downloading github.com/cespare/xxhash/v2 v2.2.0
3.229 go: downloading github.com/cespare/xxhash v1.1.0
3.235 go: downloading github.com/golang/protobuf v1.5.3
3.267 go: downloading github.com/prometheus/client_model v0.3.0
3.320 go: downloading github.com/prometheus/common v0.37.0
3.397 go: downloading github.com/prometheus/procfs v0.8.0
3.397 go: downloading google.golang.org/protobuf v1.31.0
3.504 go: downloading go.uber.org/multierr v1.11.0
3.548 go: downloading github.com/quic-go/qpack v0.4.0
3.582 go: downloading github.com/golang/mock v1.6.0
3.582 go: downloading github.com/onsi/ginkgo/v2 v2.9.5
3.740 go: downloading golang.org/x/tools v0.10.0
3.900 go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.1
3.901 go: downloading golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
3.964 go: downloading golang.org/x/text v0.11.0
4.614 go: downloading golang.org/x/mod v0.11.0
4.702 go: downloading github.com/quic-go/qtls-go1-20 v0.3.0
5.213 go: downloading github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572
5.288 go: downloading github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
10.04 go: added github.com/beorn7/perks v1.0.1
10.04 go: added github.com/caddyserver/caddy/v2 v2.7.2
10.04 go: added github.com/caddyserver/certmagic v0.19.1
10.04 go: added github.com/cespare/xxhash/v2 v2.2.0
10.04 go: added github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572
10.04 go: added github.com/golang/mock v1.6.0
10.04 go: added github.com/golang/protobuf v1.5.3
10.04 go: added github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
10.04 go: added github.com/google/uuid v1.3.0
10.04 go: added github.com/klauspost/cpuid/v2 v2.2.5
10.04 go: added github.com/libdns/libdns v0.2.1
10.04 go: added github.com/matttproud/golang_protobuf_extensions v1.0.1
10.04 go: added github.com/mholt/acmez v1.2.0
10.04 go: added github.com/miekg/dns v1.1.55
10.04 go: added github.com/onsi/ginkgo/v2 v2.9.5
10.04 go: added github.com/prometheus/client_golang v1.14.0
10.04 go: added github.com/prometheus/client_model v0.3.0
10.04 go: added github.com/prometheus/common v0.37.0
10.04 go: added github.com/prometheus/procfs v0.8.0
10.04 go: added github.com/quic-go/qpack v0.4.0
10.04 go: added github.com/quic-go/qtls-go1-20 v0.3.0
10.04 go: added github.com/quic-go/quic-go v0.37.1
10.04 go: added github.com/zeebo/blake3 v0.2.3
10.04 go: added go.uber.org/multierr v1.11.0
10.04 go: added go.uber.org/zap v1.25.0
10.04 go: added golang.org/x/crypto v0.11.0
10.04 go: added golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
10.04 go: added golang.org/x/mod v0.11.0
10.04 go: added golang.org/x/net v0.12.0
10.04 go: added golang.org/x/sys v0.10.0
10.04 go: added golang.org/x/term v0.10.0
10.04 go: added golang.org/x/text v0.11.0
10.04 go: added golang.org/x/tools v0.10.0
10.04 go: added google.golang.org/protobuf v1.31.0
10.04 2023/08/09 10:37:08 [INFO] exec (timeout=-2562047h47m16.854775808s): /usr/local/go/bin/go get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/[email protected] 
10.25 go: downloading github.com/caddy-dns/cloudflare v0.0.0-20230807034102-74f004e1c1ab
10.35 go: github.com/caddy-dns/cloudflare@upgrade (v0.0.0-20230807034102-74f004e1c1ab) requires github.com/caddyserver/caddy/[email protected], not github.com/caddyserver/caddy/[email protected]
10.35 2023/08/09 10:37:08 [FATAL] exit status 1
------
failed to solve: process "/bin/sh -c xcaddy build     --with github.com/caddy-dns/cloudflare" did not complete successfully: exit code: 1

A little delving has shown that the issue is that, despite me specifying the Caddy version via the Docker tag, the xcaddy resolver is fetching a version of caddy-dns/cloudflare that requires a newer version of Caddy than is currently available on Docker Hub (https://registry.hub.docker.com/_/caddy).

Caddyfile not reading environment for api token

I have added my Cloudflare token to my environment; however, my Caddyfile will not read the API token from the environment and gives me an error.

Caddyfile:

s1.example.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
	encode gzip

	root * /var/www/s1.example.com
	file_server
}

Env output:

taubin@s1:~$ printenv
SHELL=/bin/bash
PWD=/home/taubin
LOGNAME=taubin
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/taubin
LANG=en_US.UTF-8
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=xterm-256color
LESSOPEN=| /usr/bin/lesspipe %s
USER=taubin
SHLVL=1
CLOUDFLARE_API_TOKEN=REDACTED BUT CONFIRMED
XDG_SESSION_ID=3
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=203.86.205.64 55532 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
SSH_TTY=/dev/pts/0
_=/usr/bin/printenv

Error message in status:

taubin@s1:~$ sudo systemctl status caddy
โ— caddy.service - Caddy
     Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2020-06-03 04:37:43 CEST; 3s ago
       Docs: https://caddyserver.com/docs/
    Process: 1075 ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile (code=exited, status=1/FAILURE)
   Main PID: 1075 (code=exited, status=1/FAILURE)

Jun 03 04:37:43 s1.example.com caddy[1075]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Jun 03 04:37:43 s1.example.com caddy[1075]: HOME=/var/lib/caddy
Jun 03 04:37:43 s1.example.com caddy[1075]: LOGNAME=caddy
Jun 03 04:37:43 s1.example.com caddy[1075]: USER=caddy
Jun 03 04:37:43 s1.example.com caddy[1075]: INVOCATION_ID=3e57708803144dc18e107cd1258c7875
Jun 03 04:37:43 s1.example.com caddy[1075]: JOURNAL_STREAM=9:23889
Jun 03 04:37:43 s1.example.com caddy[1075]: {"level":"info","ts":1591151863.9883575,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jun 03 04:37:43 s1.example.com caddy[1075]: run: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /etc/caddy/Caddyfile:8 - Error during parsing: missing API token
Jun 03 04:37:43 s1.example.com systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jun 03 04:37:43 s1.example.com systemd[1]: caddy.service: Failed with result 'exit-code'.

If I change the {env.CLOUDFLARE_API_TOKEN} to the actual token, it works just fine. I'm sure it's just something stupid I'm doing, but I haven't been able to resolve it.

Fails to build: cannot use h.allow0RTT (variable of type bool) as tls.QUICSessionTicketOptions

I've run xcaddy build --with github.com/caddy-dns/cloudflare on the latest Go (1.21.0 linux/amd64), and it fails because of quic-go for some reason (I assume a generic types error?):

2023/08/08 21:57:39 [INFO] Temporary folder: /tmp/buildenv_2023-08-08-2157.3516867617
2023/08/08 21:57:39 [INFO] Writing main module: /tmp/buildenv_2023-08-08-2157.3516867617/main.go
package main

import (
	caddycmd "github.com/caddyserver/caddy/v2/cmd"

	// plug in Caddy modules here
	_ "github.com/caddyserver/caddy/v2/modules/standard"
	_ "github.com/caddy-dns/cloudflare"
)

func main() {
	caddycmd.Main()
}
2023/08/08 21:57:39 [INFO] Initializing Go module
2023/08/08 21:57:39 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go mod init caddy
go: creating new go.mod: module caddy
go: to add module requirements and sums:
go mod tidy
2023/08/08 21:57:39 [INFO] Pinning versions
2023/08/08 21:57:39 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go get -d -v github.com/caddyserver/caddy/v2
go: added github.com/beorn7/perks v1.0.1
go: added github.com/caddyserver/caddy/v2 v2.7.3
go: added github.com/caddyserver/certmagic v0.19.1
go: added github.com/cespare/xxhash/v2 v2.2.0
go: added github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572
go: added github.com/golang/mock v1.6.0
go: added github.com/golang/protobuf v1.5.3
go: added github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1
go: added github.com/google/uuid v1.3.0
go: added github.com/klauspost/cpuid/v2 v2.2.5
go: added github.com/libdns/libdns v0.2.1
go: added github.com/matttproud/golang_protobuf_extensions v1.0.1
go: added github.com/mholt/acmez v1.2.0
go: added github.com/miekg/dns v1.1.55
go: added github.com/onsi/ginkgo/v2 v2.9.5
go: added github.com/prometheus/client_golang v1.14.0
go: added github.com/prometheus/client_model v0.3.0
go: added github.com/prometheus/common v0.37.0
go: added github.com/prometheus/procfs v0.8.0
go: added github.com/quic-go/qpack v0.4.0
go: added github.com/quic-go/qtls-go1-20 v0.3.1
go: added github.com/quic-go/quic-go v0.37.3
go: added github.com/zeebo/blake3 v0.2.3
go: added go.uber.org/multierr v1.11.0
go: added go.uber.org/zap v1.25.0
go: added golang.org/x/crypto v0.11.0
go: added golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
go: added golang.org/x/mod v0.11.0
go: added golang.org/x/net v0.12.0
go: added golang.org/x/sys v0.10.0
go: added golang.org/x/term v0.10.0
go: added golang.org/x/text v0.11.0
go: added golang.org/x/tools v0.10.0
go: added google.golang.org/protobuf v1.31.0
2023/08/08 21:57:42 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go get -d -v github.com/caddy-dns/cloudflare github.com/caddyserver/caddy/v2
go: added github.com/caddy-dns/cloudflare v0.0.0-20230807034102-74f004e1c1ab
go: added github.com/libdns/cloudflare v0.1.0
2023/08/08 21:57:44 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go get -d -v
2023/08/08 21:57:54 [INFO] Build environment ready
2023/08/08 21:57:54 [INFO] Building Caddy
2023/08/08 21:57:54 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go mod tidy -e
2023/08/08 21:57:54 [INFO] exec (timeout=0s): /home/v1rtl/go/bin/go build -o /home/v1rtl/caddy -ldflags -w -s -trimpath
# github.com/quic-go/quic-go/internal/handshake
/home/v1rtl/go/pkg/mod/github.com/quic-go/[email protected]/internal/handshake/crypto_setup.go:362:37: cannot use h.allow0RTT (variable of type bool) as tls.QUICSessionTicketOptions value in argument to h.conn.SendSessionTicket
2023/08/08 21:57:56 [INFO] Cleaning up temporary folder: /tmp/buildenv_2023-08-08-2157.3516867617
2023/08/08 21:57:56 [FATAL] exit status 1

Building with latest Caddy version fails (undefined: caddytls.DNSProviderMaker)

Hi,

I attempted building Caddy 2 with xcaddy. However, it seems caddytls.DNSProviderMaker is no longer included (I assumed this because of this commit, which stated that you'd removed the DNSProviderMaker interface, which I'm assuming this module relies on?). So I obviously was not able to build correctly.

2020/05/27 19:57:50 [INFO] Build environment ready
2020/05/27 19:57:50 [INFO] Building Caddy
2020/05/27 19:57:50 [INFO] exec (timeout=0s): /usr/bin/go build -o /home/go/bin/caddy -ldflags -w -s -trimpath 
# github.com/caddyserver/tls.dns/providers/cloudflare
/home/go/pkg/mod/github.com/caddyserver/[email protected]/providers/cloudflare/cloudflare.go:75:7: undefined: caddytls.DNSProviderMaker
2020/05/27 19:58:02 [INFO] Cleaning up temporary folder: /tmp/buildenv_2020-05-27-1957.673318377
2020/05/27 19:58:02 [FATAL] exit status 2

Here's the command I used, by the way:

./xcaddy build --with github.com/caddyserver/caddy/v2/modules/standard --with github.com/caddyserver/tls.dns/providers/cloudflare

Not sure if I've done something wrong or this interface is simply missing.

Thanks.

Not able to create certs in Windows

I want to add the DNS challenge for multiple sub-domains, but I can't get it to work with the latest Caddy version on Windows.

PS C:\caddy> .\caddy.exe version
2021/03/27 12:29:49 WARNING: proto: file "pb.proto" is already registered
A future release will panic on registration conflicts. See:
https://developers.google.com/protocol-buffers/docs/reference/go/faq#namespace-conflict

v2.4.0-beta.1 h1:Ed/tIaN3p6z8M3pEiXWJL/T8JmCqV62FrSJCHKquW/I=

Caddyfile

{
    # Enable Debug mode
    debug

    # Disable admin console
    admin off

    # Default email for tls
    email {email-here}

    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
(common) {
    tls {
        issuer acme {
            # dir https://acme-staging-v02.api.letsencrypt.org/directory
            dir https://acme-v02.api.letsencrypt.org/directory
            resolvers 1.1.1.1 1.0.0.1
            dns cloudflare {api-token-here}
        }
        alpn http2
    }
    log {
        output stdout
        format console
    }
}

nextcloud.dexome.com {
    import common
    reverse_proxy https://dex-nextcloud {
        transport http {
            tls_insecure_skip_verify
        }
    }
    log {
        output file log/nextcloud.json
    }
}

movies.dexome.com {
    import common
    @local_subnets {
        remote_ip 10.100.30.0/24 10.100.20.0/24
    }
    reverse_proxy @local_subnets http://daemon.dexome.com:7878
    log {
        output file log/radarr.json
    }
}

This is the output from caddy
output.txt

P.S. I am able to create certs using win-acme just fine, so the problem seems to be on the Caddy or caddy-dns side.

Read API token from file instead of environment variable

I am trying to spin up Caddy in a Docker container, passing a secret in the docker-compose file. Ref: https://docs.docker.com/engine/swarm/secrets/

Docker intentionally requires the contents of the secret to be in a file and not an environment variable. In a compose file it looks like:

services:
  reverseproxy:
    container_name: caddy
    build: .
    ports:
      - 443:443
      - 80:80
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - /shares/caddy/data:/data
      - /shares/caddy/config:/config
    secrets:
      - cloudflare-api-key
      
secrets:
  cloudflare-api-key:
    file: ./cloudflare-api-key.secret

At runtime, that copies the contents of the file ./cloudflare-api-key.secret into /run/secrets/cloudflare-api-key in a tmpfs in the container (see the docs linked above for an explanation).

Is it possible to pass the API token as a path to a file rather than an environment variable?

tls {
    dns cloudflare /run/secrets/cloudflare-api-key
}
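The file-to-environment bridge for the Docker secrets mechanism the post describes, as an added shell example that is not part of caddy-dns/cloudflare or of the post: an entrypoint helper that reads the secret from /run/secrets/cloudflare-api-key (the tmpfs path from the compose snippet above), exports it as CF_API_TOKEN so the Caddyfile can keep using the {env.CF_API_TOKEN} placeholder from the README, and refuses to start Caddy when the mount is missing or empty. The function names, the CF_TOKEN_FILE override and the caddy run command line are assumptions, not project conventions.

```shell
# Added example (not part of caddy-dns/cloudflare): load a Docker secret file
# into the CF_API_TOKEN environment variable before handing off to caddy.
# The secret path and variable name are assumptions matching the compose
# snippet in the post and the README's {env.CF_API_TOKEN} placeholder.

# read_secret_file PATH
# Prints the secret with trailing newlines stripped. Fails when the file is
# missing, unreadable or empty, so a broken secret mount is caught at start-up
# instead of surfacing later as a Cloudflare "Invalid request headers" error.
read_secret_file() {
    path=$1
    if [ ! -r "$path" ]; then
        echo "secret file not readable: $path" >&2
        return 1
    fi
    # command substitution drops trailing newlines (editors usually add one)
    value=$(cat "$path")
    if [ -z "$value" ]; then
        echo "secret file is empty: $path" >&2
        return 1
    fi
    printf '%s' "$value"
}

# load_cf_token [PATH]
# Exports CF_API_TOKEN from the secret file; defaults to Docker's tmpfs path.
# Only the token length is logged, never its value.
load_cf_token() {
    secret_path=${1:-/run/secrets/cloudflare-api-key}
    token=$(read_secret_file "$secret_path") || return 1
    CF_API_TOKEN=$token
    export CF_API_TOKEN
    echo "CF_API_TOKEN loaded from $secret_path (${#token} chars)" >&2
}

# caddy_entrypoint [CADDY ARGS...]
# Drop-in container ENTRYPOINT: load the token, then exec caddy so it stays
# PID 1 and receives container stop signals directly. CF_TOKEN_FILE is an
# assumed override for the secret path.
caddy_entrypoint() {
    load_cf_token "${CF_TOKEN_FILE:-/run/secrets/cloudflare-api-key}" || exit 1
    exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile "$@"
}
```

Wire it in by copying the script into the image and ending it with `caddy_entrypoint "$@"` as the container's ENTRYPOINT; the token then exists only in the caddy process environment and in the tmpfs secret, never in the compose file or the image layers. This is a workaround built on the environment-variable form the README documents, not an answer to whether the module itself accepts a file path.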
