tobychui/zoraxy

[HELP] LetsEncrypt dns-01 update with wildcard domain on CloudFlare?

Closed this issue · 4 comments

What happened?
I cannot figure out how to install a LetsEncrypt wildcard certificate using Cloudflare's DNS. I rely on the dns-01 method of certificate renewal as my ISP does not allow me to run services on port 80 for me to use the http-01 method.

Describe what you have tried
Looked for guides on how to do this, but came up with nothing.

Describe the networking setup you are using
I am running a Zoraxy container on top of a Mikrotik CRS2116. It is connected to my ppc64el+RPi Cluster VM/Container LAN via a Layer3 network using the CRS2116.

I had to make my own Mikrotik configuration for this container, as well as turn on the container functionality, which is described in the Mikrotik Container guide HERE.

It seems to boot and work as expected with the configuration below:

/container config
set registry-url=https://registry-1.docker.io tmpdir=nvme1/tmp
/container mounts
add dst=/opt/zoraxy/config name=zoraxy_config src=/nvme1/zoraxy/config
/container envs
add key=ARGS name=zoraxy_envs value="-noauth=false"
add key=PORT name=zoraxy_envs value=8000
add key=FASTGEOIP name=zoraxy_envs value=true
/container
add comment=Zoraxy dns=172.17.0.2 envlist=zoraxy_envs interface=docker_zoraxy \
    logging=yes mounts=zoraxy_config root-dir=nvme1/zoraxy/root start-on-boot=\
    yes workdir=/opt/zoraxy/config/ remote-image=zoraxydocker/zoraxy:latest

Additional context
If there could be an update to the wiki that shows how to set up a LetsEncrypt wildcard using DNS, I would be able to close this ticket and move on with my migration to Zoraxy.

I am confused about the DNS Challenge Auth/Key fields. Auth Email, Key, Token, and Zone Token are filled out to the best of my abilities, and this is where I have the most confusion. I am also adding the error I am getting when trying to do a certificate update.

Error: one or more domains had a problem: [testdomain.domain.com] [testdomain.domain.com] acme: error presenting token: cloudflare: failed to find zone domain.com.: ListZonesContext command failed: Invalid request headers (6003)

I am sure that I am missing something; I just wanted to see if there was anyone here that could provide me an existing guide or configuration to do this.

Okay, I think I found a solution, using issue #215 as a foundation for understanding what all the fields mean. I will have to wait for my rate limit to go away, since I have been testing this a bit too much, according to LetsEncrypt.

Hi @krosseyed

I am confused about the DNS Challenge Auth/Key fields. Auth Email, Key, Token, and Zone Token are filled out to the best of my abilities, and this is where I have the most confusion.

There is a link located at the bottom of the DNS credential form which shows you what to fill in. In your case, it will be the lego Cloudflare config: https://go-acme.github.io/lego/dns/cloudflare/

I will have to wait for my rate limit to go away, since I have been testing this a bit too much, according to LetsEncrypt.

But if you are using Cloudflare, you can use their wildcard certificate service and do a full strict (proxy) mode to your server. That way, you will not need to handle the renewal yourself and the CF full strict cert can last as long as 15 years.
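The lego Cloudflare provider linked above accepts two mutually exclusive credential sets: Auth Email plus the global API Key, or a scoped DNS API Token with an optional Zone API Token (lego falls back to the DNS token for zone lookups when the zone token is empty). The added example below is not Zoraxy's or lego's code; it is a pre-flight check that maps the four form fields onto the HTTP headers Cloudflare expects and rejects blank, mixed or whitespace-damaged input before it can reach the ListZones call as a malformed header, the step that produced the "Invalid request headers (6003)" error in this issue. Field and type names are this example's own.

```go
package main

import (
	"errors"
	"strings"
)

// CloudflareCreds holds the four fields of the DNS credential form; they map onto lego's
// CLOUDFLARE_EMAIL, CLOUDFLARE_API_KEY, CLOUDFLARE_DNS_API_TOKEN and CLOUDFLARE_ZONE_API_TOKEN.
type CloudflareCreds struct {
	Email, APIKey, DNSToken, ZoneToken string
}

// CloudflareAuth is the resolved scheme: Zone holds the headers for the zone lookup
// (the ListZones step that failed in the issue), Records those for the TXT record edits.
type CloudflareAuth struct {
	Mode          string
	Zone, Records map[string]string
}

// ResolveAuth validates the form and selects exactly one authentication scheme. A scoped
// token (Authorization: Bearer) is preferred over the account-wide global key
// (X-Auth-Email/X-Auth-Key). Blank, mixed or whitespace-damaged input is rejected here
// instead of reaching Cloudflare as a malformed request header.
func ResolveAuth(c CloudflareCreds) (CloudflareAuth, error) {
	fields := map[string]*string{"Email": &c.Email, "API Key": &c.APIKey,
		"Token": &c.DNSToken, "Zone Token": &c.ZoneToken}
	for name, p := range fields {
		*p = strings.TrimSpace(*p) // copy-paste often adds a trailing newline
		if strings.ContainsAny(*p, " \t\r\n") {
			return CloudflareAuth{}, errors.New(name + " contains whitespace")
		}
	}
	switch {
	case c.DNSToken != "" && (c.Email != "" || c.APIKey != ""):
		return CloudflareAuth{}, errors.New("fill either Email+API Key or Token(s), not both")
	case c.DNSToken != "":
		if c.ZoneToken == "" { // lego reuses the DNS token for zone lookups
			c.ZoneToken = c.DNSToken
		}
		return CloudflareAuth{Mode: "token",
			Zone:    map[string]string{"Authorization": "Bearer " + c.ZoneToken},
			Records: map[string]string{"Authorization": "Bearer " + c.DNSToken}}, nil
	case c.Email != "" && c.APIKey != "":
		h := map[string]string{"X-Auth-Email": c.Email, "X-Auth-Key": c.APIKey}
		return CloudflareAuth{Mode: "global-key", Zone: h, Records: h}, nil
	}
	return CloudflareAuth{}, errors.New("need a Token, or both Email and API Key")
}
```

A token-only configuration with a Zone DNS:Read and DNS:Edit scope on just the zone being issued is the least-privilege choice; the global key grants access to the whole account and should only be used when a scoped token cannot.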

Hey @tobychui !

I was able to fix my troubles using your suggestion of leveraging the origin certificate, which, as you said, lasts 15 (!) years. I should be good now for a while when it comes to getting Zoraxy as my web ingress point.

Thanks for making this application! It works very well and I have it running in a few spots. This has become VERY convenient as dropping a container onto a Mikrotik device provides relatively easy web access to local devices.

I will close this comment and I hope that this helps others in the future.