
Wildcard certificates with Cloudflare #244

Open
kategray opened this issue Mar 23, 2021 · 3 comments
Comments


kategray commented Mar 23, 2021

Hello,

This isn't an issue, just a heads up in case you find this useful.

I was able to get wildcard domains working nicely in apache2 2.4.46-4+deb.sury.org+1+ubuntu20.04.1+deb.sury.org+5 with Cloudflare.

(Sorry for the version number, it's from the sury PPA).

I ended up writing a utility to use the Cloudflare API. I had to add a 5 second sleep in there to give CF a chance to catch up or it would cycle a lot.

https://github.com/kategray/dns-challenge-cloudflare

The config file I'm using is essentially:

<IfModule mod_ssl.c>
	<MDomain xyz.cloud>
		MDMember *.xyz.cloud
	</MDomain>
	MDChallengeDns01 /sbin/dns-challenge
	MDCertificateAgreement accepted
	MDContactEmail [email protected]
	MDCAChallenges dns-01
	<VirtualHost _default_:443>
		ServerAdmin [email protected]
		ServerName xyz.cloud
		...
	</VirtualHost>
</IfModule>
kategray (Author) commented Mar 23, 2021

Hmm. I didn't find it googling, but saw a reference to this script in another issue.

https://github.com/icing/mod_md/blob/master/contrib/md_events/dns_scripts/dns_add_cloudflare

Could have saved a few hours of time, though looking through the script it looks a fair bit less efficient, given that it gets all the domains to do it. Mine just makes an API call to get the ID.

icing (Owner) commented Mar 23, 2021

Thanks for getting this to work and getting in touch. I do not have a cloud fronting myself, so it is always good to get feedback.

I think I'll point to this issue from the README, so people have it easier finding a solution. While all other challenge methods are in control of Apache, the DNS and its visibility will vary from provider to provider and having the challenge script sleep for a while is perfectly fine, as ACME does not block anything else in the server.

kategray (Author) commented:

If there's enough demand, I might convert this from being CF-specific to a more generalized approach, probably starting with Office 365 DNS and AWS.

It's not a hard thing to do, in particular. It's just a pain to do it right.
