Comments (8)
Ugh, lame. Let me poke some people internally about this.
Though I guess this is still much better than the pre-api-token world...
from acme-dns-01-cloudflare.
Good news! With changes to Cloudflare's new zone-scoped roles, this no longer seems to be an issue. A "zone list" API request now returns just the zones an account has access to, without requiring the "all zones" permission 🥳
from acme-dns-01-cloudflare.
Hi Kenton, thanks so much for the info!
I actually noticed this myself on Friday when trying to generate a certificate but didn't get around to creating an issue or solution yet.
What do you think of something like this, which would allow users to pass in a zone map of domain => zone ID?
    const cloudflareDns01 = new acmeDnsCloudflare({
      token: 'xxxxxx',
      verifyPropagation: true,
      verbose: true,
      zones: {
        "example.com": "asdfgh",
        "example2.com": "zxcvbn"
      }
    });
The module could then first check the zones configuration as passed in, but fall back to querying Cloudflare's API for the zones if it needs to.
As a side note, allowing com.cloudflare.api.account.zone.list as a separate explicitly granted permission would be really awesome. 😉
from acme-dns-01-cloudflare.
Oh geez... The API doesn't provide any way to map a zone name to an ID without listing zones?
(Yeah this is not my department at Cloudflare. 😅)
from acme-dns-01-cloudflare.
As far as I can tell looking at https://api.cloudflare.com/#zone-list-zones, there's a filter name for the GET zones call, but no way to specify multiple filters. So if you wanted to create certs for 30 zones on your account, this would be 30 separate API calls vs 1 or 2 for a generic GET zones listing.
But, that's assuming the GET zones call would take into account permissions on specific zones, and with some quick testing, it doesn't seem to. Even if I explicitly do GET zones?name=example.com where example.com is a zone I have access to, I still receive the com.cloudflare.api.account.zone.list permission error until I set Zone -> Zone:Read for all zones.
Unless I'm missing an available API call on Cloudflare's end, the only 2 solutions that I can think of here (when using an API token, without API changes on Cloudflare's end) are passing in the zone names/IDs map to this module, or giving your API token access to all zones on the account, neither of which is ideal. 😕
from acme-dns-01-cloudflare.
Yeah, a revocable token is still way better than a global API key, even if you have to give it more permissions than really intended. 😀
I'll see about updating the README here shortly with the new permission information. Hopefully we can find a better solution soon!
from acme-dns-01-cloudflare.
I checked internally and it seems like there is a desire to fix this, but it's not as easy as it looks, so probably shouldn't expect it to change in the near term.
I guess having some way to specify zone tags manually might be neat though I expect most people won't want to do the work of looking them all up.
from acme-dns-01-cloudflare.
Thanks for the update. I'll think about this a little and see what I want to do. Specifying a zones map could be a nice interim feature, and just fall back to using the API for those who don't wish to configure this, or for missing zones, with hopefully a better solution coming in the future.
from acme-dns-01-cloudflare.
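The lookup order discussed in this thread (configured zones map first, zone listing only as a fallback), sketched as an added example that is not the module's own code. The names matchZone, resolveZoneId and listZones are hypothetical; listZones is an injected stand-in for the Cloudflare GET zones call, and the zone IDs are the placeholders used in the thread.

```javascript
// Added example: matchZone, resolveZoneId and listZones are hypothetical names.

// Return the configured zone that is the longest label-aligned suffix of the
// domain, so "notexample.com" never matches the zone "example.com".
function matchZone(domain, zones) {
  const name = domain.toLowerCase().replace(/^\*\./, '').replace(/\.$/, '');
  let best = null;
  for (const [zone, id] of Object.entries(zones)) {
    const z = zone.toLowerCase();
    const matches = name === z || name.endsWith('.' + z);
    if (matches && (!best || z.length > best.name.length)) best = { name: z, id };
  }
  return best;
}

// Configured map first; the account-wide zone listing is only requested when
// the map has no match. listZones is an injected async function (assumption)
// returning [{ name, id }], standing in for the Cloudflare "GET zones" call.
async function resolveZoneId(domain, zones, listZones) {
  const configured = matchZone(domain, zones || {});
  if (configured) return { id: configured.id, source: 'config' };
  const listed = {};
  for (const z of await listZones()) listed[z.name] = z.id;
  const found = matchZone(domain, listed);
  if (!found) throw new Error(`no zone found for ${domain}`);
  return { id: found.id, source: 'api' };
}

// Constructed demo data: zone IDs are the placeholders used in the thread.
const zones = { 'example.com': 'asdfgh', 'example2.com': 'zxcvbn' };
const stubList = async () => [{ name: 'example3.com', id: 'qwerty' }];
resolveZoneId('_acme-challenge.www.example2.com', zones, stubList)
  .then((r) => console.log(r));
```

When every certificate domain is covered by the map, the listing function is never called, so the token does not need read access to all zones on the account.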