Cloudflare Plugin Seems Broken

The API key and email are correct, the domain exists and I tested making a request on postman to the Cloudflare API an it works fine. However, Caddy spits out this error… Am I doing anything wrong?

acme: error presenting token: cloudflare: failed to find zone domain.: ListZones command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"

Here’s my Caddyfile:

domain {
        root /var/www/html/domain
        gzip
        tls {
            dns cloudflare
        }
}

My service file:


[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=www-data
Group=www-data

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
Environment=CLOUDFLARE_EMAIL=email
Environment=CLOUDFLARE_API_KEY=key
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log /var/log/caddy.err -agree -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWritePaths=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Are you, by chance, using a limited-scope API token instead of your account-wide API key?

The Cloudflare DNS plugin doesn’t support these types of tokens yet.

Thanks for your reply :slight_smile:
Yes I believe I am, but I’m unsure how to create a token any other way on Cloudflare - do you know?
Thanks again.

In your Profile, under API Tokens, there’s another section called API Keys. There should be a Global API Key there. You need to use your email and that Global API Key for the DNS plugin.

You’re right, thanks so much. Do you know if all the Cloudflare utilities will work as normal with the Caddy plugin (e.g caching) or will it no longer work like that anymore?

You can certainly get Caddy functioning behind Cloudflare’s “orange cloud”.

There’s one very common pitfall that some people get drawn into that results in infinite redirection. I’ve written a bit about it here: Infinite redirection

Give that a read and you should be pretty well armed to run Caddy neatly combined with Cloudflare’s features.

Great, thanks @Whitestrake.

Do you know if this will also work behind a Cloudflare load balancer?

Thanks again so much for your help

If you’ve got multiple Caddy servers on different hosts, behind a load balancer, you’ll want to look into using a shared storage for the TLS assets.

Caddy handles clustering automatically and very neatly if you, for example, have the assets on a shared network file system (see: https://caddyserver.com/blog/caddy-0_10_12-released#improved-automatic-https-in-a-cluster).

Yeah, so if I use the Redis plugin for sharing TLS resources and have both behind a Cloudflare loadbalancer, it should work fine - right?

Should work quite well!

Thanks for all your help :slight_smile:

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.