Cloudflare Plugin Seems Broken

The API key and email are correct, the domain exists and I tested making a request in Postman to the Cloudflare API and it works fine. However, Caddy spits out this error… Am I doing anything wrong?

acme: error presenting token: cloudflare: failed to find zone domain.: ListZones command failed: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":6003,\"message\":\"Invalid request headers\",\"error_chain\":[{\"code\":6103,\"message\":\"Invalid format for X-Auth-Key header\"}]}],\"messages\":[],\"result\":null}"

Here’s my Caddyfile:

domain {
    root /var/www/html/domain
    gzip
    tls {
        dns cloudflare
    }
}

My service file:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=www-data
Group=www-data

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
Environment=CLOUDFLARE_EMAIL=email
Environment=CLOUDFLARE_API_KEY=key
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log /var/log/caddy.err -agree -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWritePaths=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Are you, by chance, using a limited-scope API token instead of your account-wide API key?

The Cloudflare DNS plugin doesn’t support these types of tokens yet.

Thanks for your reply 🙂
Yes I believe I am, but I’m unsure how to create a token any other way on Cloudflare - do you know?
Thanks again.

In your Profile, under API Tokens, there’s another section called API Keys. There should be a Global API Key there. You need to use your email and that Global API Key for the DNS plugin.
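As an added illustration (not code from the thread or from the Caddy plugin): a small Python helper that builds the legacy email + Global API Key headers the DNS plugin sends, and walks the `error_chain` of the Cloudflare response quoted in the first post so a scoped token mistaken for the Global API Key is caught before Caddy attempts issuance. The shape check (37 hex characters for a Global API Key, 40 characters for an API token) is a heuristic assumption, not a documented format.

```python
import json
import re

# Constructed sample: the JSON body Caddy quoted in its
# "acme: error presenting token" message from the first post.
SAMPLE_ERROR_BODY = (
    '{"success":false,"errors":[{"code":6003,"message":"Invalid request headers",'
    '"error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],'
    '"messages":[],"result":null}'
)

# Heuristic (assumption): Global API Keys are 37 lowercase hex chars,
# scoped API tokens are 40 chars of letters, digits, '_' and '-'.
_GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")
_API_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")


def classify_credential(secret: str) -> str:
    # Returns 'global_key', 'api_token' or 'unknown' for a Cloudflare secret.
    if _GLOBAL_KEY_RE.match(secret):
        return "global_key"
    if _API_TOKEN_RE.match(secret):
        return "api_token"
    return "unknown"


def legacy_auth_headers(email: str, secret: str) -> dict:
    # The plugin authenticates with X-Auth-Email + X-Auth-Key, so refuse
    # anything that does not look like a Global API Key up front.
    kind = classify_credential(secret)
    if kind != "global_key":
        raise ValueError(f"CLOUDFLARE_API_KEY looks like {kind}, expected a Global API Key")
    return {"X-Auth-Email": email, "X-Auth-Key": secret}


def flatten_error_codes(body: str) -> list:
    # Collect every error code in a v4 API response, descending into error_chain.
    codes = []

    def walk(errors):
        for err in errors:
            codes.append(err.get("code"))
            walk(err.get("error_chain", []))

    walk(json.loads(body).get("errors", []))
    return codes


def explain_auth_failure(body: str) -> str:
    codes = flatten_error_codes(body)
    if 6103 in codes:
        return "X-Auth-Key rejected: value is not a Global API Key (scoped API token?)"
    if 6003 in codes:
        return "invalid request headers"
    return "no known auth error in response"
```

Because the Global API Key is account-wide, keeping it in a systemd `Environment=` line makes it readable to anyone who can read the unit file; a drop-in with restrictive permissions or `EnvironmentFile=` limits that exposure.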

You’re right, thanks so much. Do you know if all the Cloudflare utilities will work as normal with the Caddy plugin (e.g. caching) or will it no longer work like that anymore?

You can certainly get Caddy functioning behind Cloudflare’s “orange cloud”.

There’s one very common pitfall that some people get drawn into that results in infinite redirection. I’ve written a bit about it here: Infinite redirection - #5 by Whitestrake

Give that a read and you should be pretty well armed to run Caddy neatly combined with Cloudflare’s features.

Great, thanks @Whitestrake.

Do you know if this will also work behind a Cloudflare load balancer?

Thanks again so much for your help

If you’ve got multiple Caddy servers on different hosts, behind a load balancer, you’ll want to look into using a shared storage for the TLS assets.

Caddy handles clustering automatically and very neatly if you, for example, have the assets on a shared network file system (see: https://caddyserver.com/blog/caddy-0_10_12-released#improved-automatic-https-in-a-cluster).

Yeah, so if I use the Redis plugin for sharing TLS resources and have both behind a Cloudflare load balancer, it should work fine - right?

Should work quite well!

Thanks for all your help 🙂
