Is my config okay or do I need to install the Cloudflare module?

Howdy @carrynewb! There’s a fair bit of meat to your post so I’ll try to run through really quick.

Not exactly. ACME certificate requisition doesn’t require your DNS provider’s API access at all. If your website is internet-facing, it can just try port 80 or port 443 and talk directly to your server. Caddy will still automatically update your certificate on a schedule and you won’t need to manually intervene for this to happen.

A Cloudflare API key enables the use of DNS validation (as opposed to HTTP or TLS-ALPN validation), which is a different process that doesn’t require your webserver to be publicly accessible.

Strictly speaking, no. It should work just fine without it. Even behind the “orange cloud” - Caddy might have a very brief delay while it grapples with that, but it’ll figure it out pretty quick and get it sorted.

Yes. You’ll need to replace the Caddy binary that’s currently installed with one with the module.

You might be able to do this really easily by running: sudo caddy add-package github.com/caddy-dns/cloudflare

This might be because Caddy is running already. You might need to stop it first before replacing it with that curl command.

Since you installed with apt, you should be able to remove with: sudo apt remove caddy

But you may want to leave it installed because it comes with systemd service configuration, etc.; it might be preferable just to replace the binary, i.e. with that curl command or with caddy add-package.

You could definitely do this!

It’s possible in Caddy itself, using request matchers to reject requests from IPs that aren’t allowed. It’s far, far more efficient to do this at your firewall, though, which is beyond the scope of Caddy.

This introduces a bit of a problem, though; it WILL break LetsEncrypt validation on ports 80/443 unless you specifically allow all the LetsEncrypt IPs. Then you will need the Cloudflare API key and the module.

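As an added illustration (not part of the reply above, and not an official Caddy or caddy-dns/cloudflare example), here is a Caddyfile that puts the two points of the reply together: DNS validation via the Cloudflare module, so certificate issuance keeps working even when ports 80/443 are closed to the public, plus a request matcher that rejects clients outside an allowed set of addresses. The domain, the backend port, the CIDR ranges (RFC 5737 documentation ranges) and the `CF_API_TOKEN` environment variable name are placeholders to replace.

```caddyfile
# Added example, not from the original post. Placeholders: example.com,
# localhost:8080, the CIDR ranges and the CF_API_TOKEN variable name.
example.com {
    # DNS validation through the caddy-dns/cloudflare module. This needs a
    # Caddy binary built with that module (e.g. via `caddy add-package`).
    # The ACME challenge is answered through Cloudflare's DNS API, so it
    # does not depend on ports 80/443 being reachable from the internet.
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Only clients from the allowed ranges reach the backend; everyone
    # else gets a 403. The reply notes a firewall rule is cheaper, but this
    # is the in-Caddy version using the remote_ip request matcher.
    @allowed remote_ip 203.0.113.0/24 198.51.100.0/24
    handle @allowed {
        reverse_proxy localhost:8080
    }
    handle {
        respond "Forbidden" 403
    }
}
```

One caveat if the site is proxied through Cloudflare (the “orange cloud”): `remote_ip` then sees Cloudflare’s edge addresses rather than the visitor’s, so an allowlist written this way would have to account for that.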