This is a hook for the Let's Encrypt ACME client dehydrated (previously known as letsencrypt.sh) that allows you to use CloudFlare DNS records to respond to dns-01 challenges. Requires Python and your CloudFlare account e-mail and API key being in the environment.
$ cd ~
$ git clone https://github.com/lukas2511/dehydrated
$ cd dehydrated
$ mkdir hooks
$ git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook hooks/cloudflare
If you are using Python 3:
$ pip install -r hooks/cloudflare/requirements.txt
Otherwise, if you are using Python 2 (make sure to also check the urllib3 documentation for possible caveats):
$ pip install -r hooks/cloudflare/requirements-python-2.txt
Your account's CloudFlare email and API key are expected to be in the environment, so make sure to:
$ export CF_EMAIL='[email protected]'
$ export CF_KEY='K9uX2HyUjeWg5AhAb'
The directory Proxmox nodes are in defaults to /etc/pve/nodes/, but can be overridden
$ export PVE_NODE_DIR='/etc/pve/nodes/'
If you're requesting multiple certificates, the last one registered will be the one that remains. Thus, if you might be requesting multiple certs, make sure to define the cert you wish to copy:
$ export PVE_CERT='example.com'
Optionally, you can specify the DNS servers to be used for propagation checking via the CF_DNS_SERVERS environment variable (props bennettp123):
$ export CF_DNS_SERVERS='8.8.8.8 8.8.4.4'
If you want more information about what is going on while the hook is running:
$ export CF_DEBUG='true'
Alternatively, these statements can be placed in dehydrated/config, which is automatically sourced by dehydrated on startup:
echo "export [email protected]" >> config
echo "export CF_KEY=K9uX2HyUjeWg5AhAb" >> config
echo "export CF_DEBUG=true" >> config
$ ./dehydrated -c -d example.com -t dns-01 -k 'hooks/cloudflare/hook.py'
#
# !! WARNING !! No main config file found, using default config!
#
Processing example.com
+ Signing domains...
+ Creating new directory /home/user/dehydrated/certs/example.com ...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for example.com...
+ CloudFlare hook executing: deploy_challenge
+ DNS not propagated, waiting 30s...
+ DNS not propagated, waiting 30s...
+ Responding to challenge for example.com...
+ CloudFlare hook executing: clean_challenge
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ CloudFlare hook executing: deploy_cert
+ ssl_certificate: /home/user/dehydrated/certs/example.com/fullchain.pem
+ ssl_certificate_key: /home/user/dehydrated/certs/example.com/privkey.pem
+ Done!
If you want some prose to go with the code, check out the relevant blog post here: From StartSSL to Let's Encrypt, using CloudFlare DNS.