Cloudflare Origin CA Bot
cfcabot
This is a client, inspired by Let's Encrypt's certbot, which makes it easy to request and
automatically renew Cloudflare Origin CA certificates.
This only works on Linux.
Installation
Install Node.js v6 or later. You will also need openssl available on the command line.
Then install it via npm:
$ sudo npm install -g --unsafe-perm true cloudflare-ca-bot
The --unsafe-perm true argument is required so that the install script can run as root, which is required to create
directories in /etc.
Finally, run it (as any user):
$ cfcabot
Command syntax:
$ cfcabot <command> [flags]
Available commands:
apikey: Set or update your Cloudflare CA API key (you will need to do this first)list: List all certificates known to this machine (all these certs will be renewed when you use "renew")new: Interactively get a new certificate (you will want to start here once you set your API key)- The output of this command will tell you where on the file system you can find your private key and certificate
renew: Non-interactively renew all certificates that need renewal (all certs that expire in 14 or fewer days)- Use
--forceflag to force renewal of all certificates regardless of whether renewal is needed - It is completely safe (and recommended) to use this command more frequently than needed. It will only make requests
to Cloudflare if the certificate will imminently expire (it checks the local disk to know when it expires). It would
be a good idea to run
renewdaily on a cronjob.
- Use
revoke: Interactively revoke a certificate
Security
This application is designed assuming that you fully control the operating system on which you use it. All certificates
and private keys are stored in /etc/cfcabot which is accessible to any user on the system (so that you can run
cfcabot as an unprivileged user and still have the keys accessible to your webserver). Your Cloudflare Origin CA API
key is stored in your user's home directory, however.