Cloudflare Origin CA Bot
This only works on Linux.
Install Node.js v6 or later. You will also need openssl available on the command line.
Then install it via npm:
$ sudo npm install -g --unsafe-perm true cloudflare-ca-bot
The --unsafe-perm true argument is required so that the install script can run as root, which is required to create
Finally, run it (as any user):
$ cfcabot <command> [flags]
apikey: Set or update your Cloudflare CA API key (you will need to do this first)
list: List all certificates known to this machine (all these certs will be renewed when you use "renew")
new: Interactively get a new certificate (you will want to start here once you set your API key)
- The output of this command will tell you where on the file system you can find your private key and certificate
renew: Non-interactively renew all certificates that need renewal (all certs that expire in 14 or fewer days)
- Use the --force flag to force renewal of all certificates regardless of whether renewal is needed
- It is completely safe (and recommended) to use this command more frequently than needed. It will only make requests to Cloudflare if the certificate will imminently expire (it checks the local disk to know when it expires). It would be a good idea to run renew daily on a cronjob.
revoke: Interactively revoke a certificate
This application is designed assuming that you fully control the operating system on which you use it. All certificates and private keys are stored in /etc/cfcabot, which is accessible to any user on the system (so that you can run cfcabot as an unprivileged user and still have the keys accessible to your webserver). Your Cloudflare Origin CA API key is stored in your user's home directory, however.
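To see what that storage choice means on a given host, the following added example (not part of cfcabot) lists PEM private keys under a directory that have the "other" read bit set, and checks whether the directory itself is open to other users. It assumes the keys are PEM files with a standard "PRIVATE KEY" header and GNU find/stat; the layout inside /etc/cfcabot is not documented here, so every regular file is scanned, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not cfcabot code. Assumptions: PEM-encoded keys, GNU find/stat
# (Linux). The directory to audit is passed as an argument, e.g. /etc/cfcabot.

# list_exposed_keys DIR
# Prints "<octal mode> <path>" for every regular file under DIR that contains
# a PEM private key header and is readable by "other".
list_exposed_keys() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -004 keeps only files whose other-read bit is set; grep -l then
    # keeps only those that actually hold a private key (RSA, EC, PKCS#8, ...).
    find "$dir" -type f -perm -004 \
        -exec grep -lE -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' {} + 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(stat -c '%a' "$f")" "$f"
    done
}

# dir_world_accessible DIR
# Succeeds when "other" can both list and traverse DIR (mode bits o+rx).
# If this fails, other users cannot reach the files through DIR even when
# the files themselves are world-readable.
dir_world_accessible() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -005 2>/dev/null)" ]
}

# Stand-alone use: sh audit.sh /etc/cfcabot
if [ "$#" -gt 0 ]; then
    if dir_world_accessible "$1"; then
        echo "$1 is listable and traversable by any local user"
    fi
    list_exposed_keys "$1"
fi
```

Any path it prints is a private key that every local account can read, so the output is a quick way to decide whether the host really is single-tenant in the sense the paragraph above assumes.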