Skip to content
Use CloudFlare with dehydrated (formerly and DNS challenges
Branch: master
Clone or download

Latest commit


Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore Add .gitignore Oct 11, 2016 Be less British... Oct 11, 2016 Added CF_DEBUG option Oct 25, 2016
requirements-python-2.txt Fixed #17 -- Updated dnspython to 1.15.0 Oct 5, 2016
requirements.txt dnspython3 superseded by the regular dnspython kit Oct 11, 2016

CloudFlare hook for dehydrated

This is a hook for the Let's Encrypt ACME client dehydrated (previously known as that allows you to use CloudFlare DNS records to respond to dns-01 challenges. Requires Python and your CloudFlare account e-mail and API key being in the environment.


$ cd ~
$ git clone
$ cd dehydrated
$ mkdir hooks
$ git clone hooks/cloudflare

If you are using Python 3:

$ pip install -r hooks/cloudflare/requirements.txt

Otherwise, if you are using Python 2 (make sure to also check the urllib3 documentation for possible caveats):

$ pip install -r hooks/cloudflare/requirements-python-2.txt


Your account's CloudFlare email and API key are expected to be in the environment, so make sure to:

$ export CF_EMAIL=''
$ export CF_KEY='K9uX2HyUjeWg5AhAb'

Optionally, you can specify the DNS servers to be used for propagation checking via the CF_DNS_SERVERS environment variable (props bennettp123):

$ export CF_DNS_SERVERS=''

If you want more information about what is going on while the hook is running:

$ export CF_DEBUG='true'

Alternatively, these statements can be placed in dehydrated/config, which is automatically sourced by dehydrated on startup:

echo "export" >> config
echo "export CF_KEY=K9uX2HyUjeWg5AhAb" >> config
echo "export CF_DEBUG=true" >> config


$ ./dehydrated -c -d -t dns-01 -k 'hooks/cloudflare/'
# !! WARNING !! No main config file found, using default config!
 + Signing domains...
 + Creating new directory /home/user/dehydrated/certs/ ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for
 + CloudFlare hook executing: deploy_challenge
 + DNS not propagated, waiting 30s...
 + DNS not propagated, waiting 30s...
 + Responding to challenge for
 + CloudFlare hook executing: clean_challenge
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + CloudFlare hook executing: deploy_cert
 + ssl_certificate: /home/user/dehydrated/certs/
 + ssl_certificate_key: /home/user/dehydrated/certs/
 + Done!

Further reading

If you want some prose to go with the code, check out the relevant blog post here: From StartSSL to Let's Encrypt, using CloudFlare DNS.

You can’t perform that action at this time.