Use CloudFlare with dehydrated (formerly and DNS challenges
Switch branches/tags
Nothing to show
Clone or download

CloudFlare hook for dehydrated

This is a hook for the Let's Encrypt ACME client dehydrated (previously known as that allows you to use CloudFlare DNS records to respond to dns-01 challenges. Requires Python and your CloudFlare account e-mail and API key being in the environment.


$ cd ~
$ git clone
$ cd dehydrated
$ mkdir hooks
$ git clone hooks/cloudflare

If you are using Python 3:

$ pip install -r hooks/cloudflare/requirements.txt

Otherwise, if you are using Python 2 (make sure to also check the urllib3 documentation for possible caveats):

$ pip install -r hooks/cloudflare/requirements-python-2.txt


Your account's CloudFlare email and API key are expected to be in the environment, so make sure to:

$ export CF_EMAIL=''
$ export CF_KEY='K9uX2HyUjeWg5AhAb'

Optionally, you can specify the DNS servers to be used for propagation checking via the CF_DNS_SERVERS environment variable (props bennettp123):

$ export CF_DNS_SERVERS=''

If you want more information about what is going on while the hook is running:

$ export CF_DEBUG='true'

Alternatively, these statements can be placed in dehydrated/config, which is automatically sourced by dehydrated on startup:

echo "export" >> config
echo "export CF_KEY=K9uX2HyUjeWg5AhAb" >> config
echo "export CF_DEBUG=true" >> config


$ ./dehydrated -c -d -t dns-01 -k 'hooks/cloudflare/'
# !! WARNING !! No main config file found, using default config!
 + Signing domains...
 + Creating new directory /home/user/dehydrated/certs/ ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for
 + CloudFlare hook executing: deploy_challenge
 + DNS not propagated, waiting 30s...
 + DNS not propagated, waiting 30s...
 + Responding to challenge for
 + CloudFlare hook executing: clean_challenge
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + CloudFlare hook executing: deploy_cert
 + ssl_certificate: /home/user/dehydrated/certs/
 + ssl_certificate_key: /home/user/dehydrated/certs/
 + Done!

Further reading

If you want some prose to go with the code, check out the relevant blog post here: From StartSSL to Let's Encrypt, using CloudFlare DNS.