Feature Request: New SSL provider CloudFlare Origin CA

[tangrufus]

Generate a cert by cli for example.com, *.example.com, *.another.com when this example config is given:

wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.com
        redirects:
          - www.example.com
          - ww2.example.com
          - www.another.com
    ssl:
      enabled: true
      provider: cloudflare

It should:

• add cloudflare package repository https://pkg.cloudflare.com/
• root@server# apt-get install cfca
• calculate a list of hostnames, e.g.: example.com, *.example.com, *.another.com
• root@server# CF_API_KEY=XXXXX cfca getcert -hostnames example.com,*.example.com,*.another.com -key-out /etc/nginx/ssl/cloudflare.key -certificate-out /etc/nginx/ssl/cloudflare.pem -overwrite
• Update /etc/nginx/nginx.conf template

See:

• https://blog.cloudflare.com/cloudflare-ca-encryption-origin/
• https://support.cloudflare.com/hc/en-us/articles/217471977

[partounian]

This is great! You are on a roll @tangrufus , this would be so useful for people like me who hopped on CloudFlare and realized they needed to add SSL for one more domain. I had to wait to propagate back to the original DNS, run commands, make sure everything is okay, then back over to CloudFlare. This might be a stupid question, but what happens if you move off CloudFlare, does your cert expire?

EDIT: You should probably not make issues/feature requests if you will be creating PRs though, don't want to add clutter. 👍

[tangrufus]

what happens if you move off CloudFlare, does your cert expire?

Expires in 15 years.
However, this cert is self-signed. When you move out of Cloudflare, you don't get green padlocks.

[partounian]

I see, looking over it again at the end it says.

When pausing CloudFlare or gray-clouding individual zones, be aware that you and your visitors may receive errors in their browsers until you orange-cloud (reverse proxy) them again.

[tangrufus]

Extracted to https://github.com/TypistTech/trellis-cloudflare-origin-ca