
Cert Provider Cloudflare - CF_DNS_API_TOKEN integration issue #5965

Closed
EugenMayer opened this issue Dec 8, 2019 · 4 comments

Comments

@EugenMayer
Contributor

Traefik: 2.0.6 / Linux ( official docker image )

Using Cloudflare with EMAIL/API_KEY works without issues, but when using the https://go-acme.github.io/lego/dns/cloudflare/#api-tokens API token integration by setting the following ENV var

environment:
  CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"

I get the following:

 acme: error presenting token: cloudflare: failed to find zone REDACTED.: ListZonesContext command failed: error from makeRequest: HTTP status 403: insufficient permissions\n" providerName=default.acme routerName=web1 rule="Host(`web1-docker-image-traefik.REDACTED`)"

(REDACTED is my actual domain)

The TOKEN has been generated with the following permissions:

All zones - DNS:Edit

I recreated the token several times, using the template (DNS template by Cloudflare) and a custom setup, but nothing happened. Checked https://github.com/go-acme/lego/issues but could not find any reference there either. Not sure where this bug report belongs in the end, please advise.

@EugenMayer
Contributor Author

I just checked Cloudflare's REST API: https://api.cloudflare.com/#zone-list-zones

and tried

curl -X GET "https://api.cloudflare.com/client/v4/zones?match=all" \
     -H "Authorization: Bearer <MY_DNS_TOKEN>" \
     -H "Content-Type: application/json"

When using the CF token template "read all resources" (which includes really everything) it actually works (the request above),

and got:

{"success":false,"errors":[{"code":0,"message":"Actor 'com.cloudflare.api.token.961f73fb1f736ed6084166156c3b1469' requires permission 'com.cloudflare.api.account.zone.list' to list zones"}],"messages":[],"result":null}

I rechecked and recreated the token, but nothing works here.

@EugenMayer
Contributor Author

OK, I could find the issue: one needs to add the Zone / Zone / Read permission, so one needs

All zones - DNS:Edit, Zone:Read

for the CF_DNS_API_TOKEN, and after reading https://go-acme.github.io/lego/dns/cloudflare/#api-tokens once again:

    Zone / Zone / Read
    Zone / DNS / Edit

It's all there. I guess I got fooled by the linked Cloudflare announcement / template, which only includes

Zone / DNS / Edit

Sorry for the noise here. I assume keeping this issue might help someone else (with the above error string) missing that detail; otherwise delete this issue as you like.

@ViableClanMember

I didn't find @EugenMayer's post to work. My solution was to use the Global API key (found underneath the Token section).

@EugenMayer
Contributor Author

@ViableClanMember that was always working, but grants all account permissions, everything you have.

That is why the token is so interesting. When you grant those 2 permissions (not just Edit) you should be good to go. Be sure to name the variable right, meaning: CF_DNS_API_TOKEN

I do not want to re-open the issue or anything; just for the other readers, I use this in production with CF_DNS_API_TOKEN and Zone / Zone / Read + Zone / DNS / Edit, so it indeed works.
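A small preflight check for the two findings in this thread (DNS:Edit alone yields the 403 "requires permission ... zone.list" error; Zone:Read must be granted as well). This is an added example, not code from Traefik, lego or the commenters; the function names, the constructed sample responses and the placeholder actor id are assumptions, and the only permission-name-to-label mapping it knows is the one the thread documents.

```python
import json
import re

# Permissions lego's Cloudflare provider needs on a scoped CF_DNS_API_TOKEN,
# written as the Cloudflare token editor labels them (from the thread above).
REQUIRED_TOKEN_PERMISSIONS = ("Zone / Zone / Read", "Zone / DNS / Edit")

# Internal permission name from the API error in the thread -> editor label.
# Only the entry the thread documents is listed; unknown names are echoed raw.
KNOWN_PERMISSIONS = {"com.cloudflare.api.account.zone.list": "Zone / Zone / Read"}

_REQUIRES = re.compile(r"requires permission '([^']+)'")


def _norm(label):
    """Reduce the thread's spellings ('Zone / DNS / Edit', 'DNS:Edit',
    'All zones - DNS:Edit') to 'resource:level' using the last two words."""
    words = re.findall(r"[a-z]+", label.lower())
    return ":".join(words[-2:])


def missing_token_permissions(granted):
    """Editor labels of required permissions absent from `granted` (an
    iterable of labels; comma-separated labels in one string are split)."""
    have = {_norm(p) for item in granted for p in item.split(",") if p.strip()}
    return [p for p in REQUIRED_TOKEN_PERMISSIONS if _norm(p) not in have]


def diagnose_api_response(body):
    """Inspect a Cloudflare v4 JSON response such as the /zones reply above.
    Returns None on success, else a message naming the missing permission
    and, when known, the editor label to grant for it."""
    data = json.loads(body)
    if data.get("success"):
        return None
    findings = []
    for err in data.get("errors", []):
        msg = err.get("message", "unknown error")
        m = _REQUIRES.search(msg)
        if not m:
            findings.append(msg)
            continue
        label = KNOWN_PERMISSIONS.get(m.group(1))
        findings.append(f"token lacks {m.group(1)}"
                        + (f"; grant '{label}' on the token" if label else ""))
    return "; ".join(findings)


# Constructed sample bodies; the actor id is a placeholder, not a real token.
DENIED_BODY = json.dumps({"success": False, "errors": [{"code": 0, "message":
    "Actor 'com.cloudflare.api.token.PLACEHOLDER' requires permission "
    "'com.cloudflare.api.account.zone.list' to list zones"}],
    "messages": [], "result": None})
OK_BODY = json.dumps({"success": True, "errors": [], "messages": [],
                      "result": [{"id": "PLACEHOLDER", "name": "example.com"}]})
```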

@traefik traefik locked and limited conversation to collaborators Jan 17, 2020