proxmox/docs/04-configuration/CLOUDFLARE_CREDENTIALS_BOTH_METHODS.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


Cloudflare Credentials: Both Methods Supported

Last Updated: 2026-01-31
Document Version: 1.0
Status: Active Documentation


This project supports both Cloudflare authentication methods. You can set either or both in .env; scripts try the API token first and fall back to email + API key only when no token is set.

1. Credential types

| Method | .env variables | Use case |
|---|---|---|
| API token | CLOUDFLARE_API_TOKEN | Recommended: scoped to specific zones and permissions, revocable on its own. Used by DNS scripts, NPMplus, tunnel config. |
| Email + API key | CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY | Legacy Global API Key: full account access, cannot be scoped, and rotating it means regenerating it for every consumer. Required for some older flows; Certbot can use this. |

Setting both in .env is safe: any script that calls the Cloudflare API uses the token when it is set and reads the email + key pair only when it is not, so the scoped token always takes precedence over the Global API Key.

2. Which scripts use which

  • update-all-dns-to-public-ip.sh token first, else email+key
  • complete-chain138-rpc-setup.sh token or email+key (either is enough)
  • add-vmid2400-ingress.sh token first, else email+key
  • update-cloudflare-tunnel-config.sh token first, else email+key
  • create-dns-record-rpc-core.sh token first, else email+key
  • scripts/verify/export-cloudflare-dns-records.sh token first, else email+key

3. Certbot (Let's Encrypt DNS-01)

Certbot's dns-cloudflare plugin accepts one method per credentials file: either API token or email + API key. A file that contains both is rejected by the plugin with an error, so do not copy the whole .env into it.

  • Token-only file (recommended):
    dns_cloudflare_api_token = YOUR_TOKEN
  • Email + API key file:
    dns_cloudflare_email = your@email
    dns_cloudflare_api_key = YOUR_GLOBAL_API_KEY

Scripts that build the Certbot credentials file (e.g. obtain-all-ssl-certificates.sh, setup-letsencrypt-tunnel.sh) will:

  • If CLOUDFLARE_API_TOKEN is set → write a token-only credentials file.
  • Else if CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY are set → write an email+key credentials file.
  • Else → exit with an error asking you to set one of the two methods.
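The selection rule in sections 2 and 3 (token first, else email + API key, else fail), as an added example that is not one of this repo's scripts: the same decision feeds both the HTTP headers a script sends to api.cloudflare.com and the one-method credentials file written for Certbot. It assumes the .env variables are already loaded into the shell; the function names (cf_auth_method, cf_auth_headers, write_certbot_cloudflare_ini, certbot_ini_method) are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not one of this project's scripts. Function names are
# hypothetical; it assumes CLOUDFLARE_* are already exported (e.g. from .env).

# Which method the current environment supports. Prints "token" or
# "email_key"; returns 1 when neither is fully configured.
cf_auth_method() {
  if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
    echo token
  elif [ -n "${CLOUDFLARE_EMAIL:-}" ] && [ -n "${CLOUDFLARE_API_KEY:-}" ]; then
    echo email_key
  else
    return 1
  fi
}

# Headers for api.cloudflare.com, one per line, ready for curl -H.
# A token uses a Bearer header; the legacy Global API Key needs both the
# email and the key header.
cf_auth_headers() {
  case "$(cf_auth_method)" in
    token)
      printf 'Authorization: Bearer %s\n' "$CLOUDFLARE_API_TOKEN" ;;
    email_key)
      printf 'X-Auth-Email: %s\nX-Auth-Key: %s\n' \
        "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_API_KEY" ;;
    *)
      echo "error: set CLOUDFLARE_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY" >&2
      return 2 ;;
  esac
}

# Write a Certbot dns-cloudflare credentials file at $1 containing exactly
# one method (the plugin rejects a file with both). The content goes to a
# 0600 temp file first and is renamed into place, so a world-readable or
# half-written secret never exists on disk.
write_certbot_cloudflare_ini() {
  local out="$1" tmp
  tmp="$(mktemp "${out}.XXXXXX")" || return 1
  case "$(cf_auth_method)" in
    token)
      printf 'dns_cloudflare_api_token = %s\n' "$CLOUDFLARE_API_TOKEN" > "$tmp" ;;
    email_key)
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
        "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_API_KEY" > "$tmp" ;;
    *)
      rm -f "$tmp"
      echo "error: set CLOUDFLARE_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY" >&2
      return 2 ;;
  esac
  chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# Check an existing credentials file before handing it to Certbot.
# Prints "token" or "email_key"; prints "invalid" and returns 1 when the
# file mixes the two methods or is missing half of the email+key pair.
certbot_ini_method() {
  local f="$1" t=0 e=0 k=0
  grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=' "$f" && t=1
  grep -Eq '^[[:space:]]*dns_cloudflare_email[[:space:]]*=' "$f" && e=1
  grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$f" && k=1
  if [ "$t$e$k" = 100 ]; then
    echo token
  elif [ "$t$e$k" = 011 ]; then
    echo email_key
  else
    echo invalid
    return 1
  fi
}
```

Typical use: `cf_auth_headers | sed 's/^/-H /'` gives the arguments for a curl call such as `GET https://api.cloudflare.com/client/v4/user/tokens/verify` (token) or `GET /client/v4/user` (email + key) to confirm the credentials work before a script touches DNS; `write_certbot_cloudflare_ini ~/.secrets/certbot/cloudflare.ini` followed by `certbot_ini_method` on the same path is the pre-flight check before `certbot certonly --dns-cloudflare`.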

Example credential files are in scripts/certbot/:

  • cloudflare-credentials-token.example token-only (copy and set your token).
  • cloudflare-credentials-email-api-key.example email+key (copy and set email and key).

Use one of these as your Certbot Cloudflare credentials file (e.g. ~/.secrets/certbot/cloudflare.ini or /etc/cloudflare/credentials.ini on the host that runs Certbot). Keep the file mode 600 and owned by the user that runs Certbot; the plugin warns about unsafe permissions on a group- or world-readable credentials file. If you use a token, it only needs Zone / DNS / Edit on the zones the certificates cover, so create a dedicated token for Certbot rather than reusing a broader one.

4. Summary

  • .env: You can set both CLOUDFLARE_API_TOKEN and CLOUDFLARE_EMAIL / CLOUDFLARE_API_KEY.
  • Scripts: They use token first, then email+key.
  • Certbot: One method per credentials file (token-only or email+key-only).
  • Having both: scripts keep using the scoped token, while Certbot uses whichever single method you put in its credentials file.