# Cloudflare API Token Setup

This guide walks you through creating a Cloudflare API token that cert-manager uses to manage Let's Encrypt certificates automatically via the DNS-01 challenge.
## Required Permissions

The API token needs these permissions for automatic certificate management:
- Zone:Zone:Read - Read zone information
- Zone:DNS:Edit - Create/update DNS TXT records for ACME challenges
- Zone Resources: Include specific zone `wenzelarifiandi.com`
## Step-by-Step Setup

### 1. Access Cloudflare Dashboard

- Go to the Cloudflare Dashboard
- Login to your account
- Navigate to My Profile (top right) → API Tokens
### 2. Create Custom Token

- Click Create Token
- Select Custom token (not Global API Key)
- Configure the token:

```
Token name: ariane-cert-manager
Permissions:
  - Zone:Zone:Read
  - Zone:DNS:Edit
Zone Resources:
  - Include: Specific zone: wenzelarifiandi.com
Client IP Address Filtering: (leave empty for any IP)
TTL: (leave empty for no expiration)
```
### 3. Generate and Copy Token

- Click Continue to summary
- Review permissions
- Click Create Token
- IMPORTANT: Copy the token immediately; it won't be shown again

The token will look like: `1234567890abcdef1234567890abcdef12345678`
### 4. Test the Token

Verify the token works:

```bash
# Test zone access
curl -X GET "https://api.cloudflare.com/client/v4/zones" \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  -H "Content-Type: application/json"

# Should return zone information for wenzelarifiandi.com
```
### 5. Store Securely

Add the token to your secrets file:

```bash
cd infrastructure/ansible
sops secrets/cell-v0.yml
# Add: cloudflare_api_token: "YOUR_TOKEN_HERE"
```
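The guide stops at storing the token; for reference, this added example (not part of the original guide or the project's manifests) shows how cert-manager consumes it once it reaches the cluster. The Secret name `cloudflare-api-token`, the ClusterIssuer name `letsencrypt-dns`, and the contact e-mail are assumptions; the namespace `zitadel`, the certificate `zitadel-tls`, the zone `wenzelarifiandi.com` and the hostname `auth.wenzelarifiandi.com` come from this page. The `dnsZones` selector keeps the solver aligned with the token's one-zone scope.

```yaml
# Added example: cert-manager wiring for the ariane-cert-manager token.
# Assumed names: Secret "cloudflare-api-token", ClusterIssuer "letsencrypt-dns",
# and a placeholder ACME contact address.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager          # a ClusterIssuer reads secrets from cert-manager's own namespace
type: Opaque
stringData:
  api-token: "YOUR_TOKEN_HERE"     # inject from the sops-encrypted value; never commit the plaintext
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-dns-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - wenzelarifiandi.com   # only this zone, matching the token's Zone Resources scope
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: zitadel-tls
  namespace: zitadel
spec:
  secretName: zitadel-tls
  dnsNames:
    - auth.wenzelarifiandi.com
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
```

Because the token can only edit DNS in `wenzelarifiandi.com`, a Certificate for any other zone will fail at the DNS-01 step; the `dnsZones` selector makes that boundary explicit on the cert-manager side as well.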
## Security Best Practices

- Principle of Least Privilege: the token only has DNS edit permissions for one zone
- Rotation: Consider rotating the token periodically
- Monitoring: Check Cloudflare audit logs for unexpected API usage
- Revocation: If compromised, revoke immediately from Cloudflare dashboard
## Troubleshooting

### Common Issues

403 Forbidden Error:
- Check token has correct permissions
- Verify zone name matches exactly
- Ensure token hasn’t expired
DNS Challenge Timeout:
- Check Cloudflare API status
- Verify DNS propagation with `dig TXT _acme-challenge.auth.wenzelarifiandi.com`
- Check cert-manager logs: `kubectl logs -n cert-manager deployment/cert-manager`
Token Not Working:

```bash
# Debug cert-manager
kubectl describe certificate -n zitadel zitadel-tls
kubectl describe certificaterequest -n zitadel
kubectl logs -n cert-manager deployment/cert-manager
```
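Step 4's curl call and the 403 checklist above both come down to reading the Cloudflare v4 response envelope (`success`, `errors`, `messages`, `result`) and confirming that the one expected zone is visible. The following Python script is an added example, not part of the original guide: `check_zones_response` applies those checks to a response body, and `fetch_zones` is a network-using equivalent of the curl command. The sample responses and the zone id in them are constructed for offline use; the zone name `wenzelarifiandi.com` comes from this page.

```python
"""Added example: interpret a Cloudflare GET /zones response for a one-zone token.

The checks mirror step 4 and the "403 Forbidden" troubleshooting list: is the
envelope successful, is exactly the expected zone visible, and is the token
broader than the single-zone scope this guide intends.
"""
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
EXPECTED_ZONE = "wenzelarifiandi.com"


def check_zones_response(body: str, expected_zone: str = EXPECTED_ZONE) -> dict:
    """Return {'ok': bool, 'problems': [str], 'zone_id': str | None} for a /zones body."""
    problems = []
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"ok": False, "problems": [f"response is not JSON: {exc}"], "zone_id": None}

    # Cloudflare reports authentication and permission failures inside the
    # envelope, so check success before looking at the result list.
    if not data.get("success", False):
        for err in data.get("errors") or []:
            problems.append(f"API error {err.get('code')}: {err.get('message')}")
        if not problems:
            problems.append("success=false with no error detail")
        return {"ok": False, "problems": problems, "zone_id": None}

    # A token scoped to one zone should list that zone and nothing else.
    names = {z.get("name"): z.get("id") for z in data.get("result") or []}
    if expected_zone not in names:
        problems.append(
            f"zone {expected_zone!r} not visible; token sees {sorted(names) or 'no zones'} "
            "(check Zone Resources and that the zone name matches exactly)"
        )
        return {"ok": False, "problems": problems, "zone_id": None}
    extra = sorted(set(names) - {expected_zone})
    if extra:
        # Still usable, but wider than least privilege; worth flagging.
        problems.append(f"token also sees zones {extra}; scope is broader than one zone")
    return {"ok": True, "problems": problems, "zone_id": names[expected_zone]}


def fetch_zones(token: str) -> str:
    """Network equivalent of the step 4 curl command; returns the raw JSON body."""
    req = urllib.request.Request(
        f"{API}/zones",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.read().decode()  # a 403 still carries the JSON envelope


# Constructed sample responses (offline); the zone id is a placeholder.
GOOD = json.dumps({"success": True, "errors": [], "messages": [],
                   "result": [{"id": "placeholder0000000000000000zoneid",
                               "name": "wenzelarifiandi.com", "status": "active"}]})
DENIED = json.dumps({"success": False, "errors": [{"code": 10000, "message": "Authentication error"}],
                     "messages": [], "result": None})
WRONG_ZONE = json.dumps({"success": True, "errors": [], "messages": [],
                         "result": [{"id": "placeholder0000000000000otherzone",
                                     "name": "example.net", "status": "active"}]})

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("denied", DENIED), ("wrong zone", WRONG_ZONE)):
        print(label, check_zones_response(body))
    # Live use: print(check_zones_response(fetch_zones("YOUR_TOKEN_HERE")))
```

A `success: false` envelope points at the token itself (permissions, expiry, revocation); a successful envelope without the expected zone points at the Zone Resources scope or a misspelled zone name, which is the distinction the 403 checklist asks you to make.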
## Token Permissions Summary

| Permission | Access Level | Resource | Purpose |
|---|---|---|---|
| Zone:Zone:Read | Read | wenzelarifiandi.com | Get zone ID for DNS operations |
| Zone:DNS:Edit | Edit | wenzelarifiandi.com | Create/delete TXT records for ACME |
This minimal permission set ensures the token can only manage DNS records for certificate validation and nothing else.