- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
58 lines
2.8 KiB
Markdown
# Cloudflare Credentials: Both Methods Supported

**Last Updated:** 2026-01-31

**Document Version:** 1.0

**Status:** Active Documentation

---

This project supports **both** Cloudflare authentication methods. You can set either or both in `.env`; scripts use the **API token first**, then fall back to **email + API key**.

## 1. Credential types

| Method | .env variables | Use case |
|--------|----------------|----------|
| **API token** | `CLOUDFLARE_API_TOKEN` | Recommended: scoped, revocable. Used by DNS scripts, NPMplus, tunnel config. |
| **Email + API key** | `CLOUDFLARE_EMAIL` + `CLOUDFLARE_API_KEY` | Legacy/global key. Required for some older flows; Certbot can use this. |

You can set **both** in `.env`. Scripts that call the Cloudflare API will use the token if set, otherwise email + API key.
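The token-first selection described above, as an added POSIX sh example (not one of the project's scripts). The `cf_*` function names are assumptions; the environment variable names are the ones this document defines, and the two verification endpoints (`/user/tokens/verify` for a token, `/user` for a global key) are Cloudflare's v4 API.

```shell
#!/usr/bin/env sh
# Added example, not one of the project's scripts. The cf_* names are
# assumptions; the CLOUDFLARE_* variables are the ones the .env doc defines.

# Load .env (or the given file) and export every variable it defines so the
# Cloudflare settings reach child processes such as curl. Sourcing executes
# the file, so only point this at a .env you control.
cf_load_env() {
    f=${1:-./.env}
    [ -f "$f" ] || return 0
    set -a
    . "$f"
    set +a
}

# Select the auth method the way the scripts do: API token first, then
# email + API key. Prints "token" or "email-key"; fails if neither is set.
cf_auth_method() {
    if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
        echo token
    elif [ -n "${CLOUDFLARE_EMAIL:-}" ] && [ -n "${CLOUDFLARE_API_KEY:-}" ]; then
        echo email-key
    else
        echo "ERROR: set CLOUDFLARE_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY, in .env" >&2
        return 1
    fi
}

# Endpoint that proves the selected credential works: tokens have a dedicated
# verify call, a global key is checked by fetching the user profile.
cf_verify_url() {
    case "$(cf_auth_method)" in
        token)     echo "https://api.cloudflare.com/client/v4/user/tokens/verify" ;;
        email-key) echo "https://api.cloudflare.com/client/v4/user" ;;
        *)         return 1 ;;
    esac
}

# Call the Cloudflare v4 API with the selected credentials. Secrets travel only
# in request headers; this function never echoes them and never puts them in a URL.
cf_api() {
    method=$(cf_auth_method) || return 1
    case "$method" in
        token)
            curl -sS \
                -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
                -H "Content-Type: application/json" "$@" ;;
        email-key)
            curl -sS \
                -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
                -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \
                -H "Content-Type: application/json" "$@" ;;
    esac
}

# Stand-alone use: `sh cf-auth.sh verify` loads .env and checks that the
# credential is accepted before any DNS script relies on it.
if [ "${1:-}" = "verify" ]; then
    cf_load_env
    method=$(cf_auth_method) || exit 1
    echo "auth method: $method"
    cf_api "$(cf_verify_url)"
fi
```

Run the `verify` mode once after editing `.env`: a scoped token that lacks the DNS permissions the scripts need will still verify, so a successful response confirms the credential is valid, not that it is sufficient.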

## 2. Which scripts use which

- **update-all-dns-to-public-ip.sh** – token first, else email+key
- **complete-chain138-rpc-setup.sh** – token or email+key (either is enough)
- **add-vmid2400-ingress.sh** – token first, else email+key
- **update-cloudflare-tunnel-config.sh** – token first, else email+key
- **create-dns-record-rpc-core.sh** – token first, else email+key
- **scripts/verify/export-cloudflare-dns-records.sh** – token first, else email+key

## 3. Certbot (Let's Encrypt DNS-01)

Certbot’s `dns-cloudflare` plugin accepts **one** method per credentials file: **either** API token **or** email + API key, not both in the same file.

- **Token-only file** (recommended): `dns_cloudflare_api_token = YOUR_TOKEN`
- **Email + API key file**: `dns_cloudflare_email = your@email` and `dns_cloudflare_api_key = YOUR_GLOBAL_API_KEY`

Scripts that build the Certbot credentials file (e.g. `obtain-all-ssl-certificates.sh`, `setup-letsencrypt-tunnel.sh`) will:

- If `CLOUDFLARE_API_TOKEN` is set → write a **token-only** credentials file.
- Else if `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_KEY` are set → write an **email+key** credentials file.
- Else → exit with an error asking you to set one of the two methods.

Example credential files are in `scripts/certbot/`:

- `cloudflare-credentials-token.example` – token-only (copy and set your token).
- `cloudflare-credentials-email-api-key.example` – email+key (copy and set email and key).

Use **one** of these as your Certbot Cloudflare credentials file (e.g. `~/.secrets/certbot/cloudflare.ini` or `/etc/cloudflare/credentials.ini` on the host that runs Certbot).
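The three-way decision the credential-file scripts make, plus the check a practitioner wants before handing the file to Certbot (exactly one method present, owner-only permissions), as an added POSIX sh example. This is not `obtain-all-ssl-certificates.sh` or `setup-letsencrypt-tunnel.sh`; the function names are assumptions, the `dns_cloudflare_*` keys are the ones the plugin reads.

```shell
#!/usr/bin/env sh
# Added example, not one of the project's scripts. Function names are
# assumptions; the dns_cloudflare_* keys are the Certbot plugin's own.

# Write the Certbot Cloudflare credentials file from .env, token first, then
# email + API key, else fail. The file is created under umask 077 so it is never
# world-readable, and chmod 600 covers the case where it already existed.
write_certbot_cf_creds() {
    out=$1
    if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
        ( umask 077; printf 'dns_cloudflare_api_token = %s\n' \
            "$CLOUDFLARE_API_TOKEN" > "$out" )
    elif [ -n "${CLOUDFLARE_EMAIL:-}" ] && [ -n "${CLOUDFLARE_API_KEY:-}" ]; then
        ( umask 077; printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
            "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_API_KEY" > "$out" )
    else
        echo "ERROR: set CLOUDFLARE_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY" >&2
        return 1
    fi
    chmod 600 "$out"
}

# Validate an existing credentials file: exactly one method, an email alongside
# a global key, and no group/other read access. Prints the detected method.
check_certbot_cf_creds() {
    f=$1
    [ -f "$f" ] || { echo "ERROR: no such file: $f" >&2; return 1; }
    has_token=0; has_key=0; has_email=0
    if grep -q '^dns_cloudflare_api_token[[:space:]]*=' "$f"; then has_token=1; fi
    if grep -q '^dns_cloudflare_api_key[[:space:]]*='   "$f"; then has_key=1;   fi
    if grep -q '^dns_cloudflare_email[[:space:]]*='     "$f"; then has_email=1; fi
    if [ "$has_token" -eq 1 ] && [ "$has_key" -eq 1 ]; then
        echo "ERROR: $f mixes token and email+key; the plugin takes one method per file" >&2
        return 1
    fi
    if [ "$has_token" -eq 0 ] && [ "$has_key" -eq 0 ]; then
        echo "ERROR: $f contains neither a token nor an API key" >&2
        return 1
    fi
    if [ "$has_key" -eq 1 ] && [ "$has_email" -eq 0 ]; then
        echo "ERROR: $f has dns_cloudflare_api_key without dns_cloudflare_email" >&2
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback; only the owner may read the file.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "ERROR: $f has mode $mode; expected 600" >&2; return 1 ;;
    esac
    if [ "$has_token" -eq 1 ]; then echo token; else echo email-key; fi
}

# Stand-alone use: `sh certbot-creds.sh /etc/cloudflare/credentials.ini`
# writes the file from the current environment and then validates it.
if [ -n "${1:-}" ]; then
    write_certbot_cf_creds "$1" && check_certbot_cf_creds "$1"
fi
```

`check_certbot_cf_creds` is also worth running on a hand-written file before `certbot --dns-cloudflare-credentials` points at it, since a file that mixes both methods is the failure mode this section warns about.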

## 4. Summary

- **.env**: You can set both `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_EMAIL` / `CLOUDFLARE_API_KEY`.
- **Scripts**: They use token first, then email+key.
- **Certbot**: One method per credentials file (token-only **or** email+key-only).
- **Having both**: Keeps API/token auth for scripts and allows Certbot to use whichever method you put in its credentials file.