
trellis-cloudflare-origin-ca's Issues

Does this autorenew certificates?

Hi, simple question. You have set the certificate days default value to 7. What happens when the certificate generated by this expires? Does it auto renew or do you have to reprovision the take again to generate a new one?

Many thanks

Failing on Add Cloudflare key - pubkey 404

Hello,

I've used your package several times. Now when trying to reprovision a new server it is failing with the below. Any ideas? All my setup is correct as I have used your package before.

Many thanks,
Aaron

TASK [TypistTech.trellis-cloudflare-origin-ca : Add Cloudflare key] ************
fatal: [***********]: FAILED! => {"changed": false, "msg": "Failed to download key at https://pkg.cloudflare.com/pubkey.gpg: HTTP Error 404: Not Found"}

Overwrite SSL certificates if settings are changed

Submit a feature request or bug report


What is the current behavior?

When adding domains or changing the site_hosts the cloudflare_origin_ca doesn't get updated because {site_key}.pem already exists.
[FATAL] Certificate file "{site_key}.pem" already exists, use -overwrite to overwrite
This results in Cloudflare not adding the origin CA to additional domains or updating the hostnames.

What is the expected or desired behavior?

I think this behavior should be documented and/or be resolved. A solution would be to allow overwriting the certificate file name or passing -overwrite using an argument.

400 No required SSL certificate was sent

Submit a feature request or bug report

Replace any X with your information.


What is the current behavior?

400 Bad Request
No required SSL certificate was sent after running ansible-playbook server.yml -e env=staging -t cloudflare-origin-ca


Bug report

(delete this section if not applicable)

Please provide steps to reproduce, including full log output:

X Somehow nothing in nginx logs.

Please describe your local environment:

Ansible version: 2.5

OS: macOS 10.13.3

Vagrant version: n/a

Trellis commit: 9dfddfd

Where did the bug happen? Development or remote servers?

X Remote

Why don't you create a pull request to fix it?

X Not sure what causes the error

Other relevant information:

X Cloudflare has generated the Origin cert, and it seems client cert field has been updated in nginx config.

Can we create one certificate manually on Cloudflare dashboard and this role picks that instead of creating new certificates every time?

Hi,

I have started using Trellis recently and in the last couple of days, I see that my Cloudflare dashboard has about 4 origin certificates with the same domains in it.

Is it not possible that we create one origin certificate defining example.com and *.example.com from the dashboard and this plugin picks that instead of creating a new one every time?

I am not very clear about what exactly triggered the new certificates, it might be the creation of a new machine on Google Cloud. I have provisioned the server multiple times so higher chances are that creation of a new machine and then the first provision on that creates a new origin certificate.

Nonetheless, could you please shed some light on this matter? Does Cloudflare limit the number of origin certificates that can be created? And is referencing an old manually created certificate possible by any chance, and would that help?

All I see is 4 certificates on my dashboard which I will manually delete.

Manual + Cloudflare on one server

I have multiple sites on one Trellis, and some use different Cloudflare accounts. When attempting to use a combination of manual and Cloudflare, it says that it can't find the domain (predictably), but it shouldn't be trying to because I have those set to manual SSL.
What I've done for now is set all sites to manual, then it provisions successfully.

Another solution could be using multiple account keys and setting them for each site in wordpress_sites.yml or vault.yml
This could just be some weird edge case that nobody ever does though. :)

Fix bare variable deprecation warning

TASK [TypistTech.trellis-cloudflare-origin-ca : fail] **************************
[DEPRECATION WARNING]: evaluating ssl_enabled and item.value.ssl.provider |
default('manual') == 'cloudflare-origin-ca' as a bare variable, this behaviour
will go away and you might need to add |bool to the expression in the future.
Also see CONDITIONAL_BARE_VARS configuration toggle.. This feature will be
removed in version 2.12. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
