Soldato
Be gentle with me please... Windows is my normal domain!
I want to move from using HTTP-based challenges for issuing Let's Encrypt certificates to DNS. The domain for the certs is now on Cloudflare, so I can use the API access methods from tools/scripts like Certbot or acme.sh to automate the DNS TXT record creation for validation.
There are assorted blogs using acme.sh, e.g.
https://www.jamesridgway.co.uk/auto...d-key-lets-encrypt-cloudflare-dns-validation/
The acme.sh-based guides ask for the Cloudflare API token to be set up via export, e.g.
Code:
export CF_Token="xxxxx"
export CF_Account_ID="xxxxx"
export CF_Zone_ID="xxxxx"
As these values allow DNS manipulation (though you can obviously lock down the API token to certain tasks and source IPs), as a Linux numpty I was wondering how secure these values are once set (using export)?
The Certbot documentation does call it out (that looks to use a file for the credentials):
You should protect these API credentials as you would the password to your Cloudflare account. Users who can read this file can use these credentials to issue arbitrary API calls on your behalf. Users who can cause Certbot to run using these credentials can complete a dns-01 challenge to acquire new certificates or revoke existing certificates for associated domains, even if those domains aren’t being managed by this server.
Thanks!
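The question above is about how exposed an exported token is. As an added example (not from the original post, acme.sh or Certbot), this shell script contrasts the exported-variable approach with a Certbot-style owner-only credentials file and checks what a child process and the file permissions expose. It assumes a Linux host with GNU stat and /proc, and uses constructed placeholder token values.

```bash
#!/bin/sh
# Added example, not from the original post or from acme.sh/Certbot. It contrasts
# the two ways of handing a Cloudflare token to an ACME client that the post
# mentions and checks who can read each. Token values are constructed placeholders.
set -eu

# Pattern 1 (Certbot): a credentials file. Creating it under umask 077 gives it
# mode 0600, so only the owning user and root can read the token.
write_credentials_file() {
    ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
}

# Exit 0 if the file has no group/other permission bits (mode 600 or 400).
file_is_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Pattern 2 (acme.sh): exported variables. Anything exported in a shell is copied
# into the environment of every child process that shell starts afterwards, not
# only the ACME client. Each process's environment is also exposed in
# /proc/<pid>/environ (mode 0400: same user and root only). acme.sh additionally
# saves the values it was given into ~/.acme.sh/account.conf for reuse.
# Exit 0 if a child process (here: env) can see variable $1.
child_inherits_var() {
    env | grep -q "^$1="
}

# Demonstration: a plain assignment stays in this shell; an exported one reaches
# every child, so unset it once the client has finished.
demo() {
    tmp=$(mktemp -d)
    write_credentials_file "$tmp/cloudflare.ini" "PLACEHOLDER_TOKEN"
    file_is_owner_only "$tmp/cloudflare.ini" && echo "credentials file: owner-only"

    CF_Token_local="PLACEHOLDER_TOKEN"   # not exported
    child_inherits_var CF_Token_local || echo "unexported var: hidden from children"

    export CF_Token="PLACEHOLDER_TOKEN"
    child_inherits_var CF_Token && echo "exported var: visible to every child process"

    unset CF_Token
    rm -rf "$tmp"
}
demo
```

Either way the token is readable by the same user and by root; the file pattern at least keeps it out of every unrelated child process and out of shell history.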