Add Cloudflare Origin CA to Trellis as a SSL provider.
Built with ♥ by Typist Tech
Trellis Cloudflare Origin CA is an open source project and completely free to use.
However, the amount of effort needed to maintain and develop new features is not sustainable without proper financial backing. If you have the capability, please consider donating using the links below:
Add Cloudflare Origin CA to Trellis as a SSL provider
Short answer: To keep connection between Cloudflare and your severs private and secure from tampering.
Long answer:
Cloudflare’s Flexible SSL mode is the default for Cloudflare sites on the Free plan. Flexible SSL mode means that traffic from browsers to Cloudflare will be encrypted, but traffic from Cloudflare to a site's origin server will not be. To take advantage of our Full and Strict SSL mode—which encrypts the connection between Cloudflare and the origin server—it’s necessary to install a certificate on the origin server.
Cloudflare Blog - Origin Server Connection Security with Universal SSL
To get certificates from Let's Encrypt, you first have to disable Cloudflare, because Cloudflare hides the actual server IPs and makes the Let's Encrypt challenges fail. Using Cloudflare Origin CA avoids this trouble.
See Introducing Cloudflare Origin CA on Cloudflare blog.
# group_vars/<environment>/vault.yml
# This file should be encrypted. See: https://roots.io/trellis/docs/vault/
##########################################################################
# Cloudflare Origin CA Key
# Not to be confused with the Cloudflare Global API Key
# See: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#iiobtainyourcertificateapitoken
vault_cloudflare_origin_ca_key: v1.0-xxxxxxxxxxx
# group_vars/<environment>/main.yml
###################################
# Indicates the desired package state.
# `latest` ensures that the latest version is installed.
# `present` does not update if already installed.
# Choices: present|latest
# Default: latest
cfca_package_state: present
# Whether to hide results of sensitive tasks which
# may include Cloudflare Origin CA Key in plain text.
# Choices: true|false
# Default: false
cloudflare_origin_ca_no_log: true
# group_vars/<environment>/wordpress_sites.yml
##############################################
wordpress_sites:
  example.com:
    # Your Cloudflare account must own all these domains
    site_hosts:
      - canonical: example.com
        redirects:
          - hi.example.com
          - hello.another-example.com
    ssl:
      # SSL must be enabled
      enabled: true
      # OCSP stapling must be disabled
      stapling_enabled: false
      # Use this role to generate the Cloudflare Origin CA certificate
      provider: cloudflare-origin-ca
      # The following options are optional
      cloudflare_origin_ca:
        # Number of days for which the issued cert will be valid. Acceptable options are: 7, 30, 90, 365 (1y), 730 (2y), 1095 (3y), 5475 (15y).
        # Default: 5475
        days: 7
        # List of fully-qualified domain names to include on the certificate as Subject Alternative Names.
        # Default: All canonical and redirect domains
        # In the above example: example.com, hi.example.com, hello.another-example.com
        hostnames:
          - example.com
          - '*.example.com'
          - '*.another-example.com'
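The comments above encode several rules the role relies on (SSL enabled, OCSP stapling off, a valid `days` value, and a `hostnames` list that covers every canonical and redirect host). The following added pre-flight check is example code, not part of the role; it applies those rules to a constructed `wordpress_sites` dictionary, and its wildcard matching follows the usual single-label rule for certificate names.

```python
# Constructed sample mirroring the README's example.com entry.
SITES = {
    "example.com": {
        "site_hosts": [{"canonical": "example.com",
                        "redirects": ["hi.example.com", "hello.another-example.com"]}],
        "ssl": {"enabled": True, "stapling_enabled": False,
                "provider": "cloudflare-origin-ca",
                "cloudflare_origin_ca": {"days": 7, "hostnames": [
                    "example.com", "*.example.com", "*.another-example.com"]}},
    },
}
VALID_DAYS = {7, 30, 90, 365, 730, 1095, 5475}  # the role's accepted values

def default_hostnames(site):
    """The role's default SAN list: every canonical and redirect host."""
    names = []
    for host in site.get("site_hosts", []):
        names.append(host["canonical"])
        names.extend(host.get("redirects", []))
    return names

def covers(pattern, fqdn):
    """Single-label wildcard match: '*.example.com' covers 'hi.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    if not pattern.startswith("*."):
        return pattern == fqdn
    label, sep, parent = fqdn.partition(".")
    return bool(label) and bool(sep) and parent == pattern[2:]

def check_site(name, site):
    """Return the problems found; an empty list means the entry is usable."""
    ssl, problems = site.get("ssl", {}), []
    if ssl.get("provider") != "cloudflare-origin-ca":
        return problems  # another provider: nothing for this role to check
    if not ssl.get("enabled"):
        problems.append(f"{name}: ssl.enabled must be true")
    if ssl.get("stapling_enabled"):
        problems.append(f"{name}: Origin CA has no OCSP; set stapling_enabled: false")
    opts = ssl.get("cloudflare_origin_ca", {})
    if opts.get("days", 5475) not in VALID_DAYS:
        problems.append(f"{name}: days must be one of {sorted(VALID_DAYS)}")
    sans = opts.get("hostnames") or default_hostnames(site)
    for fqdn in default_hostnames(site):  # every served host needs a matching SAN
        if not any(covers(p, fqdn) for p in sans):
            problems.append(f"{name}: {fqdn} is served but no hostnames entry covers it")
    return problems

def check_all(sites):
    return [p for name, site in sites.items() for p in check_site(name, site)]
```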
Typist Tech is ready to build your next awesome WordPress site. Hire us!
- Ansible 2.10 or later
- Trellis@c86d8a0 or later
- Cloudflare account
- Ubuntu 18.04 (Bionic) or 20.04 (Focal)
Add this role to galaxy.yml:
- src: TypistTech.trellis-cloudflare-origin-ca # Case-sensitive!
  version: 0.8.0 # Check for latest version!
Run $ trellis galaxy install
Add this role to server.yml immediately after role: wordpress-setup:
roles:
# ...
- - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
+ - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt, cloudflare-origin-ca] }
+ - { role: TypistTech.trellis-cloudflare-origin-ca, tags: [cloudflare-origin-ca, wordpress-setup], when: sites_using_cloudflare_origin_ca | count }
# ...
Note: role: wordpress-setup is tagged with cloudflare-origin-ca.
This role templates Nginx SSL directives out to {{ nginx_path }}/includes.d/{{ item.key }}/cloudflare-origin-ca.conf. Trellis includes this file here and here by default; no action is needed.
If you are using Nginx child templates, add this line to your server blocks:
include includes.d/{{ item.key }}/cloudflare-origin-ca.conf;
Obviously, you should not run this role when you don't use Cloudflare Origin CA.
Encrypt your Cloudflare Origin CA Key in group_vars/<environment>/vault.yml. See role variables.
... you're trying to staple OCSP responses with Origin CA. Right now OCSP is not supported with Origin CA, so you should remove the ssl_stapling directive for the host that you're using the Origin CA cert on...
--- Cloudflare Support
Cloudflare Origin CA doesn't support OCSP stapling. Disable OCSP stapling for all sites using Cloudflare Origin CA. See role variables.
To avoid misconfiguration, the key_type (ECDSA or RSA) and key_size (bits) options are deprecated. Since v0.8, this role generates 521-bit ECDSA keys only.
If you had previously generated CA certificates with other configurations:
- remove the CA certificates from servers
- revoke the CA certificates via Cloudflare dashboard
- re-provision the servers
Make sure you have roots/trellis@f2b8107 or later.
Symptoms:
- Server returns "400 Bad Request - No required SSL certificate was sent" for all requests
- Nginx logged "client sent no required SSL certificate while reading client request headers, client: [redacted], server: [redacted], request: "GET / HTTP/1.1", host: "[redacted]""
- ssl_verify_client on; somewhere in Nginx config files
- Using client_cert_url in wordpress_sites.yml, i.e. roots/trellis#869
Culprit:
Your Authenticated Origin Pulls configuration is incorrect.
Fact: This role has nothing to do with Authenticated Origin Pulls or ssl_verify_client.
Solution:
- Read Introducing Cloudflare Origin CA
- Read Authenticated Origin Pulls
- Understand this role is Cloudflare Origin CA
- Understand Cloudflare Origin CA and Authenticated Origin Pulls are 2 different things
- Read #34
- Contact Cloudflare support if you still have questions
I assume you would like to setup Authenticated Origin Pulls with Cloudflare. I would recommend ECDSA, as elliptic curves provide the same security with less computational overhead.
Find out more about ECDSA: The digital signature algorithm of a better internet. The above article also mentioned that: According to the ECRYPT II recommendations on key length, a 256-bit elliptic curve key provides as much protection as a 3,248-bit asymmetric key. Typical RSA keys in website certificates are 2048-bits. So, I think going with 256-bits ECDSA will be a good choice.
--- Cloudflare Support, September 2017
To avoid misconfiguration, the key_type (ECDSA or RSA) and key_size (bits) options are deprecated. Since v0.8, this role generates 521-bit ECDSA keys only.
If you had previously generated CA certificates with other configurations:
- remove the CA certificates from servers
- revoke the CA certificates via Cloudflare dashboard
- re-provision the servers
Note that the use of the no_log attribute does not prevent data from being shown when debugging Ansible itself via the ANSIBLE_DEBUG environment variable.
--- Ansible Docs
- Articles on Typist Tech's blog
- Tang Rufus' WordPress plugins on wp.org
- More projects on Typist Tech's GitHub profile
- Stay tuned on Typist Tech's newsletter
- Follow Tang Rufus' Twitter account
- Hire Tang Rufus to build your next awesome site
Thanks! Glad you like it. It's important to let me know somebody is using this project. Please consider:
- tweet something good mentioning @TangRufus
- ★ star the Github repo
- 👀 watch the Github repo
- write tutorials and blog posts
- hire Typist Tech
- WP Cloudflare Guard - Connecting WordPress with Cloudflare firewall, protect your WordPress site at DNS level. Automatically create firewall rules to block dangerous IPs
- The Root of Trellis Cloudflare Origin CA
- The Origin of Trellis Cloudflare Origin CA
- Cloudflare Origin CA
- Trellis SSL
- Trellis Nginx Includes
- Ansible Vault
Run the tests:
ansible-playbook -vvv -i 'localhost,' --syntax-check tests/test.yml
ansible-lint -vv .
Please provide feedback! We want to make this project as useful as possible. Please submit an issue and point out what you do and don't like, or fork the project and send pull requests. No issue is too small.
If you discover a security vulnerability within this project, please email us at [email protected]. All security vulnerabilities will be promptly addressed.
Trellis Cloudflare Origin CA is a Typist Tech project and maintained by Tang Rufus, freelance developer for hire.
Special thanks to the Roots team, whose Trellis makes this project possible.
Full list of contributors can be found here.
Trellis Cloudflare Origin CA is released under the MIT License.