This page is pulled from the project's README. Links could be broken.


Add Cloudflare Origin CA to Trellis as an SSL provider

Requirements

Installation

Add this role to requirements.yml:

- src: TypistTech.trellis-cloudflare-origin-ca # Case-sensitive!
  version: 0.6.0 # Check for latest version!

Run $ ansible-galaxy install -r requirements.yml to install this new role.

Role Variables

# group_vars/<environment>/vault.yml
# This file should be encrypted. See: https://roots.io/trellis/docs/vault/
##########################################################################

# Cloudflare Origin CA Key
# Not to confuse with Cloudflare Global API Key
# See: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#iiobtainyourcertificateapitoken
vault_cloudflare_origin_ca_key: v1.0-xxxxxxxxxxx

# group_vars/<environment>/main.yml
###################################

# Indicates the desired package state.
# `latest` ensures that the latest version is installed.
# `present` does not update if already installed.
# Choices: present|latest
# Default: latest
cfca_package_state: present

# Whether to hide results of sensitive tasks which
# may include Cloudflare Origin CA Key in plain text.
# Choices: true|false
# Default: false
cloudflare_origin_ca_no_log: true

# group_vars/<environment>/wordpress_sites.yml
##############################################

wordpress_sites:
  example.com:
    # Your Cloudflare account must own all these domains
    site_hosts:
      - canonical: example.com
        redirects:
          - hi.example.com
          - hello.another-example.com
    ssl:
      # SSL must be enabled
      enabled: true
      # OCSP stapling must be disabled
      stapling_enabled: false
      # Use this role to generate Cloudflare Origin CA certificate
      provider: cloudflare-origin-ca
    # The following settings are optional
    cloudflare_origin_ca:
      # Number of days for which the issued cert will be valid. Acceptable options are: 7, 30, 90, 365 (1y), 730 (2y), 1095 (3y), 5475 (15y).
      # Default: 5475
      days: 7
      # List of fully-qualified domain names to include on the certificate as Subject Alternative Names.
      # Default: All canonical and redirect domains
      # In the above example: example.com, hi.example.com, hello.another-example.com
      hostnames:
        - example.com
        - '*.example.com'
        - '*.another-example.com'
      # Key size in bits to use for the generated key pair (Acceptable sizes: rsa: 2048|3072|4096, ecdsa: 256|384|521)
      # Default: 256
      key_size: 3072
      # Type of key pair to generate, either RSA or ECDSA. (rsa|ecdsa)
      # Default: ecdsa
      key_type: rsa

Hacking Trellis' Playbook

Add this role to server.yml immediately after role: wordpress-setup:

roles:
    # Some other Trellis roles ...
    - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt, cloudflare-origin-ca] }
    - { role: TypistTech.trellis-cloudflare-origin-ca, tags: [cloudflare-origin-ca, wordpress-setup], when: sites_using_cloudflare_origin_ca | count }
    # Some other Trellis roles ...

Note: role: wordpress-setup is tagged with cloudflare-origin-ca.

Nginx Includes

This role templates Nginx SSL directives out to {{ nginx_path }}/includes.d/{{ item.key }}/cloudflare-origin-ca.conf. Trellis includes this file by default (in two places of its Nginx templates), so no action is needed.

If you are using Nginx child templates, add this line into your server blocks:

include includes.d/{{ item.key }}/cloudflare-origin-ca.conf;

Common Errors

No site is using Cloudflare Origin CA

Obviously, you should not run this role when you don't use Cloudflare Origin CA.

vault_cloudflare_origin_ca_key is not defined

Encrypt your Cloudflare Origin CA Key in group_vars/<environment>/vault.yml. See role variables.

example.com is using Cloudflare Origin CA but OCSP stapling is enabled

... you're trying to staple OCSP responses with Origin CA. Right now OCSP is not supported with Origin CA, so you should remove the ssl_stapling directive for the host that you're using the Origin CA cert on...

--- Cloudflare Support

Cloudflare Origin CA doesn't support OCSP stapling. Disable OCSP stapling for all sites using Cloudflare Origin CA. See role variables.

Nginx directories not included

Make sure you have roots/[email protected] or later.

400 Bad Request - No required SSL certificate was sent

Symptoms:

* Server returns "400 Bad Request - No required SSL certificate was sent" for all requests
* Nginx logged "client sent no required SSL certificate while reading client request headers, client: [redacted], server:[redacted], request: "GET / HTTP/1.1", host: "[redacted]""
* ssl_verify_client on; somewhere in Nginx config files
* Using client_cert_url in wordpress_sites.yml, i.e. roots/trellis#869

Culprit:

Your Authenticated Origin Pulls configuration is incorrect.

Fact:

This role has nothing to do with Authenticated Origin Pulls or ssl_verify_client.

Solution:

1. Read Introducing Cloudflare Origin CA
2. Read Authenticated Origin Pulls
3. Understand this role is Cloudflare Origin CA
4. Understand Cloudflare Origin CA and Authenticated Origin Pulls are 2 different things
5. Read #34
6. Contact Cloudflare support if you still have questions
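The site selection and preflight checks behind the role variables above and the first three errors in this section, as an added Python example that is not part of the role: it re-implements the sites_using_cloudflare_origin_ca selection used by the playbook guard, the default SAN list (all canonical and redirect hosts) and the days/key_type/key_size constraints, and reports problems in the wording of the role's own messages. The sample config is constructed; the Trellis key names are the ones shown in this README.

```python
ALLOWED_DAYS = {7, 30, 90, 365, 730, 1095, 5475}
ALLOWED_KEY_SIZES = {"rsa": {2048, 3072, 4096}, "ecdsa": {256, 384, 521}}

SAMPLE_SITES = {  # constructed sample for the parsed wordpress_sites.yml (no PyYAML needed)
    "example.com": {  # mirrors the README's example site
        "site_hosts": [{"canonical": "example.com",
                        "redirects": ["hi.example.com", "hello.another-example.com"]}],
        "ssl": {"enabled": True, "stapling_enabled": False, "provider": "cloudflare-origin-ca"},
        "cloudflare_origin_ca": {"days": 7, "key_type": "rsa", "key_size": 3072},
    },
    "legacy.example.org": {  # another provider: the role must leave it alone
        "site_hosts": [{"canonical": "legacy.example.org"}], "ssl": {"provider": "letsencrypt"},
    },
}
SAMPLE_VAULT = {"vault_cloudflare_origin_ca_key": "v1.0-PLACEHOLDER"}  # placeholder, never a real key

def sites_using_cloudflare_origin_ca(wordpress_sites):
    """Same selection as the playbook guard `when: sites_using_cloudflare_origin_ca | count`."""
    return [name for name, site in wordpress_sites.items()
            if site.get("ssl", {}).get("provider") == "cloudflare-origin-ca"]

def default_hostnames(site):
    """Default SAN list: every canonical and redirect host, deduplicated, order kept."""
    hosts = []
    for entry in site.get("site_hosts", []):
        for host in [entry["canonical"], *entry.get("redirects", [])]:
            if host not in hosts:
                hosts.append(host)
    return hosts

def check_site(name, site):
    """Problems for one Origin CA site, phrased like the role's own error messages."""
    problems, ssl, cfca = [], site.get("ssl", {}), site.get("cloudflare_origin_ca", {})
    if ssl.get("stapling_enabled"):  # Origin CA does not support OCSP stapling (see Common Errors)
        problems.append(f"{name} is using Cloudflare Origin CA but OCSP stapling is enabled")
    if cfca.get("days", 5475) not in ALLOWED_DAYS:
        problems.append(f"{name}: days must be one of {sorted(ALLOWED_DAYS)}")
    key_type, key_size = cfca.get("key_type", "ecdsa"), cfca.get("key_size", 256)
    if key_size not in ALLOWED_KEY_SIZES.get(key_type, set()):  # e.g. rsa with key_size left at 256
        problems.append(f"{name}: key_size={key_size} is invalid for key_type={key_type}")
    return problems

def run_checks(wordpress_sites, vault):
    """Role-level verdict: site name -> problems, or a single '_role' entry when nothing can run."""
    names = sites_using_cloudflare_origin_ca(wordpress_sites)
    if not names:
        return {"_role": ["No site is using Cloudflare Origin CA"]}
    if "vault_cloudflare_origin_ca_key" not in vault:
        return {"_role": ["vault_cloudflare_origin_ca_key is not defined"]}
    return {n: check_site(n, wordpress_sites[n]) for n in names}
```

Running run_checks(SAMPLE_SITES, SAMPLE_VAULT) over the sample returns an empty problem list for example.com; switching key_type to rsa without raising key_size, or enabling stapling, is reported before Ansible ever contacts the Origin CA API.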

FAQ

Why use Cloudflare Origin CA?

Short answer: To keep the connection between Cloudflare and your servers private and secure from tampering.

Long answer:

Cloudflare’s Flexible SSL mode is the default for Cloudflare sites on the Free plan. Flexible SSL mode means that traffic from browsers to Cloudflare will be encrypted, but traffic from Cloudflare to a site's origin server will not be. To take advantage of our Full and Strict SSL mode—which encrypts the connection between Cloudflare and the origin server—it’s necessary to install a certificate on the origin server.

Cloudflare Blog - Origin Server Connection Security with Universal SSL

What are the benefits of Cloudflare Origin CA over Let's Encrypt?

To get certificates from Let's Encrypt, you have to first disable Cloudflare, because Cloudflare hides the actual server IPs and makes Let's Encrypt challenges fail. Using Cloudflare Origin CA avoids this trouble.

What are the benefits of Cloudflare Origin CA over other public certificates?

See Introducing Cloudflare Origin CA on Cloudflare blog.

Why use 256-bit ECDSA key as default?

I assume you would like to set up Authenticated Origin Pulls with Cloudflare. I would recommend ECDSA, as elliptic curves provide the same security with less computational overhead.

Find out more about ECDSA: The digital signature algorithm of a better internet. The above article also mentioned that: "According to the ECRYPT II recommendations on key length, a 256-bit elliptic curve key provides as much protection as a 3,248-bit asymmetric key." Typical RSA keys in website certificates are 2048 bits. So, I think going with 256-bit ECDSA will be a good choice.

--- Cloudflare Support

If you insist on using RSA keys, make sure you set key_size to at least 2048.

Why is the Cloudflare Origin CA key logged even when cloudflare_origin_ca_no_log is true?

Note that the use of the no_log attribute does not prevent data from being shown when debugging Ansible itself via the ANSIBLE_DEBUG environment variable.

--- Ansible Docs

Is Cloudflare Origin CA perfect?

It looks awesome. Where can I find some more goodies like this?

See Also

Support!

Donate via PayPal Donate via PayPal

Love Trellis Cloudflare Origin CA? Help me maintain it; a donation here can help with that.

Why don't you hire me?

Ready to take freelance WordPress jobs. Contact me via the contact form here or via email at [email protected]

Want to help in another way? Want to be a sponsor?

Contact: Tang Rufus

Feedback

Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.

Change log

Please see CHANGELOG for more information on what has changed recently.

Author Information

Trellis Cloudflare Origin CA is a Typist Tech project and maintained by Tang Rufus, freelance developer for hire.

Special thanks to the Roots team, whose Trellis makes this project possible.

Full list of contributors can be found here.

Contributing

Please see CODE_OF_CONDUCT for details.

License

Trellis Cloudflare Origin CA is released under the MIT License.