Launching cfbot — For Automated TLS Certificate Management using Cloudflare
Securing traffic to your web app is one of the most essential (and basic) things you need to do before launching it to production. The standard for this is TLS (the successor to SSL; the old SSL protocol versions are deprecated and should not be enabled any more). TLS secures the connection between two systems, typically the browser requesting data and the web server sending it, by encrypting the data in transit so that an attacker sitting on the network path can neither read nor silently tamper with it. It protects data on the wire only, not data at rest on either end.
Implementing TLS requires a certificate issued by a Certificate Authority (CA), which is deployed on the web server together with its private key. Certificates have a fixed validity period (a not-before and a not-after date), so a new certificate must be issued and deployed before the old one expires; once it has expired, clients reject the connection. If set up correctly, browsers show the padlock for your URL. If the certificate is expired, does not match the hostname, or was issued by a CA the client does not trust, they show a "Not secure" warning instead.
There are a lot of products (both paid and open source) for implementing and managing a web app's certificate lifecycle. Let's Encrypt, a free, automated CA run by a nonprofit, is one of the most popular choices. Cloudflare is another popular choice for DNS management and edge security, and we have been using their services for almost 5 years now without any issues. Their free tier covers our current requirements except for one thing: the certificates installed on our origin servers have to be rotated manually when they are about to expire.
If you are using Let's Encrypt as your CA, certbot already solves this: Let's Encrypt certificates are valid for 90 days and certbot renews them automatically once they are within 30 days of expiry, so in practice every 60 days or so. We wanted something similar for all our web apps, where we manage every aspect of how they are deployed and secured ourselves. Without such automation for Cloudflare, a lot of manual effort went into tracking and administering something that could be automated while still staying under our control. Worst of all, if someone forgets to renew a certificate on time, the app goes down, which is clearly undesirable.
During one of our brainstorming sessions on this problem, one of our engineers (pavan) asked how difficult this could really be, and resolved to build something like certbot but for Cloudflare, which he named cfbot. I am a big fan of the open source community, and at Syook we have always promoted giving back to the community whenever possible, so we decided to make this an open source project so that others can benefit from it too. You can find the source code here (contributions welcome!) and the published package here. So let's see cfbot in action.
Before running cfbot, have your Cloudflare Origin CA key handy; cfbot uses it to request certificates from Cloudflare's Origin CA. It can be found under API Tokens in your Cloudflare dashboard (https://dash.cloudflare.com/profile/api-tokens). Two caveats worth knowing: the Origin CA key can issue certificates for any zone in your account, so treat it as a secret (restrict file permissions, keep it out of shell history, scripts in repositories and CI logs). And Origin CA certificates are trusted only by Cloudflare's edge, not by browsers, so they are only suitable for origin servers that sit behind the Cloudflare proxy; a client connecting to the origin directly will get a certificate error.
To begin with cfbot, install it as a CLI app:
go get github.com/syook/cfbot
(With Go 1.17 or later, go get no longer installs binaries; use go install with an @latest version suffix on the same package path instead, and make sure $GOPATH/bin or $GOBIN is on your PATH.)
Run the following init command to issue the first certificates and set up a cron job that automatically fetches new certificates and revokes the old ones shortly before they expire. The following options need to be provided:
- Cloudflare Origin CA key (--auth flag)
- the hostnames (comma separated, --hostnames flag) for which you want certificates, e.g. 'yoursite.com', or subdomains such as 'subdomain1.yoursite.com' (in the case of multi-tenant apps); a wildcard such as '*.yoursite.com' covers all first-level subdomains
- validity period in days for which the certificates will be valid (--validity flag). Cloudflare's Origin CA only accepts a fixed set of values (7, 30, 90, 365, 730, 1095 or 5475 days); a short validity such as 7 days limits how long a leaked key stays useful, but it also means you depend entirely on the renewal job working
- postRenewCommand (-p flag): a CLI command run after new certificates are received, used to trigger app reloads etc., e.g. reload nginx so that it picks up the new files, or restart a Docker container, depending on your deployment setup (we use it to execute a bash script so we can do a lot more from the CLI). Have it validate the configuration (nginx -t) before reloading, so a bad renewal produces an error instead of taking the app down
- onErrorCommand (-e flag): a CLI command run when renewal fails, used to trigger error notifications, e.g. Slack (we have set up a Slack app and use a bash script to curl the errors to a Slack channel defined by the app)
sudo cfbot --init --auth <cloudflare CA token> --hostnames "*.example.com,example.com" --validity 7 -p <postRenewCommand (example: nginx -s reload)> -e <onErrorCommand (example: curl slack)>
The issued certificates are saved in the directory below. If you are using nginx, point the ssl_certificate and ssl_certificate_key directives in your port 443 server block at the certificate and key files cfbot writes there, so the certificates apply to all requests:
/etc/cfbot/live
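The two hook commands are where most of the operational safety lives, so here is a worked example of one POSIX shell script that serves as both the -p and the -e command. It is an added example, not part of cfbot or of Syook's own scripts, and it assumes things the post does not state: that the certificate and private key under /etc/cfbot/live are named fullchain.pem and privkey.pem (adjust to whatever cfbot actually writes), that the error text reaches the -e command as its first argument, and that a Slack incoming-webhook URL is supplied in SLACK_WEBHOOK_URL. Before reloading nginx it checks that the new certificate really belongs to the private key and is not about to expire, and it validates the nginx config first, so a broken renewal ends in an error notification rather than an outage.

```shell
#!/bin/sh
# cfbot-hooks.sh: added example hook script for cfbot's -p and -e flags
# (not part of cfbot). Usage with cfbot:
#   -p "/usr/local/bin/cfbot-hooks.sh post-renew"
#   -e "/usr/local/bin/cfbot-hooks.sh on-error"
# Assumptions (not stated on the page): the file names under /etc/cfbot/live,
# that the error message reaches the -e command as its first argument, and
# that SLACK_WEBHOOK_URL holds a Slack incoming-webhook URL.

CERT_DIR="${CERT_DIR:-/etc/cfbot/live}"
CERT="${CERT:-$CERT_DIR/fullchain.pem}"   # assumed file name
KEY="${KEY:-$CERT_DIR/privkey.pem}"       # assumed file name
MIN_DAYS="${MIN_DAYS:-2}"                 # refuse to deploy a cert expiring sooner than this

# Returns 0 if the public key in certificate $1 is the one belonging to private key $2.
# Both openssl commands print the SubjectPublicKeyInfo as PEM, so the text must match.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if certificate $2 will still be valid $1 seconds from now.
cert_valid_for() {
  openssl x509 -in "$2" -noout -checkend "$1" >/dev/null 2>&1
}

# Escapes backslashes, double quotes and newlines so $1 can sit inside a JSON string.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }'
}

# Slack incoming-webhook payload carrying the error message.
slack_payload() {
  printf '{"text":"cfbot error: %s"}' "$(json_escape "$1")"
}

post_renew() {
  cert_matches_key "$CERT" "$KEY" \
    || { echo "cert/key mismatch in $CERT_DIR, not reloading" >&2; return 1; }
  cert_valid_for $((MIN_DAYS * 86400)) "$CERT" \
    || { echo "new cert in $CERT_DIR expires within $MIN_DAYS days, not reloading" >&2; return 1; }
  # Validate the config before reloading; a failed reload would take the app down.
  nginx -t && nginx -s reload
}

on_error() {
  [ -n "${SLACK_WEBHOOK_URL:-}" ] || { echo "SLACK_WEBHOOK_URL not set" >&2; return 1; }
  curl -fsS -X POST -H 'Content-Type: application/json' \
    --data "$(slack_payload "$1")" "$SLACK_WEBHOOK_URL"
}

case "${1:-}" in
  post-renew) post_renew ;;
  on-error)   on_error "${2:-renewal failed (no details given)}" ;;
esac
```

A non-zero exit from post_renew is deliberate: if cfbot reports failures of the -p command through the -e hook, a rejected certificate then also reaches Slack instead of being silently left in place.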
That's it. Your app now serves TLS and cfbot will manage the certificates for the domains you have set up. It is still worth confirming that the cron job actually runs (check the cron logs after the first renewal window) and that the error hook fires when you deliberately break something, because a silent renewal failure is exactly the downtime this is meant to prevent.
Let me know if you found this helpful and if you have any ideas or suggestions for improvements do leave a comment here or in the github repo (github contributions are always welcome!)