TypistTech.trellis-cloudflare-origin-ca
Trellis Cloudflare Origin CA
Add Cloudflare Origin CA to Trellis as an SSL provider.
Built with ♥ by Typist Tech
Trellis Cloudflare Origin CA is a free and open-source project.
However, to keep improving and maintaining it, we need funding. If you can, please consider donating using the links below:
Why?
Short answer: To keep connections between Cloudflare and your servers safe and private.
Long answer:
Cloudflare’s Flexible SSL mode protects traffic from browsers to Cloudflare but does not protect traffic between Cloudflare and your server. To secure this connection, you need to install an SSL certificate on your server.
From Cloudflare Blog: Origin Server Connection Security with Universal SSL
Why choose Cloudflare Origin CA over Let's Encrypt?
When using Let's Encrypt, you must temporarily disable Cloudflare, as it can interfere with the verification process. Cloudflare Origin CA avoids this hassle.
Benefits over other public certificates?
You can find more information about the advantages of Cloudflare Origin CA over public certificates here.
Role Variables
# group_vars/<environment>/vault.yml
# This file should be encrypted. See: https://roots.io/trellis/docs/vault/
##########################################################################
# Cloudflare Origin CA Key (different from Global API Key)
vault_cloudflare_origin_ca_key: v1.0-xxxxxxxxxxx
# group_vars/<environment>/main.yml
###################################
# Desired package state.
# `latest` ensures the latest version is installed.
# `present` will not update if already installed.
cfca_package_state: present
# Option to hide sensitive task results including Cloudflare Origin CA Key.
cloudflare_origin_ca_no_log: true
# group_vars/<environment>/wordpress_sites.yml
##############################################
wordpress_sites:
  example.com:
    # Your Cloudflare account must own these domains
    site_hosts:
      - canonical: example.com
        redirects:
          - hi.example.com
          - hello.another-example.com
    ssl:
      # SSL must be enabled
      enabled: true
      # OCSP stapling must be disabled
      stapling_enabled: false
      # Use this role to generate Cloudflare Origin CA certificate
      provider: cloudflare-origin-ca
      # Optional settings
      cloudflare_origin_ca:
        # Validity of the issued certificate in days. Options: 7, 30, 90, 365 (1 year), 730 (2 years), 1095 (3 years), 5475 (15 years).
        days: 7
        # List of domain names for the certificate.
        hostnames:
          - example.com
          - '*.example.com'
          - '*.another-example.com'
Typist Tech is ready to help you build your next great WordPress site. Hire us!
Requirements
- Ansible 2.10 or later
- Trellis@c86d8a0 or later
- A Cloudflare account
- Ubuntu 18.04 (Bionic) or 20.04 (Focal)
Installation
Add this role to galaxy.yml:
  - src: TypistTech.trellis-cloudflare-origin-ca # Case-sensitive!
    version: 0.8.0 # Check for the latest version!
Run $ trellis galaxy install
Modifying Trellis' Playbook
Add this role to server.yml, right after role: wordpress-setup:
roles:
# ...
- - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
+ - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt, cloudflare-origin-ca] }
+ - { role: TypistTech.trellis-cloudflare-origin-ca, tags: [cloudflare-origin-ca, wordpress-setup], when: sites_using_cloudflare_origin_ca | count }
# ...
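Review bot: the new role entry on the last + line is gated by when: sites_using_cloudflare_origin_ca | count, but that variable is not listed under Role Variables anywhere on this page; a sentence stating where it is defined, and that users are not expected to set it themselves in group_vars, would save readers a hunt through the role. Minor: count is a Jinja alias of length, so | length > 0 states the intent more plainly.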
Note: the wordpress-setup role is also tagged cloudflare-origin-ca (and this role is tagged wordpress-setup), so the two roles run together whichever of those tags you pass to ansible-playbook.
Nginx Configuration
This role creates a configuration file for Nginx under {{ nginx_path }}/includes.d/{{ item.key }}/cloudflare-origin-ca.conf. Trellis includes this by default, so no extra action is needed.
If you use Nginx child templates, add this line in your server blocks:
include includes.d/{{ item.key }}/cloudflare-origin-ca.conf;
Common Errors
No site using Cloudflare Origin CA
Don't run this if you aren't using Cloudflare Origin CA.
vault_cloudflare_origin_ca_key is not defined
Encrypt your Cloudflare Origin CA Key in group_vars/<environment>/vault.yml.
OCSP Stapling is enabled
Cloudflare Origin CA does not support OCSP stapling. Disable it for all sites using Cloudflare Origin CA.
key_type and key_size are deprecated
Remove these settings to avoid issues. This role only generates 521-bit ECDSA keys.
Nginx directories not included
Ensure you're using roots/trellis@f2b8107 or later.
400 Bad Request - No SSL certificate sent
Symptoms might include server errors and Nginx logging related to missing SSL certificates. Check your Authenticated Origin Pulls settings.
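The following pre-flight check is an added example, not code from this role or from Trellis. It turns the rules from the Role Variables section and the Common Errors above (SSL enabled, OCSP stapling off, vault key present, deprecated key_type/key_size removed, an allowed days value) into a function you can run against your group_vars before the playbook does. It assumes wordpress_sites and the vault file have already been loaded from YAML into dicts (for example with yaml.safe_load); the two site configurations and the vault dict in the block are constructed sample data.

```python
"""Pre-flight checks for Trellis sites that use the cloudflare-origin-ca SSL
provider. Added example: not code from the role or from Trellis. It encodes
the rules listed under Role Variables and Common Errors; the sample data at
the bottom is constructed."""

PROVIDER = "cloudflare-origin-ca"
ALLOWED_DAYS = {7, 30, 90, 365, 730, 1095, 5475}   # validity options from the role docs
DEPRECATED_KEYS = ("key_type", "key_size")         # ignored by the role; it always issues 521-bit ECDSA keys


def uses_origin_ca(site):
    """True when a site's ssl block selects this role as its provider."""
    return (site.get("ssl") or {}).get("provider") == PROVIDER


def check_site(name, site):
    """Return the problems found in one site entry (empty list means OK)."""
    problems = []
    ssl = site.get("ssl") or {}
    # Trellis defaults ssl.enabled to false, so it must be set explicitly.
    if ssl.get("enabled") is not True:
        problems.append(f"{name}: ssl.enabled must be true")
    # Origin CA certificates do not support OCSP stapling
    # (assumption: a missing stapling_enabled key means disabled).
    if ssl.get("stapling_enabled"):
        problems.append(f"{name}: ssl.stapling_enabled must be false (OCSP stapling is unsupported)")
    for key in DEPRECATED_KEYS:
        if key in ssl:
            problems.append(f"{name}: ssl.{key} is deprecated; remove it")
    opts = ssl.get("cloudflare_origin_ca") or {}
    days = opts.get("days")
    if days is not None and days not in ALLOWED_DAYS:
        problems.append(f"{name}: cloudflare_origin_ca.days={days} is not one of {sorted(ALLOWED_DAYS)}")
    hostnames = opts.get("hostnames")
    if hostnames is not None and not (isinstance(hostnames, list) and hostnames):
        problems.append(f"{name}: cloudflare_origin_ca.hostnames must be a non-empty list")
    return problems


def validate(wordpress_sites, vault):
    """Validate every Origin CA site plus the vault key; returns a list of problem strings."""
    using = [name for name, site in wordpress_sites.items() if uses_origin_ca(site)]
    if not using:
        # Same situation as the role's own failure: do not run it at all.
        return ["No site using Cloudflare Origin CA"]
    problems = []
    if not vault.get("vault_cloudflare_origin_ca_key"):
        problems.append("vault_cloudflare_origin_ca_key is not defined")
    for name in using:
        problems.extend(check_site(name, wordpress_sites[name]))
    return problems


# Constructed sample data mirroring the README's example site.
GOOD_SITES = {
    "example.com": {
        "site_hosts": [{"canonical": "example.com", "redirects": ["hi.example.com"]}],
        "ssl": {
            "enabled": True,
            "stapling_enabled": False,
            "provider": PROVIDER,
            "cloudflare_origin_ca": {"days": 7, "hostnames": ["example.com", "*.example.com"]},
        },
    }
}
GOOD_VAULT = {"vault_cloudflare_origin_ca_key": "v1.0-PLACEHOLDER"}  # constructed placeholder, not a real key

# Constructed misconfiguration: stapling left on, deprecated key_size, unsupported validity, no vault key.
BAD_SITES = {
    "example.com": {
        "ssl": {
            "enabled": True,
            "stapling_enabled": True,
            "provider": PROVIDER,
            "key_size": 4096,
            "cloudflare_origin_ca": {"days": 14},
        },
    }
}

if __name__ == "__main__":
    for label, sites, vault in (("good", GOOD_SITES, GOOD_VAULT), ("bad", BAD_SITES, {})):
        found = validate(sites, vault)
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  -", line)
```

Run it before provisioning: an empty list means the role's preconditions are met; each string names the site and the setting to fix, in the same terms as the Common Errors headings above.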
FAQ
Why only 521-bit ECDSA keys?
ECDSA offers strong security with lower resource needs. More info here.
Why is Cloudflare Origin CA key logged?
The no_log attribute doesn't prevent data from showing when Ansible is debugged.
Is Cloudflare Origin CA perfect?
Check out discussions about its security and reliability here.
Where can I find more resources?
- Articles on Typist Tech's blog
- Tang Rufus' WordPress plugins
- Other projects on Typist Tech's GitHub
- Subscribe to Typist Tech's newsletter
- Follow Tang Rufus on Twitter
How to leave a review?
We appreciate your feedback! Consider:
- Tweeting your thoughts, tagging @TangRufus
- ★ star the Github repo
- 👀 watch the GitHub repo
- Write tutorials or blog posts
- Hire Typist Tech
See Also
Running Tests
To run tests:
ansible-playbook -vvv -i 'localhost,' --syntax-check tests/test.yml
ansible-lint -vv .
Feedback
We want your input! Please submit issues or propose changes to help improve this project. No feedback is too small.
Security Vulnerabilities
For any security concerns, please email us at [email protected].
Credits
Trellis Cloudflare Origin CA is maintained by Typist Tech and Tang Rufus, a freelance developer available for hire.
Thanks to the Roots team for their support in making this project possible.
License
This project is released under the MIT License.
ansible-galaxy install TypistTech.trellis-cloudflare-origin-ca