{"id":13548640,"url":"https://github.com/typisttech/trellis-cloudflare-origin-ca","last_synced_at":"2025-04-22T19:56:56.734Z","repository":{"id":48082783,"uuid":"101776073","full_name":"typisttech/trellis-cloudflare-origin-ca","owner":"typisttech","description":"Add Cloudflare Origin CA to Trellis as a SSL provider","archived":false,"fork":false,"pushed_at":"2022-08-17T14:56:11.000Z","size":120,"stargazers_count":36,"open_issues_count":5,"forks_count":8,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-29T18:17:03.369Z","etag":null,"topics":["ansible","ansible-galaxy","cloudflare","https","nginx","ssl","trellis","wordpress","wordpress-deployment"],"latest_commit_sha":null,"homepage":"https://www.typist.tech/projects/trellis-cloudflare-origin-ca","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/typisttech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-29T15:21:31.000Z","updated_at":"2024-09-28T06:19:46.000Z","dependencies_parsed_at":"2022-08-12T18:10:56.994Z","dependency_job_id":null,"html_url":"https://github.com/typisttech/trellis-cloudflare-origin-ca","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/typisttech%2Ftrellis-cloudflare-origin-ca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/typisttech%2Ftrellis-cloudflare-origin-ca/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/typisttech%2Ftrellis-cloudflare-origin-ca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/re
positories/typisttech%2Ftrellis-cloudflare-origin-ca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/typisttech","download_url":"https://codeload.github.com/typisttech/trellis-cloudflare-origin-ca/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250315646,"owners_count":21410473,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-galaxy","cloudflare","https","nginx","ssl","trellis","wordpress","wordpress-deployment"],"created_at":"2024-08-01T12:01:12.752Z","updated_at":"2025-04-22T19:56:56.707Z","avatar_url":"https://github.com/typisttech.png","language":"Jinja","funding_links":["https://github.com/sponsors/TangRufus"],"categories":["Jinja"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# Trellis Cloudflare Origin CA\n\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![Ansible Role](https://img.shields.io/ansible/role/20120?style=flat-square)](https://galaxy.ansible.com/TypistTech/trellis-cloudflare-origin-ca/)\n[![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/TypistTech/trellis-cloudflare-origin-ca?style=flat-square)](https://galaxy.ansible.com/TypistTech/trellis-cloudflare-origin-ca/)\n[![Ansible Role Downloads](https://img.shields.io/ansible/role/d/20120?style=flat-square)](https://galaxy.ansible.com/TypistTech/trellis-cloudflare-origin-ca/)\n[![Ansible Quality 
Score](https://img.shields.io/ansible/quality/20120?style=flat-square)](https://galaxy.ansible.com/TypistTech/trellis-cloudflare-origin-ca/)\n[![CircleCI](https://img.shields.io/circleci/build/gh/TypistTech/trellis-cloudflare-origin-ca?style=flat-square)](https://circleci.com/gh/TypistTech/trellis-cloudflare-origin-ca)\n[![License](https://img.shields.io/github/license/TypistTech/trellis-cloudflare-origin-ca.svg?style=flat-square)](https://github.com/TypistTech/trellis-cloudflare-origin-ca/blob/master/LICENSE)\n[![Twitter Follow @TangRufus](https://img.shields.io/twitter/follow/TangRufus?style=flat-square\u0026color=1da1f2\u0026logo=twitter)](https://twitter.com/tangrufus)\n[![Hire Typist Tech](https://img.shields.io/badge/Hire-Typist%20Tech-ff69b4.svg?style=flat-square)](https://www.typist.tech/contact/)\n\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eAdd Cloudflare Origin CA to Trellis as a SSL provider.\u003c/strong\u003e\n  \u003cbr /\u003e\n  \u003cbr /\u003e\n  Built with ♥ by \u003ca href=\"https://www.typist.tech/\"\u003eTypist Tech\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n**Trellis Cloudflare Origin CA** is an open source project and completely free to use.\n\nHowever, the amount of effort needed to maintain and develop new features is not sustainable without proper financial backing. 
If you have the capability, please consider donating using the links below:\n\n\u003cdiv align=\"center\"\u003e\n\n[![GitHub via Sponsor](https://img.shields.io/badge/Sponsor-GitHub-ea4aaa?style=flat-square\u0026logo=github)](https://github.com/sponsors/TangRufus)\n[![Sponsor via PayPal](https://img.shields.io/badge/Sponsor-PayPal-blue.svg?style=flat-square\u0026logo=paypal)](https://typist.tech/go/paypal-donate/)\n[![More Sponsorship Information](https://img.shields.io/badge/Sponsor-More%20Details-ff69b4?style=flat-square)](https://typist.tech/donate/trellis-cloudflare-origin-ca/)\n\n\u003c/div\u003e\n\n---\n\nAdd [Cloudflare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/) to [Trellis](https://github.com/roots/trellis) as an [SSL provider](https://roots.io/trellis/docs/ssl/)\n\n## Why?\n\nShort answer: To keep the connection between Cloudflare and your servers private and secure from tampering.\n\nLong answer:\n\u003e Cloudflare’s Flexible SSL mode is the default for Cloudflare sites on the Free plan. Flexible SSL mode means that traffic from browsers to Cloudflare will be encrypted, but traffic from Cloudflare to a site's origin server will not be. To take advantage of our [Full and Strict SSL](https://www.cloudflare.com/ssl) mode—which encrypts the connection between Cloudflare and the origin server—it’s necessary to install a certificate on the origin server.\n\u003e\n\u003e Cloudflare Blog - [Origin Server Connection Security with Universal SSL](https://blog.cloudflare.com/origin-server-connection-security-with-universal-ssl/)\n\n### What are the benefits of Cloudflare Origin CA over Let's Encrypt?\n\nTo get certificates from [Let's Encrypt](https://letsencrypt.org/), you have to first disable Cloudflare, because Cloudflare hides the actual server IPs and makes Let's Encrypt challenges fail. 
Using Cloudflare Origin CA avoids this trouble.\n\n### What are the benefits of Cloudflare Origin CA over other public certificates?\n\nSee [Introducing Cloudflare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#whataretheincrementalbenefitsoforigincaoverpubliccertificates) on the Cloudflare blog.\n\n## Role Variables\n\n```yaml\n# group_vars/\u003cenvironment\u003e/vault.yml\n# This file should be encrypted. See: https://roots.io/trellis/docs/vault/\n##########################################################################\n\n# Cloudflare Origin CA Key\n# Not to be confused with the Cloudflare Global API Key\n# See: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#iiobtainyourcertificateapitoken\nvault_cloudflare_origin_ca_key: v1.0-xxxxxxxxxxx\n\n# group_vars/\u003cenvironment\u003e/main.yml\n###################################\n\n# Indicates the desired package state.\n# `latest` ensures that the latest version is installed.\n# `present` does not update if already installed.\n# Choices: present|latest\n# Default: latest\ncfca_package_state: present\n\n# Whether to hide results of sensitive tasks which\n# may include the Cloudflare Origin CA Key in plain text.\n# Choices: true|false\n# Default: false\ncloudflare_origin_ca_no_log: true\n\n# group_vars/\u003cenvironment\u003e/wordpress_sites.yml\n##############################################\n\nwordpress_sites:\n  example.com:\n    # Your Cloudflare account must own all these domains\n    site_hosts:\n      - canonical: example.com\n        redirects:\n          - hi.example.com\n          - hello.another-example.com\n    ssl:\n      # SSL must be enabled\n      enabled: true\n      # OCSP stapling must be disabled\n      stapling_enabled: false\n      # Use this role to generate the Cloudflare Origin CA certificate\n      provider: cloudflare-origin-ca\n    # The following are optional\n    cloudflare_origin_ca:\n      # Number of days for which the issued cert will be valid. 
Acceptable options are: 7, 30, 90, 365 (1y), 730 (2y), 1095 (3y), 5475 (15y).\n      # Default: 5475\n      days: 7\n      # List of fully-qualified domain names to include on the certificate as Subject Alternative Names.\n      # Default: All canonical and redirect domains\n      # In the above example: example.com, hi.example.com, hello.another-example.com\n      hostnames:\n        - example.com\n        - '*.example.com'\n        - '*.another-example.com'\n```\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eTypist Tech is ready to build your next awesome WordPress site. \u003ca href=\"https://typist.tech/contact/\"\u003eHire us!\u003c/a\u003e\u003c/strong\u003e\n\u003c/p\u003e\n\n---\n\n## Requirements\n\n* [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) 2.10 or later\n* [Trellis@c86d8a0](https://github.com/roots/trellis/commit/c86d8a042da811e89aa7fdda08159dc86f65be77) or later\n* [Cloudflare](https://www.cloudflare.com/) account\n* Ubuntu 18.04 (Bionic) or 20.04 (Focal)\n\n## Installation\n\nAdd this role to `galaxy.yml`:\n\n```yaml\n- src: TypistTech.trellis-cloudflare-origin-ca # Case-sensitive!\n  version: 0.8.0 # Check for latest version!\n```\n\nRun `$ trellis galaxy install`\n\n## Hacking Trellis' Playbook\n\nAdd this role to `server.yml` **immediately after** `role: wordpress-setup`:\n\n```diff\n    roles:\n      # ...\n-     - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }\n+     - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt, cloudflare-origin-ca] }\n+     - { role: TypistTech.trellis-cloudflare-origin-ca, tags: [cloudflare-origin-ca, wordpress-setup], when: sites_using_cloudflare_origin_ca | count }\n      # ...\n```\n\nNote: `role: wordpress-setup` is tagged with `cloudflare-origin-ca`.\n\n## Nginx Includes\n\nThis role templates Nginx SSL directives out to `{{ nginx_path }}/includes.d/{{ item.key }}/cloudflare-origin-ca.conf`. 
Trellis includes this file [here](https://github.com/roots/trellis/blob/4cd1be12a8cfacf78af3a9a1302bea153f80e459/roles/wordpress-setup/templates/wordpress-site.conf.j2#L106) and [here](https://github.com/roots/trellis/pull/879/files) by default, so no action is needed.\n\nIf you are using [Nginx child templates](https://roots.io/trellis/docs/nginx-includes/#child-templates), add this line to your server blocks:\n```\ninclude includes.d/{{ item.key }}/cloudflare-origin-ca.conf;\n```\n\n## Common Errors\n\n### No site is using Cloudflare Origin CA\n\nObviously, you should not run this role when you don't use Cloudflare Origin CA.\n\n### `vault_cloudflare_origin_ca_key` is not defined\n\nEncrypt your Cloudflare Origin CA Key in `group_vars/\u003cenvironment\u003e/vault.yml`. See [role variables](#role-variables).\n\n### `example.com` is using Cloudflare Origin CA but OCSP stapling is enabled\n\n\u003e ... you're trying to staple OCSP responses with Origin CA. Right now OCSP is not supported with Origin CA, so you should remove the ssl_stapling directive for the host that you're using the Origin CA cert on...\n\u003e\n\u003e --- Cloudflare Support\n\nCloudflare Origin CA doesn't support OCSP stapling. Disable OCSP stapling for all sites using Cloudflare Origin CA. See [role variables](#role-variables).\n\n### `key_type` is deprecated. Please remove it from `example.com`\n\nTo avoid misconfiguration, the `key_type` (ECDSA or RSA) and `key_size` (bits) options are deprecated. Since v0.8, this role generates 521-bit ECDSA keys only.\n\nIf you had previously generated CA certificates with other configurations:\n1. remove the CA certificates from the servers\n1. revoke the CA certificates via the Cloudflare dashboard\n1. re-provision the servers\n\n### `key_size` is deprecated. Please remove it from `example.com`\n\nTo avoid misconfiguration, the `key_type` (ECDSA or RSA) and `key_size` (bits) options are deprecated. 
Since v0.8, this role generates 521-bit ECDSA keys only.\n\nIf you had previously generated CA certificates with other configurations:\n1. remove the CA certificates from the servers\n1. revoke the CA certificates via the Cloudflare dashboard\n1. re-provision the servers\n\n### Nginx directories not included\n\nMake sure you have [roots/trellis@f2b8107](https://github.com/roots/trellis/commit/f2b81074c83475837e544a8aa5c3e909e760aa8a) or later.\n\n### 400 Bad Request - No required SSL certificate was sent\n\nSymptoms:\n* Server returns \"400 Bad Request - No required SSL certificate was sent\" for all requests\n* Nginx logs \"client sent no required SSL certificate while reading client request headers, client: [redacted], server:[redacted], request: \"GET / HTTP/1.1\", host: \"[redacted]\"\"\n* `ssl_verify_client on;` somewhere in the Nginx config files\n* Using `client_cert_url` in `wordpress_sites.yml`, i.e. [roots/trellis#869](https://github.com/roots/trellis/pull/869)\n\nCulprit:\n\nYour [Authenticated Origin Pulls](https://support.cloudflare.com/hc/en-us/articles/204899617) configuration is incorrect.\n\nFact:\n\nThis role has nothing to do with Authenticated Origin Pulls or `ssl_verify_client`.\n\nSolution:\n1. Read [Introducing Cloudflare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/#whataretheincrementalbenefitsoforigincaoverpubliccertificates)\n1. Read [Authenticated Origin Pulls](https://support.cloudflare.com/hc/en-us/articles/204899617)\n1. Understand that this role implements Cloudflare Origin CA\n1. Understand that Cloudflare Origin CA and Authenticated Origin Pulls are two different things\n1. Read [#34](https://github.com/TypistTech/trellis-cloudflare-origin-ca/issues/3)\n1. Contact Cloudflare support if you still have questions\n\n## FAQ\n\n### Why are only 521-bit ECDSA keys allowed?\n\n\u003eI assume you would like to set up [Authenticated Origin Pulls](https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls) with Cloudflare. 
I would recommend ECDSA, as elliptic curves provide the same security with less computational overhead.\n\u003e\n\u003eFind out more about [ECDSA: The digital signature algorithm of a better internet](https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/)\n\u003eThe above article also mentioned that: According to the [ECRYPT II recommendations](http://www.keylength.com/en/3/) on key length, a 256-bit elliptic curve key provides as much protection as a 3,248-bit asymmetric key. Typical RSA keys in website certificates are 2048-bits. So, I think going with 256-bits ECDSA will be a good choice.\n\u003e\n\u003e --- Cloudflare Support, September 2017\n\nTo avoid misconfiguration, the `key_type` (ECDSA or RSA) and `key_size` (bits) options are deprecated. Since v0.8, this role generates 521-bit ECDSA keys only.\n\nIf you had previously generated CA certificates with other configurations:\n1. remove the CA certificates from the servers\n1. revoke the CA certificates via the Cloudflare dashboard\n1. re-provision the servers\n\n### Why is the Cloudflare Origin CA key logged even when `cloudflare_origin_ca_no_log` is `true`?\n\n\u003e Note that the use of the `no_log` attribute does not prevent data from being shown when debugging Ansible itself via the `ANSIBLE_DEBUG` environment variable.\n\u003e\n\u003e --- [Ansible Docs](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook)\n\n### Is Cloudflare Origin CA perfect?\n\n* [Reddit discussion](https://www.reddit.com/r/Monero/comments/73y93c/localmoneroco_uses_cloudflare_which_is_insecure/)\n* [Cloudflare, We Have A Problem](http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/)\n* [On Cloudflare](https://www.tyil.nl/post/2017/12/17/on-cloudflare/)\n\n### It looks awesome. 
Where can I find some more goodies like this?\n\n- Articles on [Typist Tech's blog](https://typist.tech)\n- [Tang Rufus' WordPress plugins](https://profiles.wordpress.org/tangrufus#content-plugins) on wp.org\n- More projects on [Typist Tech's GitHub profile](https://github.com/TypistTech)\n- Stay tuned on [Typist Tech's newsletter](https://typist.tech/go/newsletter)\n- Follow [Tang Rufus' Twitter account](https://twitter.com/TangRufus)\n- **Hire [Tang Rufus](https://typist.tech/contact) to build your next awesome site**\n\n### Where can I give 5-star reviews?\n\nThanks! Glad you like it. It's important to let me know that somebody is using this project. Please consider:\n\n- [tweet](https://twitter.com/intent/tweet?url=https%3A%2F%2Fgithub.com%2FTypistTech%2Ftrellis-cloudflare-origin-ca\u0026via=tangrufus\u0026text=Add%20@Cloudflare%20Origin%20CA%20to%20%23Trellis%20as%20SSL%20provider%20\u0026hashtags=wordpress) something good mentioning [@TangRufus](https://twitter.com/tangrufus)\n- ★ star [the GitHub repo](https://github.com/TypistTech/trellis-cloudflare-origin-ca)\n- [👀 watch](https://github.com/TypistTech/trellis-cloudflare-origin-ca/subscription) the GitHub repo\n- write tutorials and blog posts\n- **[hire](https://www.typist.tech/contact/) Typist Tech**\n\n## See Also\n\n* [WP Cloudflare Guard](https://wordpress.org/plugins/wp-cloudflare-guard/) - Connects WordPress with the Cloudflare firewall to protect your WordPress site at the DNS level. 
Automatically creates firewall rules to block dangerous IPs\n* The [Root](https://github.com/roots/trellis/issues/868) of Trellis Cloudflare Origin CA\n* The [Origin](https://github.com/roots/trellis/pull/870) of Trellis Cloudflare Origin CA\n* [Cloudflare Origin CA](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/)\n* [Trellis SSL](https://roots.io/trellis/docs/ssl/)\n* [Trellis Nginx Includes](https://roots.io/trellis/docs/nginx-includes/)\n* [Ansible Vault](https://roots.io/trellis/docs/vault/)\n\n## Running the Tests\n\nRun the tests:\n\n```bash\nansible-playbook -vvv -i 'localhost,' --syntax-check tests/test.yml\nansible-lint -vv .\n```\n\n## Feedback\n\n**Please provide feedback!** We want to make this project as useful as possible.\nPlease [submit an issue](https://github.com/TypistTech/trellis-cloudflare-origin-ca/issues/new) and point out what you do and don't like, or fork the project and [send pull requests](https://github.com/TypistTech/trellis-cloudflare-origin-ca/pulls/).\n**No issue is too small.**\n\n## Security Vulnerabilities\n\nIf you discover a security vulnerability within this project, please email us at [trellis-cloudflare-origin-ca@typist.tech](mailto:trellis-cloudflare-origin-ca@typist.tech).\nAll security vulnerabilities will be promptly addressed.\n\n## Credits\n\n[Trellis Cloudflare Origin CA](https://github.com/TypistTech/trellis-cloudflare-origin-ca) is a [Typist Tech](https://typist.tech) project maintained by [Tang Rufus](https://twitter.com/TangRufus), a freelance developer for [hire](https://www.typist.tech/contact/).\n\nSpecial thanks to [the Roots team](https://roots.io/about/), whose [Trellis](https://github.com/roots/trellis) makes this project possible.\n\nA full list of contributors can be found [here](https://github.com/TypistTech/trellis-cloudflare-origin-ca/graphs/contributors).\n\n## License\n\n[Trellis Cloudflare Origin CA](https://github.com/TypistTech/trellis-cloudflare-origin-ca) is released under the [MIT 
License](https://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftypisttech%2Ftrellis-cloudflare-origin-ca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftypisttech%2Ftrellis-cloudflare-origin-ca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftypisttech%2Ftrellis-cloudflare-origin-ca/lists"}