https://github.com/ftcunion/cloudflare-aop-scripts
Minimal bash scripts to work with custom certificates for Cloudflare's authenticated origin pulls feature
authenticated-origin-pulls bash-script cloudflare cloudflare-api mutual-tls
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/ftcunion/cloudflare-aop-scripts
- Owner: ftcunion
- License: bsd-2-clause
- Created: 2025-07-17T13:25:05.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2025-07-18T10:46:27.000Z (3 months ago)
- Last Synced: 2025-07-18T14:38:18.573Z (3 months ago)
- Topics: authenticated-origin-pulls, bash-script, cloudflare, cloudflare-api, mutual-tls
- Language: Shell
- Homepage: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/
- Size: 6.84 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Cloudflare Authenticated Origin Pulls Bash Scripts
This repository contains several minimal bash scripts which help you follow the instructions provided by Cloudflare to set up authenticated origin pulls:
- [Zone level instructions](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/): scripts are in the `zone` directory.
- [Hostname level instructions](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/): scripts are in the `hostname` directory.

To generate the certificates, you can use the `generate_certs.sh` script in the root directory. This script follows the instructions in the "Before you begin" section of the Cloudflare documentation.

In each directory, there are scripts to:
- `upload_cert.sh`: Upload the generated certificate and private key to Cloudflare. It assumes the paths from the `generate_certs.sh` script.
- `enable_cert.sh`: Enable the uploaded certificate for authenticated origin pulls.
- `list_cert.sh`: List the certificates uploaded for the zone or hostname.
- `status_cert.sh`: Check the status of a certificate.
- `delete_cert.sh`: Delete a certificate.

Of these, only the first two are required to set up authenticated origin pulls. The others are for managing the certificates and debugging. Each script just calls curl with the appropriate parameters.

## Dependencies
Every script except for `generate_certs.sh` requires `curl` (which is not preinstalled on Debian/Ubuntu). The `generate_certs.sh` script requires `openssl`.
## Usage
To use the scripts, you need to create a `CONFIG` file in the root directory with your Cloudflare account details:
```bash
MYAUTHEMAIL="" # Email for Cloudflare account
MYAUTHKEY="" # Global API Key for Cloudflare account, https://dash.cloudflare.com/profile/api-tokens
ZONEID="" # Zone ID for domain, available in overview tab of Cloudflare dashboard
HOSTNAME="" # Hostname for hostname-level scripts
```

You can also start by copying the `CONFIG.template` file to `CONFIG` (i.e., `cp CONFIG.template CONFIG`) and filling in your details. You can then run the scripts from the root of this repository. For example, if you were following the instructions to set up a zone-level certificate, you would run:
```bash
./generate_certs.sh # Step 0
./zone/upload_cert.sh | jq # Step 1
./zone/enable_cert.sh | jq # Step 4
```

Piping to `jq` is optional. It just makes the JSON output look nice.

After running those three commands, you just have to switch on the SSL/TLS > Origin Server > Authenticated Origin Pulls option in the Cloudflare dashboard (step 3) and enforce the validation check on your origin server using the `rootca.crt` file generated by `generate_certs.sh` (steps 2 and 5).
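
Before uploading, it can help to confirm that the certificate verifies against the `rootca.crt` your origin will trust, that the private key belongs to it, and that it is not close to expiry. The script below is an added example, not one of the repository's scripts; the function names and the 30-day default are assumptions, and the certificate and key paths are passed as arguments because the README does not list them.

```bash
#!/usr/bin/env bash
# Added example, not part of the repository. Certificate and key file names
# are passed as arguments; only rootca.crt is a name taken from the README.

# spki_digest cert|key FILE: SHA-256 of the DER-encoded public key.
spki_digest() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null |
                  openssl pkey -pubin -outform DER 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_aop_cert ROOT_CA CERT KEY [MIN_DAYS]
# Returns 0 only if all three checks pass; reports each failure on stderr.
check_aop_cert() {
    local root="$1" cert="$2" key="$3" min_days="${4:-30}" rc=0

    # 1. The client certificate must verify with ROOT_CA given as the CA file,
    #    because the origin validates Cloudflare's certificate against it.
    if ! openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $root" >&2
        rc=1
    fi

    # 2. The private key must be the one the certificate was issued for.
    if [ "$(spki_digest cert "$cert")" != "$(spki_digest key "$key")" ]; then
        echo "FAIL: $key does not match $cert" >&2
        rc=1
    fi

    # 3. -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days" >&2
        rc=1
    fi
    return "$rc"
}

# Run the checks when called as: ./check.sh rootca.crt CERT KEY [MIN_DAYS]
if [ "$#" -ge 3 ]; then
    check_aop_cert "$@" && echo "OK: certificate is ready to upload"
fi
```

A mismatch in check 1 means the origin would reject Cloudflare's requests once validation is enforced, so it is worth running this before `upload_cert.sh`.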