Cloudflare and ACME GUI

Hi,

Feel I need some noob help in getting a LetsEncrypt cert issued via CloudFlare to use as my OpenWRT web Certificate.

I've done this a few times with other systems so thought this would be easy, just seem stuck with the ACME GUI in OpenWRT.

What do I put where really??

I've tried what I thought was every possible combination but am not seeing anything in Status > System Log.
So this might be an issue?

I've followed the wiki but am having trouble translating the CloudFlare DNS config into what the GUI needs.

DNS API = ?? I've tried dns_cf and CloudFlare and cf
DNS API Credentials = Tried just my API Key and cf_token="my API Key"

Any help would be appreciated, I'm obviously doing something stupid here?

Hi NotABot,

I hope you are doing well, and the information is still relevant for you.

But first of all thank you for your post. It has inspired me to get certificates working tonight. And I have done it finally.

Here is my system information:

OpenWrt 19.07.8 r11364-ef56c85848 / LuCI openwrt-19.07 branch git-22.115.68448-712bc8e
Linux M26HOME 4.14.241 #0 SMP Thu Jul 29 19:50:28 2021 mips GNU/Linux

Although LuCI is considered to be an easy way to configure things, it has some items that are not obvious. So I did a bit of reverse engineering by googling CF-specific options and manually editing the /etc/config/acme configuration file. After all the edits had been done, I refreshed LuCI and bingo! Finally it is clear what to enter, where and how. Please kindly find my screenshot below.

Of course, do not forget to check the system time on your OpenWrt prior to issuing certificates.

After some googling and RTFM, I admit that the DNS field could be just dns_cf, and it worked for me.

You can find your Zone ID and Account ID in the Overview menu item on the left side of your CF site dashboard.

Do not forget to press "+" on the right side when you add a domain name, DNS API credentials, etc.

Finally you can press Apply and Save and make some coffee as it may take some time.

Please revert with the results, and I hope you will also be able to get this stuff working. Wish you luck!

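The settings described above, written out as an `/etc/config/acme` stanza (an added example, not part of the original posts). The section names, domain and angle-bracket values are placeholders; `CF_Token`, `CF_Account_ID`, `CF_Zone_ID`, `CF_Key` and `CF_Email` are the variable names the acme.sh `dns_cf` hook reads, and the scoped-token form is shown beside the Global API Key form it should replace.

```uci
# /etc/config/acme  (added example; all values are placeholders)

config acme
	option state_dir '/etc/acme'
	option account_email 'admin@example.com'
	option debug '0'

# Preferred: a Cloudflare API token restricted to DNS edit on one zone.
# The Zone ID and Account ID come from the Overview page of the site
# in the Cloudflare dashboard.
config cert 'router_cert'
	option enabled '1'
	# Use the Let's Encrypt staging CA for the first attempts so that
	# repeated failures do not count against production rate limits;
	# set to 0 once issuance works.
	option use_staging '1'
	option keylength '2048'
	# Install the issued certificate into uhttpd (the LuCI web server).
	option update_uhttpd '1'
	# "DNS API" field in LuCI: the name of the acme.sh DNS hook.
	option dns 'dns_cf'
	# "DNS API credentials" field in LuCI: one NAME="value" per entry.
	list credentials 'CF_Token="<scoped-api-token>"'
	list credentials 'CF_Account_ID="<account-id>"'
	list credentials 'CF_Zone_ID="<zone-id>"'
	list domains 'router.example.com'

# Avoid: the Global API Key form. It also works with dns_cf, but the key
# grants full control of the Cloudflare account, not just DNS for one zone.
config cert 'legacy_global_key'
	option enabled '0'
	option dns 'dns_cf'
	list credentials 'CF_Key="<global-api-key>"'
	list credentials 'CF_Email="<account-email>"'
	list domains 'router.example.com'
```

With the scoped token, a compromised router can only change DNS records in that one zone, whereas the Global API Key exposes the whole account. The file stores the secret in clear text, so keep it out of shared backups and screenshots.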

Perhaps start with upgrading to a supported version (23.05.3) first.

Thanks @Alekss

I did eventually get this working and what I had done was very close to what you have shown.
Got my info from here
dnsapi · acmesh-official/acme.sh Wiki · GitHub

Unfortunately, my certificate did not renew automatically.
It 'skipped' renewal with the following output on the cli.

Skip, Next renewal time is: 2024-07-04T00:17:52Z

Although that was a date in the past?
My system time is correct using NTP in LuCI

So I had to 'force' renew via the command line.
/usr/lib/acme/client/acme.sh --force --renew --home /etc/acme -d my.domain.com

Then restart the uhttpd service from >System>Startup

It's possible I had changed too many things trying to get it working last time, maybe it will renew properly this time automatically...

Thanks again

Thanks @NotABot for your feedback, and glad to hear all is well with your setup.

Well, I have figured out that the issuance takes place when you either press Save & Apply in LuCI or issue the /etc/init.d/acme restart command. I did that and got the same result as you: skip, next renewal on... I can assume that could be because the renewal date has not yet come. I believe somebody who is familiar with this can shed more light than me.

I have also figured out from the /usr/lib/acme/run-acme wrapper script that it should make all the necessary settings on its own. It reloads uhttpd as well.

Anyway, I can see that the acme script is scheduled to run every midnight, please see below. I hope it will issue a new certificate when the expiration date comes.
#crontab -l
0 0 * * * /etc/init.d/acme start

Kind regards