Cloudflare API keys - Problems

[SdotVdot]

I’m using Caddy v2.11.2 with the dns.providers.cloudflare module. A new Cloudflare API token (user token, DNS edit + zone read) is verified as valid via /user/tokens/verify, but Caddy fails at startup with:

provision dns.providers.cloudflare: API token appears invalid

An older token (different format/length) works without issue. The failure happens before any API call (during provider provisioning), suggesting local validation may be rejecting newer token formats.

Is there any known incompatibility with newer Cloudflare API tokens?

EDIT: I see now that there are two pull requests addressing this issue.

[shellyeah]

Same issue here.
We're waiting for pull request #123 or #122 to be merged.
In the meantime I build caddy with the fixed version from #123 which works.
(Couldn't find a way for xcaddy to ignore the wrong module path in go.mod so I forked #123 too and built with my fork of the fork)
so just build --with github.com/shellyeah/cloudflare-dns-caddy-fix-temp instead of --with github.com/caddy-dns/cloudflare

(Will delete my fork once it's fixed here!)

Edit: Didn't see your edit.

[renegm]

Create a Dockerfile, same folder of compose.yaml with this content:
sudo nano Dockerfile

FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare \
    --replace github.com/caddy-dns/cloudflare=github.com/ogerman/cloudflare@1bc23c9
FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

and
sudo docker compose up -d --build

[MurtadhaInit]

For those using the NixOS module, this is a quick work around until #123 or #122 is merged.

services.caddy = {
  enable = true;
  package =
    (pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.3" ];
      hash = "sha256-bL1cpMvDogD/pdVxGA8CAMEXazWpFDBiGBxG83SmXLA=";
    }).overrideAttrs
      (old: {
        # Patch token validation regex to accept cfut_/cfat_ tokens (>50 chars).
        # Upstream fix: github.com/caddy-dns/cloudflare/pull/123
        postPatch = (old.postPatch or "") + ''
          sed -i 's/{35,50}/{35,256}/' vendor/github.com/caddy-dns/cloudflare/cloudflare.go
        '';
      });
};

[TrueBankai416]

Same issue here. We're waiting for pull request #123 or #122 to be merged. In the meantime I build caddy with the fixed version from #123 which works. (Couldn't find a way for xcaddy to ignore the wrong module path in go.mod so I forked #123 too and built with my fork of the fork) so just build --with github.com/shellyeah/cloudflare-dns-caddy-fix-temp instead of --with github.com/caddy-dns/cloudflare

(Will delete my fork once it's fixed here!)

Edit: Didn't see your edit.

xcaddy build --with github.com/caddy-dns/cloudflare@master --with github.com/caddy-dns/cloudflare=github.com/ogerman/cloudflare@1bc23c9

[willificent]

Such a pain, this issue took down our entire internal hairpin because we had the dumb idea to roll the key. Ce la via. Very appreciative there's a fix on the way, and solutions in the meantime!!

[MurtadhaInit]

Such a pain, this issue took down our entire internal hairpin because we had the dumb idea to roll the key. Ce la via. Very appreciative there's a fix on the way, and solutions in the meantime!!

0.2.4 has been released and it should now address the issue (it did for me).

[HoekHA]

When using: caddy add-package github.com/caddy-dns/cloudflare

I still get version v0.2.3.

Any ideas as what I'm doing wrong here ?

[willificent]

Rebuilding Caddy from source and the latest master of resolves this issue immediately.

The problem was indeed a local validation check in the module that rejected tokens longer than 50 characters (new Cloudflare tokens are 54 characters). The fix has been merged into master but isn't in the latest tagged release yet.

For anyone stuck, this build command fixed it for us:

# Install xcaddy
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

# Build Caddy with the latest (patched) cloudflare module
xcaddy build --with github.com/caddy-dns/cloudflare@latest

After replacing the binary and restarting the service, the 54-char tokens work perfectly.

[HoekHA]

When using: caddy add-package github.com/caddy-dns/cloudflare

I still get version v0.2.3.

Any ideas as what I'm doing wrong here ?

Ok, I figured out I had to use caddy add-package github.com/caddy-dns/cloudflare@v0.2.4

@latest (or using no option) apparently still installs the v0.2.3 package