How to use two different cloudflare accounts #315

Open
ludekvodicka opened this issue Mar 25, 2025 · 3 comments

Comments

@ludekvodicka

Hello,

First of all, thanks for the great tool. I'm trying to use it for our company servers, but I’ve run into one issue.

Historically, we have two different Cloudflare accounts for domains that are managed on the same server and through a single Nginx instance (the domains are internal, so other verification methods can't be used).

Is there a way to configure docker-nginx-certbot to handle this setup using the DNS-01 challenge?

I tried creating two files: /etc/letsencrypt/cloudflare.ini and /etc/letsencrypt/cloudflare2.ini, and then referring to cloudflare2 via the path in ssl_certificate_key (ssl_certificate_key /etc/letsencrypt/live/test.dns-cloudflare2/privkey.pem;). Unfortunately, this approach doesn't seem to work.

Is there a way to solve this?

Thank you.

@JonasAlfredsson
Owner

Oooh, this is a new use case that is not taken into account.
Not entirely sure how this is best handled, but would you expect the cert name to steer which cert file to use?

@ludekvodicka
Author

I believe this could be made slightly easier.

Currently, it's possible to select the DNS authenticator based on the directory name, as described here:

https://github.com/JonasAlfredsson/docker-nginx-certbot/blob/master/docs/certbot_authenticators.md#using-a-dns-01-authenticator-for-specific-certificates-only

However, the directory name must match one of the known DNS authenticators (e.g., /etc/letsencrypt/cloudflare, /etc/letsencrypt/digitalocean, etc.).

A useful improvement would be to extend this logic so that the authenticator is selected not just by the driver name (directory), but also by the filename of the credentials file.

For example, if someone creates:

/etc/letsencrypt/cloudflare.ini
/etc/letsencrypt/cloudflare-second.ini
/etc/letsencrypt/cloudflare-third.ini

Then there could be a way to determine which authenticator to use based on the cert path, such as:

/etc/letsencrypt/live/test-name.dns-cloudflare-second/fullchain.pem;
/etc/letsencrypt/live/test-name.dns-cloudflare-third/fullchain.pem;

While still falling back to the default cloudflare.ini file when using the environment variable:
ENV CERTBOT_AUTHENTICATOR=dns-cloudflare

This approach would allow users to rely on the default authenticator for most cases, but use different Cloudflare accounts when needed — ideal for more complex setups involving multiple domains managed under separate Cloudflare accounts.

I hope this makes things a bit clearer. I'm happy to provide more details if needed.

Thanks

@JonasAlfredsson
Owner

I think I understand what you are after. A suggestion here is to implement something like this:

```bash
server_name="name.of.rsa.dns-name-and-such.cert"
# Match a "dns-<something>" marker delimited by "-" or "." (or the string ends),
# then print only the part of <something> that follows its final "-".
if [[ "${server_name}" =~ (^|[-.])dns-([^.]+)([-.]|$) ]]; then
    echo "${BASH_REMATCH[2]##*-}"
fi
```

which outputs "such". This means we would allow a unique identifier for the DNS authenticator, which comes after the final "-".
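
One way the idea in this thread could be carried through, as an added example and not code from docker-nginx-certbot: resolve the authenticator and the credentials file from the cert name, fall back to `CERTBOT_AUTHENTICATOR`, and refuse a credentials file that other users can read (certbot warns about unsafe permissions, and a leaked API token lets anyone edit the zone). The `/etc/letsencrypt/<driver>[-<id>].ini` layout and the `CREDS_DIR` variable are assumptions taken from the file names proposed above.

```bash
#!/usr/bin/env bash
# Added example, not code from docker-nginx-certbot. Assumed layout (from the
# thread): the default credentials file is /etc/letsencrypt/<driver>.ini and
# an alternate account lives in /etc/letsencrypt/<driver>-<id>.ini, selected
# by a ".dns-<driver>-<id>" marker in the certificate name.
set -euo pipefail

CREDS_DIR="${CREDS_DIR:-/etc/letsencrypt}"           # assumed location
DEFAULT_AUTHENTICATOR="${CERTBOT_AUTHENTICATOR:-}"    # e.g. dns-cloudflare

# Print "<authenticator> <credentials file>" for a certificate name (the
# directory name under /etc/letsencrypt/live). Returns 1 when the name has
# no dns- marker and no default DNS authenticator is configured.
resolve_dns_credentials() {
    local cert_name="$1" driver="" ident=""
    if [[ "${cert_name}" =~ (^|[-.])dns-([^.]+)([-.]|$) ]]; then
        driver="${BASH_REMATCH[2]}"            # e.g. "cloudflare-second"
        if [[ "${driver}" == *-* ]]; then
            ident="${driver##*-}"              # identifier after the final "-"
            driver="${driver%-*}"              # driver name before it
        fi
    elif [[ "${DEFAULT_AUTHENTICATOR}" == dns-* ]]; then
        driver="${DEFAULT_AUTHENTICATOR#dns-}" # fall back to the env default
    else
        return 1
    fi
    printf '%s %s\n' "dns-${driver}" "${CREDS_DIR}/${driver}${ident:+-${ident}}.ini"
}

# Fail unless the credentials file exists and has no group/other permission
# bits (mode 600 or stricter). Parses "ls -ld" so it works on GNU and BSD.
check_credentials_file() {
    local file="$1" perms
    [[ -f "${file}" ]] || { echo "missing credentials file: ${file}" >&2; return 1; }
    perms="$(ls -ld "${file}")"
    if [[ "${perms:4:6}" != "------" ]]; then     # group+other bits of "-rw-------"
        echo "${file} is readable by others (${perms:0:10}); run chmod 600" >&2
        return 1
    fi
}

main() {
    local name resolved authenticator file
    for name in "$@"; do
        resolved="$(resolve_dns_credentials "${name}")" || { echo "${name}: no DNS authenticator" >&2; continue; }
        read -r authenticator file <<< "${resolved}"
        check_credentials_file "${file}" || continue
        echo "certbot certonly --authenticator ${authenticator} --${authenticator}-credentials ${file} --cert-name ${name}"
    done
}
main "$@"
```

Run it with one or more cert names, e.g. `test-name.dns-cloudflare-second`, to see which credentials file each would select.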
