[X] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
[X] I have searched the issue tracker and my issue isn't already found.
[X] I have replicated my issue using the latest version of the provider and it is still present.
Confirmation
Terraform and Cloudflare provider version
Affected resource(s)
cloudflare_custom_hostname
Terraform configuration files
Link to debug output
https://gist.github.com/mikim83/d818322cb4f379166187ebd8e5666c01
Panic output
No response
Expected output
Success
Actual output
Error: failed to update custom hostname certificate: Certificate Authority selection is only available on an Enterprise plan. If you're interested in the Enterprise plan, please fill out this form and someone from our sales team will contact you: https://www.cloudflare.com/plans/enterprise/contact/ (1459)
Steps to reproduce
Have a business plan on cloudflare
Have the Advanced Certificate Manager addon
Create and validate custom_hostname like this:
resource "cloudflare_custom_hostname" "domain_example_com" {
  hostname = "domain_example_com"
  zone_id  = "MY_ZONE_ID"
  ssl {
    bundle_method = "ubiquitous"
    method        = "txt"
    settings {
      min_tls_version = "1.2"
    }
    type     = "dv"
    wildcard = false
  }
}
Modify the resource to define which ssl ciphers you want to allow:
resource "cloudflare_custom_hostname" "domain_example_com" {
  hostname = "domain_example_com"
  zone_id  = "MY_ZONE_ID"
  ssl {
    bundle_method = "ubiquitous"
    method        = "txt"
    settings {
      min_tls_version = "1.2"
      ciphers = [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305"
      ]
    }
    type     = "dv"
    wildcard = false
  }
}
Apply changes and then you get this error:
Error: failed to update custom hostname certificate: Certificate Authority selection is only available on an Enterprise plan. If you're interested in the Enterprise plan, please fill out this form and someone from our sales team will contact you: https://www.cloudflare.com/plans/enterprise/contact/ (1459)
Additional factoids
The official documentation from Cloudflare (link) explicitly says that:
So, modifying the ciphers settings on the cloudflare_custom_hostname resource, with the ACM addon, should be allowed. In fact, if I perform a curl directly to the Cloudflare API using the same API_TOKEN as in Terraform, I can change the settings:
curl --request PATCH \
  "https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/HOSTNAME_ID" \
  --header "Authorization: Bearer API_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "ssl": {
      "type": "dv",
      "method": "http",
      "hosts": [ "example.domain.com" ],
      "settings": {
        "min_tls_version": "1.2",
        "ciphers": [
          "ECDHE-ECDSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-CHACHA20-POLY1305",
          "ECDHE-RSA-CHACHA20-POLY1305"
        ]
      },
      "bundle_method": "ubiquitous",
      "wildcard": false
    }
  }'
Once the curl is finished, if I perform a terraform plan I can see the changes done on the Cloudflare API side.
I think the problem originates because the provider always sends the certificate_authority property, which is only allowed to be modified in the Enterprise plan.
References
No response
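The cause proposed at the end of the issue, illustrated with an added Go example that is not the provider's own code: a string field serialized without `omitempty` puts `certificate_authority` in the request body even on a cipher-only change, while `omitempty` leaves it out. The type names `AlwaysCA` and `OptionalCA`, the helpers `SendsCA` and `CipherUpdate`, and the reduced field set are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Settings and SSLBase mirror a subset of the "ssl" object in the curl payload.
type Settings struct {
	MinTLSVersion string   `json:"min_tls_version"`
	Ciphers       []string `json:"ciphers"`
}
type SSLBase struct {
	Type     string   `json:"type"`
	Method   string   `json:"method"`
	Settings Settings `json:"settings"`
}

// AlwaysCA (hypothetical): no omitempty, so an unset value is still sent as "".
type AlwaysCA struct {
	SSLBase
	CertificateAuthority string `json:"certificate_authority"`
}

// OptionalCA (hypothetical): omitempty drops the key when the value is unset.
type OptionalCA struct {
	SSLBase
	CertificateAuthority string `json:"certificate_authority,omitempty"`
}

// SendsCA reports whether the serialized body carries certificate_authority.
func SendsCA(ssl interface{}) (bool, error) {
	raw, err := json.Marshal(ssl)
	if err != nil {
		return false, err
	}
	return bytes.Contains(raw, []byte(`"certificate_authority":`)), nil
}

// CipherUpdate is a constructed cipher-only change like the one in the issue.
func CipherUpdate() SSLBase {
	return SSLBase{Type: "dv", Method: "txt", Settings: Settings{
		MinTLSVersion: "1.2", Ciphers: []string{"ECDHE-ECDSA-AES128-GCM-SHA256"}}}
}

func main() {
	a, _ := SendsCA(AlwaysCA{SSLBase: CipherUpdate()})
	b, _ := SendsCA(OptionalCA{SSLBase: CipherUpdate()})
	fmt.Println("always:", a, "optional:", b)
}
```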