tiredofit / docker-traefik-cloudflare-companion

Automatically Create CNAME records for containers served by Traefik
MIT License

Constant Authentication Errors #73

Open mariaWitch opened 2 years ago

mariaWitch commented 2 years ago

Summary

When I add a new domain to a container through traefik, cloudflare-companion errors out repeatedly with authentication failures to cloudflare. I'm not sure if something has changed with Cloudflare's API, but both of my other services which rely on the same API keys/tokens do not have the same issue as this does.

Steps to reproduce

(Input your api keys and tokens, and then attempt to start the container with a host set to a subset of the domain.)

What is the expected correct behavior?

It should not error and should create the subdomain automatically.

Relevant logs and/or screenshots

```
cloudflare-companion    | 2022-08-14.15:59:38 [STARTING] ** [traefik-cloudflare-companion] [19] Starting Traefik Cloudflare Companion
cloudflare-companion    | Traceback (most recent call last):
cloudflare-companion    |   File "/usr/sbin/cloudflare-companion", line 466, in <module>
cloudflare-companion    |     sync_mappings(get_initial_mappings(traefik_included_hosts, traefik_excluded_hosts), doms)
cloudflare-companion    |   File "/usr/sbin/cloudflare-companion", line 354, in sync_mappings
cloudflare-companion    |     if point_domain(k, domain_infos):
cloudflare-companion    |   File "/usr/sbin/cloudflare-companion", line 168, in point_domain
cloudflare-companion    |     records = cf.zones.dns_records.get(domain_info['zone_id'], params={u'name': name})
cloudflare-companion    |   File "/usr/lib/python3.10/site-packages/CloudFlare/cloudflare.py", line 695, in get
cloudflare-companion    |     return self._base.call_with_auth('GET', self._parts,
cloudflare-companion    |   File "/usr/lib/python3.10/site-packages/CloudFlare/cloudflare.py", line 139, in call_with_auth
cloudflare-companion    |     return self._call(method, headers, parts,
cloudflare-companion    |   File "/usr/lib/python3.10/site-packages/CloudFlare/cloudflare.py", line 525, in _call
cloudflare-companion    |     raise CloudFlareAPIError(code, message)
cloudflare-companion    | CloudFlare.exceptions.CloudFlareAPIError: Authentication error
```

Environment

docker-compose.yml

```
version: "3.7"

networks:
  internal:
    driver: bridge
  services:
    driver: bridge
  keycloakDB:
    driver: bridge

volumes:
  traefik-logs:

services:
  cloudflare-ddns:
    image: timothyjmiller/cloudflare-ddns:latest
    container_name: cloudflare-ddns
    security_opt:
      - no-new-privileges:true
    network_mode: "host"
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ./CloudflareDDNS/config.json:/config.json:ro
    restart: unless-stopped

  cloudflare-companion:
    image: tiredofit/traefik-cloudflare-companion:latest
    container_name: cloudflare-companion
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TRAEFIK_VERSION=2
      - CF_EMAIL=
      - CF_TOKEN=
      - TARGET_DOMAIN=ddns.domain.tld
      - DOMAIN1=domain.tld
      - DOMAIN1_PROXIED=true
      - DOMAIN1_ZONE_ID=
      #- DOCKER_HOST=tcp://198.51.100.32:2376
      #- DOCKER_CERT_PATH=/docker-certs
      #- DOCKER_TLS_VERIFY=1
    networks:
      - internal
      - services
    restart: unless-stopped

  KCPostgres:
    image: bitnami/postgresql:14
    container_name: keycloakDB
    restart: unless-stopped
    networks:
      - keycloakDB
    volumes:
      - ./postgres/data/postgres_data:/bitnami/postgresql/
    ports:
      - 5432:5432
    env_file:
      - ./postgres/KCpostgres.env
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U "]
      interval: 10s
      timeout: 5s
      retries: 5

  KCPBackup:
    image: bitnami/postgresql:14
    container_name: KCDBBackup
    networks:
      - keycloakDB
    volumes:
      - ./postgres/data/backup/:/dump/
    restart: unless-stopped
    environment:
      - PGHOST=KCPostgres
      - PGUSER=
      - PGPASSWORD=
      - BACKUP_NUM_KEEP=7
      - BACKUP_FREQUENCY=1d
    entrypoint: |
      bash -c 'bash -s < /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.psql
      (ls -t /dump/dump*.psql|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.psql)|sort|uniq -u|xargs rm -- {}
      sleep $$BACKUP_FREQUENCY
      done
      EOF'
    depends_on:
      KCPostgres:
        condition: service_healthy

  traefik:
    image: traefik:vacherin
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - services
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      - CF_API_EMAIL=
      #- CF_API_KEY=
      - CF_DNS_API_TOKEN=
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./Traefik/data/traefik.yml:/traefik.yml:ro
      - ./Traefik/data/acme.json:/acme.json
      - ./Traefik/data/config.yml:/config.yml:ro
      - ./Traefik/data/log:/var/log/traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.port=443
      - traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)
      - traefik.http.routers.redirs.entrypoints=http
      - traefik.http.routers.redirs.middlewares=redirect-to-https
      - traefik.http.routers.dashboard.rule=Host(`traefik.domain.tld`)
      - traefik.http.services.dashboard.loadbalancer.server.port=8080
```

Possible fixes

mariaWitch commented 2 years ago

I figured out the issue: you apparently need to point CF_TOKEN to your global API key, not your API_Token for the specific zone and domain. Perhaps clarifying this in the instructions would prevent people from encountering this issue.

tigerkzr commented 2 years ago

> I figured out the issue: you apparently need to point CF_TOKEN to your global API key, not your API_Token for the specific zone and domain. Perhaps clarifying this in the instructions would prevent people from encountering this issue.

Just want to note that you have to put the global API key in a file called "cf_token". Like an idiot, I kept trying to point my cf_api_key file at the CF_TOKEN env var...

Vinylwalk3r commented 1 year ago

I also want to comment that I had this exact issue. I found that creating an API token with the settings found below fixed it for me and it now works. Strange that the Global API token didn't work, but this does.

- Zone - DNS - Edit
- Zone - Zone Settings - Edit
- Zone - Zone - Edit
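Added example, not code from this project or from anyone in the thread: Cloudflare's v4 API takes a global API key as `X-Auth-Email` / `X-Auth-Key` headers and a scoped API token as `Authorization: Bearer`, so a credential of one kind sent under the other scheme is rejected. The sketch assumes the client picks the scheme from whether `CF_EMAIL` is set, and assumes the usual credential shapes (37 hex characters for a global key, 40 URL-safe characters for a token); `check_cf_env` and the sample values are hypothetical.

```python
import re

# Assumed credential shapes (not stated in the thread): a global API key is
# 37 hex characters, a scoped API token is 40 URL-safe characters.
GLOBAL_KEY_RE = re.compile(r"^[0-9a-f]{37}$")
API_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")

def credential_kind(secret):
    """Classify a secret by shape only; nothing is sent anywhere."""
    if GLOBAL_KEY_RE.match(secret):
        return "global_key"
    if API_TOKEN_RE.match(secret):
        return "api_token"
    return "unknown"

def auth_headers(email, secret):
    """Headers for the two schemes, chosen by e-mail presence (assumed rule)."""
    if email:
        return {"X-Auth-Email": email, "X-Auth-Key": secret}
    return {"Authorization": "Bearer " + secret}

def check_cf_env(env):
    """Return a list of findings for a CF_EMAIL / CF_TOKEN pair."""
    email = env.get("CF_EMAIL", "").strip()
    secret = env.get("CF_TOKEN", "").strip()
    if not secret:
        return ["CF_TOKEN is empty"]
    kind = credential_kind(secret)
    findings = []
    if email and kind == "api_token":
        findings.append("scoped token would be sent as X-Auth-Key: "
                        "unset CF_EMAIL so it goes out as a Bearer token")
    elif not email and kind == "global_key":
        findings.append("global key would be sent as a Bearer token: "
                        "set CF_EMAIL, or switch to a scoped token")
    if kind == "global_key":
        findings.append("global key grants full account access; a token "
                        "limited to DNS edit on the zone is narrower")
    if kind == "unknown":
        findings.append("CF_TOKEN matches neither expected shape")
    return findings

# Constructed sample values, not real credentials.
SAMPLE_TOKEN = "A" * 40
SAMPLE_KEY = "0123456789abcdef" * 2 + "01234"

if __name__ == "__main__":
    for email in ("me@example.com", ""):
        print(repr(email), check_cf_env({"CF_EMAIL": email, "CF_TOKEN": SAMPLE_TOKEN}))
```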