Automate DNS-01 with Cloudflare

Connecting Cloudflare lets aethercert create and remove the DNS TXT records ACME uses for DNS-01 validation automatically - required for wildcard certificates, and useful for any hostname that isn't (yet) reachable over HTTP.

1. Create a scoped API token in Cloudflare

  1. Sign in to the Cloudflare dashboard and open My Profile > API Tokens.
  2. Click Create Token, then Create Custom Token.
  3. Add two permissions: Zone / DNS / Edit and Zone / Zone / Read. Both are required - Zone:Read is needed to look up the zone ID before DNS:Edit can create the TXT record.
  4. Under Zone Resources, scope the token to the specific zone (domain) you'll use with aethercert - avoid an account-wide token if you only need one domain.
  5. Click Continue to summary, then Create Token, and copy it - Cloudflare only shows it once.

2. Connect it in aethercert

  1. Make sure the domain is already added and verified under Build > Domains (or Manage > Domains if it's an existing one).
  2. On that domain's setup step 2 ("DNS provider"), choose Cloudflare from the provider dropdown.
  3. Paste the token into API token.
  4. Click Test & save - aethercert verifies the token actually has access to the zone before saving it. If verification fails, double check both permissions and the zone scope from step 1.

3. Use it

Any certificate you create for this domain (or its subdomains) can now use DNS-01, including wildcards. The token is stored write-only - it's never displayed back in the dashboard once saved, only used server-side to solve challenges.