Cloudflare API Authentication
Overview
This document explains the Cloudflare API authentication methods used in the Comserv2 application and how to resolve common authentication issues.
Issue
The Cloudflare API integration may fail with one of the following errors:
- IP Restriction Error: "Cannot use the access token from location: [IP address]" (Error code: 9109)
- Authentication Error: "Authentication error" (Error code: 10000)
- Unknown API Key Error: "Unknown X-Auth-Key or X-Auth-Email" (Error code: 9103)
These errors occur when:
- The API token has IP address restrictions that prevent it from being used from the server
- The API token doesn't have the necessary permissions to access the requested resources
- The API key is invalid or has expired
Solution
The Comserv2 application has been updated to handle these authentication issues in the following ways:
- Enhanced Error Handling: Improved error messages for authentication failures with specific guidance based on the error type
- Fallback Mechanism: When API authentication fails, the system will use cached or mock DNS records to ensure the application continues to function
- Hardcoded Zone IDs: For known domains, the system uses hardcoded zone IDs to reduce dependency on API authentication
Fallback Mechanism
When Cloudflare API authentication fails, the system will:
- First try to use cached DNS records if available
- If no cached records are available, use mock DNS records with realistic values
- Log the authentication failure for troubleshooting
This ensures that the application continues to function even when the Cloudflare API is unavailable or authentication fails.
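The following Perl sketch is an added example, not Comserv2's own code: it classifies the three error codes listed under "Issue" from a Cloudflare v4 error body and then applies the cache-then-mock fallback order described above, tagging each result with its source so mock data is never mistaken for live DNS. The function names, the sample response and the mock record are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Guidance per error code; codes and causes are the ones listed on this page.
my %GUIDANCE = (
    9109  => 'token is IP-restricted: allow the server IP or issue a new token',
    10000 => 'token invalid, expired or under-privileged: issue a new token',
    9103  => 'API key not recognized: use an API token instead',
);

# Hypothetical helper: returns nothing on success, else { code, hint }.
sub classify_auth_error {
    my ($body) = @_;
    my $resp = eval { decode_json($body) };
    return { code => 0, hint => 'unparseable API response' } unless ref($resp) eq 'HASH';
    return if $resp->{success};
    for my $err (@{ $resp->{errors} || [] }) {
        next unless ref($err) eq 'HASH';
        my $code = $err->{code};
        return { code => $code, hint => $GUIDANCE{$code} }
            if defined $code && exists $GUIDANCE{$code};
    }
    return { code => 0, hint => 'unrecognized API failure' };
}

# Hypothetical helper: live -> cache -> mock, logging the failure and
# recording where the records came from so callers can tell them apart.
sub dns_records_with_fallback {
    my ($body, $cache, $mock) = @_;
    my $failure = classify_auth_error($body);
    return { source => 'live', records => decode_json($body)->{result} } unless $failure;
    warn "Cloudflare auth failure (code $failure->{code}): $failure->{hint}\n";
    return { source => 'cache', records => $cache, error => $failure } if $cache && @$cache;
    return { source => 'mock', records => $mock, error => $failure };
}

# Constructed sample in Cloudflare's v4 error envelope (not captured traffic).
my $denied = '{"success":false,"errors":[{"code":9109,"message":'
           . '"Cannot use the access token from location: 203.0.113.7"}],"result":null}';
my $mock = [ { type => 'A', name => 'example.test', content => '192.0.2.10' } ];  # constructed

my $out = dns_records_with_fallback($denied, [], $mock);   # empty cache forces the mock path
print "source=$out->{source} code=$out->{error}{code}\n";
```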
Creating a New API Token
To create a new Cloudflare API token without IP restrictions:
- Log in to your Cloudflare account at https://dash.cloudflare.com/
- Click on your profile icon in the top right corner and select "My Profile"
- In the left sidebar, click on "API Tokens"
- Click the "Create Token" button
- Select the "Edit zone DNS" template or create a custom token with the following permissions:
  - Zone > DNS > Edit
  - Zone > Zone > Read
- Under "Zone Resources", select the specific zones (domains) you want to manage
- Leave the "Client IP Address Filtering" section blank to allow access from any IP address
- Click "Continue to summary" and then "Create Token"
- Copy the generated token and update the cloudflare_config.json file
Troubleshooting
Testing API Authentication
You can test the Cloudflare API authentication using the provided test scripts:
# Test API token authentication
perl /home/shanta/PycharmProjects/comserv2/Comserv/script/test_cloudflare_token.pl
# Test domain-specific operations
perl /home/shanta/PycharmProjects/comserv2/Comserv/script/test_cloudflare_domain.pl
Common Issues and Solutions
- IP Restriction Error (Code: 9109)
  The API token has IP address restrictions that prevent it from being used from the server.
  Solution: Create a new API token without IP restrictions or add the server's IP address to the allowed list.
- Authentication Error (Code: 10000)
  The API token is invalid, has expired, or doesn't have the necessary permissions.
  Solution: Create a new API token with the correct permissions.
- Unknown API Key Error (Code: 9103)
  The API key is invalid or not recognized by Cloudflare.
  Solution: Use an API token instead of an API key, as API keys are being deprecated by Cloudflare.