Create Origin Cert via API -- do I need a CSR? Seems like I shouldn't.

I've tried both an API key and an Origin CA service key, but in both cases the API comes back saying "CSR parsed as empty", despite it being an optional field. Is there not a way to do this without generating a CSR manually in my script? https://developers.cloudflare.com/api/resources/origin_ca_certificates/ Here's the version using the Origin CA key:
# Base URL of the Cloudflare client API (v4); endpoint paths are appended to it.
CF_API_BASE = "https://api.cloudflare.com/client/v4"

# load_dotenv is imported outside this snippet; presumably python-dotenv, which
# copies entries from a local .env file into the process environment - confirm.
# A .env file holding credentials should stay out of version control.
load_dotenv()

# The Origin CA service key is a credential, read from the environment instead
# of being written into the script. The value is None when the variable is unset.
ORIGIN_CA_KEY = os.environ.get("ORIGIN_CA_KEY")

def get_headers(origin_ca_key):
    """Build the request headers for an Origin CA API call.

    Args:
        origin_ca_key: Origin CA service key, placed unchanged in the
            ``X-Auth-User-Service-Key`` header.

    Returns:
        A new dict holding the service-key header and a JSON ``Content-Type``.
    """
    # The dict carries a credential; avoid printing or logging it as a whole.
    headers = {}
    headers["X-Auth-User-Service-Key"] = origin_ca_key
    headers["Content-Type"] = "application/json"
    return headers

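def issue_origin_ca_cert(origin_ca_key, domains):
    """Request an Origin CA certificate for *domains* from the Cloudflare API.

    POSTs the hostnames, validity and request type to
    ``{CF_API_BASE}/certificates``, authenticating with the headers from
    ``get_headers(origin_ca_key)``.

    Args:
        origin_ca_key: Origin CA service key used for authentication.
        domains: hostnames to place on the certificate.

    Returns:
        ``(certificate, private_key, id)`` taken from the response ``result``
        on HTTP 200 (``id`` falls back to ``"new"``), or
        ``(None, None, None)`` after printing the response body on any other
        status. The private key is secret material: callers should store it
        with restrictive permissions and never print or log it.
    """
    url = f"{CF_API_BASE}/certificates"
    payload = {
        "hostnames": domains,
        # 5475 days is 15 years. A certificate that long-lived has to be
        # revoked and replaced if its private key is ever exposed.
        "requested_validity": 5475,
        "request_type": "origin-rsa",
        # NOTE(review): no "csr" field is sent. The log on this page shows the
        # API rejecting that with code 1007 "CSR parsed as empty", and the
        # author reports that supplying a locally generated CSR worked. A CSR
        # carries the public key to be signed, so generating it locally keeps
        # the private key on the machine that created it.
    }
    # A timeout keeps the script from hanging indefinitely on a stalled
    # connection; requests waits without limit when none is given.
    resp = requests.post(
        url,
        json=payload,
        headers=get_headers(origin_ca_key),
        timeout=30,
    )
    if resp.status_code != 200:
        print(f"[ERROR] Cloudflare API error (issue origin ca cert): {resp.text}")
        return None, None, None
    result = resp.json()["result"]
    # NOTE(review): if the key pair is generated locally for the CSR, the
    # response is not expected to carry a "private_key" entry and this lookup
    # would raise KeyError - confirm against the API reference.
    return result["certificate"], result["private_key"], result.get("id", "new")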
# Base URL of the Cloudflare client API (v4); endpoint paths are appended to it.
CF_API_BASE = "https://api.cloudflare.com/client/v4"

# load_dotenv is imported outside this snippet; presumably python-dotenv, which
# copies entries from a local .env file into the process environment - confirm.
# A .env file holding credentials should stay out of version control.
load_dotenv()

# The Origin CA service key is a credential, read from the environment instead
# of being written into the script. The value is None when the variable is unset.
ORIGIN_CA_KEY = os.environ.get("ORIGIN_CA_KEY")

def get_headers(origin_ca_key):
    """Build the request headers for an Origin CA API call.

    Args:
        origin_ca_key: Origin CA service key, placed unchanged in the
            ``X-Auth-User-Service-Key`` header.

    Returns:
        A new dict holding the service-key header and a JSON ``Content-Type``.
    """
    # The dict carries a credential; avoid printing or logging it as a whole.
    headers = {}
    headers["X-Auth-User-Service-Key"] = origin_ca_key
    headers["Content-Type"] = "application/json"
    return headers

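def issue_origin_ca_cert(origin_ca_key, domains):
    """Request an Origin CA certificate for *domains* from the Cloudflare API.

    POSTs the hostnames, validity and request type to
    ``{CF_API_BASE}/certificates``, authenticating with the headers from
    ``get_headers(origin_ca_key)``.

    Args:
        origin_ca_key: Origin CA service key used for authentication.
        domains: hostnames to place on the certificate.

    Returns:
        ``(certificate, private_key, id)`` taken from the response ``result``
        on HTTP 200 (``id`` falls back to ``"new"``), or
        ``(None, None, None)`` after printing the response body on any other
        status. The private key is secret material: callers should store it
        with restrictive permissions and never print or log it.
    """
    url = f"{CF_API_BASE}/certificates"
    payload = {
        "hostnames": domains,
        # 5475 days is 15 years. A certificate that long-lived has to be
        # revoked and replaced if its private key is ever exposed.
        "requested_validity": 5475,
        "request_type": "origin-rsa",
        # NOTE(review): no "csr" field is sent. The log on this page shows the
        # API rejecting that with code 1007 "CSR parsed as empty", and the
        # author reports that supplying a locally generated CSR worked. A CSR
        # carries the public key to be signed, so generating it locally keeps
        # the private key on the machine that created it.
    }
    # A timeout keeps the script from hanging indefinitely on a stalled
    # connection; requests waits without limit when none is given.
    resp = requests.post(
        url,
        json=payload,
        headers=get_headers(origin_ca_key),
        timeout=30,
    )
    if resp.status_code != 200:
        print(f"[ERROR] Cloudflare API error (issue origin ca cert): {resp.text}")
        return None, None, None
    result = resp.json()["result"]
    # NOTE(review): if the key pair is generated locally for the CSR, the
    # response is not expected to carry a "private_key" entry and this lookup
    # would raise KeyError - confirm against the API reference.
    return result["certificate"], result["private_key"], result.get("id", "new")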
[INFO] Starting process for 1 domain(s).
[ACTION] Issuing new origin ca cert for redacated.com and *.redacated.com...
[ERROR] Cloudflare API error (issue origin ca cert): {"success":false,"messages":[],"errors":[{"code":1007,"message":"CSR parsed as empty"}],"result":{},"result_info":{"count":0,"total_count":0}}
[ERROR] Could not create or save new origin ca cert for redacated.com.
[INFO] Done.
[INFO] Starting process for 1 domain(s).
[ACTION] Issuing new origin ca cert for redacated.com and *.redacated.com...
[ERROR] Cloudflare API error (issue origin ca cert): {"success":false,"messages":[],"errors":[{"code":1007,"message":"CSR parsed as empty"}],"result":{},"result_info":{"count":0,"total_count":0}}
[ERROR] Could not create or save new origin ca cert for redacated.com.
[INFO] Done.
RubenatorOP•2w ago
I get the same error in response to this variation:
# Both credentials come from the environment, so neither is written into the
# script. Each name is None when its variable is unset.
ORIGIN_CA_KEY = os.environ.get("ORIGIN_CA_KEY")
CLOUDFLARE_TOKEN = os.environ.get("CLOUDFLARE_TOKEN")

def get_headers(origin_ca_key=None, api_token=None):
    """Build request headers carrying exactly one credential, if any is given.

    Args:
        origin_ca_key: Origin CA service key; when truthy it is sent in
            ``X-Auth-User-Service-Key`` and ``api_token`` is ignored.
        api_token: API token; used as a ``Bearer`` value in ``Authorization``
            only when no service key was given.

    Returns:
        A new dict with a JSON ``Content-Type`` plus at most one
        authentication header.
    """
    base = {"Content-Type": "application/json"}
    # The service key takes precedence, so the two credentials are never sent
    # on the same request.
    if origin_ca_key:
        return {**base, "X-Auth-User-Service-Key": origin_ca_key}
    if api_token:
        return {**base, "Authorization": f"Bearer {api_token}"}
    return base
# Both credentials come from the environment, so neither is written into the
# script. Each name is None when its variable is unset.
ORIGIN_CA_KEY = os.environ.get("ORIGIN_CA_KEY")
CLOUDFLARE_TOKEN = os.environ.get("CLOUDFLARE_TOKEN")

def get_headers(origin_ca_key=None, api_token=None):
    """Build request headers carrying exactly one credential, if any is given.

    Args:
        origin_ca_key: Origin CA service key; when truthy it is sent in
            ``X-Auth-User-Service-Key`` and ``api_token`` is ignored.
        api_token: API token; used as a ``Bearer`` value in ``Authorization``
            only when no service key was given.

    Returns:
        A new dict with a JSON ``Content-Type`` plus at most one
        authentication header.
    """
    base = {"Content-Type": "application/json"}
    # The service key takes precedence, so the two credentials are never sent
    # on the same request.
    if origin_ca_key:
        return {**base, "X-Auth-User-Service-Key": origin_ca_key}
    if api_token:
        return {**base, "Authorization": f"Bearer {api_token}"}
    return base
Or both! for fun!
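def get_headers(origin_ca_key=None, api_token=None):
    """Build request headers carrying the service key and the API token.

    Each argument falls back to the matching module-level value
    (``ORIGIN_CA_KEY`` / ``CLOUDFLARE_TOKEN``) when left as ``None``, so a bare
    ``get_headers()`` call still sends both credentials. Previously the
    arguments were ignored altogether.

    Args:
        origin_ca_key: Origin CA service key for ``X-Auth-User-Service-Key``.
        api_token: API token sent as ``Authorization: Bearer <token>``.

    Returns:
        A new dict with a JSON ``Content-Type`` and one header per credential
        that is set. An unset or empty credential is left out instead of being
        sent as ``None`` or as the literal ``"Bearer None"``.
    """
    if origin_ca_key is None:
        origin_ca_key = ORIGIN_CA_KEY
    if api_token is None:
        api_token = CLOUDFLARE_TOKEN

    headers = {"Content-Type": "application/json"}
    # NOTE(review): sending two credentials on one request exposes both to the
    # endpoint and to any request logging on the way. One credential is
    # normally enough - confirm which one the endpoint expects and send only
    # that.
    if origin_ca_key:
        headers["X-Auth-User-Service-Key"] = origin_ca_key
    if api_token:
        headers["Authorization"] = f"Bearer {api_token}"
    return headers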
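def get_headers(origin_ca_key=None, api_token=None):
    """Build request headers carrying the service key and the API token.

    Each argument falls back to the matching module-level value
    (``ORIGIN_CA_KEY`` / ``CLOUDFLARE_TOKEN``) when left as ``None``, so a bare
    ``get_headers()`` call still sends both credentials. Previously the
    arguments were ignored altogether.

    Args:
        origin_ca_key: Origin CA service key for ``X-Auth-User-Service-Key``.
        api_token: API token sent as ``Authorization: Bearer <token>``.

    Returns:
        A new dict with a JSON ``Content-Type`` and one header per credential
        that is set. An unset or empty credential is left out instead of being
        sent as ``None`` or as the literal ``"Bearer None"``.
    """
    if origin_ca_key is None:
        origin_ca_key = ORIGIN_CA_KEY
    if api_token is None:
        api_token = CLOUDFLARE_TOKEN

    headers = {"Content-Type": "application/json"}
    # NOTE(review): sending two credentials on one request exposes both to the
    # endpoint and to any request logging on the way. One credential is
    # normally enough - confirm which one the endpoint expects and send only
    # that.
    if origin_ca_key:
        headers["X-Auth-User-Service-Key"] = origin_ca_key
    if api_token:
        headers["Authorization"] = f"Bearer {api_token}"
    return headers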
Just installed the cloudflare python library... same result:
def issue_origin_cert(client, domains):
    """Issue an Origin CA certificate through a Cloudflare client object.

    Args:
        client: object exposing ``origin_ca_certificates.create`` (the
            cloudflare Python library client, per the surrounding post).
        domains: hostnames passed to the call as ``hostnames``.

    Returns:
        ``(certificate, private_key, id)`` read from the created object, or
        ``(None, None, None)`` after printing the error when anything raises.
        The private key is secret material; callers should not print or log it.
    """
    request = {
        "hostnames": domains,
        "requested_validity": 5475,  # days; 5475 / 365 = 15 years
        "request_type": "origin-rsa",
    }
    try:
        issued = client.origin_ca_certificates.create(**request)
        # NOTE(review): no CSR is passed; the output on this page shows the API
        # answering 400 / code 1007 "CSR parsed as empty" for this call. If the
        # CSR and key pair are generated locally instead, the returned object
        # may have no private_key attribute - confirm against the library.
        outcome = (issued.certificate, issued.private_key, issued.id)
    except Exception as exc:
        # Deliberately broad: any failure is reported and turned into the
        # all-None result the caller checks for.
        print(f"[ERROR] Could not issue new origin CA cert: {exc}")
        outcome = (None, None, None)
    return outcome
def issue_origin_cert(client, domains):
    """Issue an Origin CA certificate through a Cloudflare client object.

    Args:
        client: object exposing ``origin_ca_certificates.create`` (the
            cloudflare Python library client, per the surrounding post).
        domains: hostnames passed to the call as ``hostnames``.

    Returns:
        ``(certificate, private_key, id)`` read from the created object, or
        ``(None, None, None)`` after printing the error when anything raises.
        The private key is secret material; callers should not print or log it.
    """
    request = {
        "hostnames": domains,
        "requested_validity": 5475,  # days; 5475 / 365 = 15 years
        "request_type": "origin-rsa",
    }
    try:
        issued = client.origin_ca_certificates.create(**request)
        # NOTE(review): no CSR is passed; the output on this page shows the API
        # answering 400 / code 1007 "CSR parsed as empty" for this call. If the
        # CSR and key pair are generated locally instead, the returned object
        # may have no private_key attribute - confirm against the library.
        outcome = (issued.certificate, issued.private_key, issued.id)
    except Exception as exc:
        # Deliberately broad: any failure is reported and turned into the
        # all-None result the caller checks for.
        print(f"[ERROR] Could not issue new origin CA cert: {exc}")
        outcome = (None, None, None)
    return outcome
[ERROR] Could not issue new origin CA cert: Error code: 400 - {'success': False, 'messages': [], 'errors': [{'code': 1007, 'message': 'CSR parsed as empty'}], 'result': {}, 'result_info': {'count': 0, 'total_count': 0}}
[ERROR] Could not issue new origin CA cert: Error code: 400 - {'success': False, 'messages': [], 'errors': [{'code': 1007, 'message': 'CSR parsed as empty'}], 'result': {}, 'result_info': {'count': 0, 'total_count': 0}}
fwiw, manually generating the CSR and sticking it in worked, but can someone explain why it's required for Origin CA certificates, when there should be sufficient options/defaults for the API to auto-generate one? 🤔 Or am I "trippin"™?
