os-ddclient Cloudflare API Key
Important notices Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
Describe the bug With the latest update 22.1.1_1, the Cloudflare DNS update only works with the Global API key; it fails with an API token that has DNS edit permission for the zone. With the older plugin (DynDNS) I could create an API token with edit access to a specific DNS zone and it used to work fine. The current method of using the Global API key is very unsafe and might lead to security issues, as the Global API key has full admin access to your Cloudflare account.
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce Steps to reproduce the behavior: As specified above
Expected behavior DNS update should work with specific API token/key and not with Global API key
Screenshots None
Relevant log files None
Additional context None
Environment 22.1.1_1
Commenting to show interest. I also am still using the legacy os-dyndns plugin since I cannot use Cloudflare api tokens with this new plugin.
Here is the part relevant to this change from the Cloudflare API documentation:

| Credential | Header | Description |
| --- | --- | --- |
| API Key | X-Auth-Key | API key generated on the "My Account" page |
| Email | X-Auth-Email | Email address associated with your account |
| User Service Key | X-Auth-User-Service-Key | A special Cloudflare API key good for a restricted set of endpoints. Always begins with "v1.0-", may vary in length. |
This appears to be an issue regarding ddclient more than OPNSense. It seems like we don't know when the next release will be coming (https://github.com/ddclient/ddclient/issues/272)
Version bump request on ddclient (https://github.com/ddclient/ddclient/issues/361)
It is marked as fixed in the next release, so maybe we can get a new ddclient built from the current src?
Just chiming in that I am experiencing the same issue. I will transition back to the legacy client for now.
bumping and subscribing. Though it really is a matter for ddclient to release its next release.
Seem to be running into this issue as well.
Same issue here. I just uninstalled the os-ddclient plugin as, unfortunately, it's useless to me without this feature.
I also need a solution for this....
This is a shame. I decided to make the leap from pfsense and was stopped dead in my tracks due to this. I had to revert. I love the interface of opnsense, but it's nothing if it doesn't work with the packages that I need. 🙃
you can still use the old plugin, even both at the same time, just wait until the new plugin has all the features of the old one
This is very necessary for me, as I'm pretty sure even if I wanted to use username/password 2FA would get in the way of that.
Looking at the code of ddclient, it seems like if you use `token` as the username and your Cloudflare API token as the password, it uses the `Authentication: Bearer` header as opposed to the `X-Auth-` headers to talk to the Cloudflare API. I've not tried it yet, but plan to.

https://github.com/ddclient/ddclient/blob/11a583b003920f8e15591813598b70061d1a4654/ddclient.in#L4764-L4766
It should, it's been in the code for 2+ years. Perhaps a checkbox which makes this more user friendly can still be implemented? This is a "solution", but 10 of the 11 participants of this issue didn't find it until you posted that, and if this issue is closed it will likely be harder to find this issue as a method of finding that.
https://github.com/ddclient/ddclient/issues/361
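To make the workaround concrete, here is an added ddclient.conf fragment (example configuration, not taken from the OPNsense plugin or the ddclient project) showing the Global API Key stanza the plugin currently produces next to the scoped-token stanza that the `login=token` rule selects. The zone, hostname and credential placeholders are assumed values:

```conf
# --- Weak: account e-mail plus Global API Key (full account access) ---
protocol=cloudflare, \
zone=example.com, \
login=admin@example.com, \
password=<Global API Key>
home.example.com

# --- Preferred: scoped API token; login must literally be "token" ---
# Create the token with only Zone:DNS:Edit on example.com.
protocol=cloudflare, \
zone=example.com, \
login=token, \
password=<API token with Zone:DNS:Edit on example.com>
home.example.com
```

With the second stanza ddclient sends `Authorization: Bearer <token>` and no `X-Auth-Email`/`X-Auth-Key` headers, so the Global API Key never needs to be stored on the firewall.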
Ah, I see. ddclient hasn't had a release since 3.9.1 and the Cloudflare API token support was added just after that release. So, that begs the question why opnsense are switching to ddclient as it's not been released for over 2 years, and regresses the existing functionality? How are other projects doing this? Are they pulling direct from the ddclient repo and not relying on releases?
Come again? Please tell me dyndns is even more out of date...
Yep, dyndns is much, MUCH more out of date! 2014, I think, was the last code change.

https://git.savannah.nongnu.org/cgit/perl-dyndns.git
Alright that's much better. Still though should probably be swapping to something that's still receiving updates instead of replacing a horse and buggy with a crank-start car
likely caused by people only complaining and not a lot of people working on these topics, in which case the lack of commercial interest doesn't help either.
Fair enough.
I think ddclient is still getting updates and is being maintained, just no-one seems to be releasing the updates in versioned releases, so this isn't being picked up downstream by FreeBSD and OPNsense.
Well, my previous point still remains: a change to the UI to add a checkbox which just puts the username as `token` (and hides it), and labels the password box "API Token", shouldn't be difficult to implement and would avoid much confusion and future complaining.
Developed, not being released (https://github.com/ddclient/ddclient/tags), hence the tickets asking for a release. 3.9.1 is the version most distros ship.
This is the only situation where I need to use my global API key and also would like to see this fixed. Looking at the project of ddclient there is already an issue and fix but still open and not in a release yet. Does have label fixed in next release. Hope this gets released some time soon so opnsense can implement this.
https://github.com/ddclient/ddclient/issues/361
This obviously isn't a long-term fix, but I modified my local ddclient script to work with the changes until the official version is updated. Starting at line 4566, my file now looks like this:

```perl
# Choose the Cloudflare auth headers from the configured login/password.
# A login of "token" means the password is a scoped API token and is sent
# as a Bearer credential; any other login is treated as the account e-mail
# plus Global API Key. (This variant still emits "X-Auth-Email: token"
# alongside the Bearer header.)
my $headers = "X-Auth-Email: $config{$key}{'login'}\n";
if ($config{$key}{'login'} eq 'token') {
    $headers .= "Authorization: Bearer $config{$key}{'password'}\n";
} else {
    $headers .= "X-Auth-Key: $config{$key}{'password'}\n";
}
$headers .= "Content-Type: application/json";
```
Thanks for this info! I just tried setting this up today for the first time, and was banging my head trying to switch from global API key, and this worked perfectly. I know it's a temporary fix, but still glad to have it!
Modifying /usr/local/sbin/ddclient as above worked for me on OPNsense 22.1.10-amd64.
@ilium007 I assume you have made changes in /usr/local/sbin/ddclient (and not in /usr/local/opnsense/version/ddclient), right?
I had to slightly modify the script (based on the above suggestions) to make it work with an API token in OPNsense.

file: /usr/local/sbin/ddclient
lines: 4566-4573

```perl
# Send either the Bearer token or the e-mail + Global API Key pair, never
# both: with login "token" no X-Auth-Email header is emitted at all.
my $headers = "";
if ($config{$key}{'login'} eq 'token') {
    $headers .= "Authorization: Bearer $config{$key}{'password'}\n";
} else {
    $headers .= "X-Auth-Email: $config{$key}{'login'}\n";
    $headers .= "X-Auth-Key: $config{$key}{'password'}\n";
}
$headers .= "Content-Type: application/json";
```

PS: make sure the DNS record exists before using ddclient, otherwise you'd get an error:

```
FAILED: updating ip: No DNS record ID found.
```
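The two patches above only change which headers are built; the rest of ddclient's Cloudflare flow (look up the zone, look up the existing record, then PUT the new address) is what produces the `No DNS record ID found.` failure when the record is missing. The following is an added Python model of that flow, written for this thread and not code from ddclient or OPNsense. It reuses the `login == 'token'` selection rule, refuses to create records just as ddclient does, and runs offline against a constructed stand-in for api.cloudflare.com; all credentials, zone and record identifiers in `FakeCloudflare` are made up, and the endpoint paths are the public Cloudflare v4 ones:

```python
"""Offline model of the ddclient Cloudflare update flow as patched in this
thread (example code, not ddclient's or OPNsense's own)."""
from typing import Callable, Dict, Optional, Tuple

API = "https://api.cloudflare.com/client/v4"
# transport(method, url, headers, json_body) -> (http_status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class UpdateError(Exception):
    pass


def build_headers(login: str, password: str) -> Dict[str, str]:
    """Same selection rule as the patched ddclient: login 'token' means the
    password is a scoped API token sent as a Bearer credential; anything
    else is treated as account e-mail plus Global API Key."""
    headers = {"Content-Type": "application/json"}
    if login == "token":
        headers["Authorization"] = f"Bearer {password}"
    else:
        headers["X-Auth-Email"] = login
        headers["X-Auth-Key"] = password
    return headers


def update_record(transport: Transport, login: str, password: str,
                  zone: str, host: str, ip: str, rtype: str = "A") -> str:
    """Zone lookup, record lookup, then PUT; never creates a record, which
    is why a missing record surfaces as 'No DNS record ID found.'"""
    h = build_headers(login, password)
    status, body = transport("GET", f"{API}/zones?name={zone}", h, None)
    if status in (401, 403):
        raise UpdateError(f"authentication rejected: {body.get('errors')}")
    if status != 200 or not body.get("result"):
        raise UpdateError(f"zone {zone} not found or not readable with this credential")
    zone_id = body["result"][0]["id"]
    status, body = transport(
        "GET", f"{API}/zones/{zone_id}/dns_records?type={rtype}&name={host}", h, None)
    if status != 200 or not body.get("result"):
        raise UpdateError("No DNS record ID found.")
    rec = body["result"][0]
    if rec["content"] == ip:
        return "unchanged"
    payload = {"type": rtype, "name": host, "content": ip,
               "ttl": rec.get("ttl", 1), "proxied": rec.get("proxied", False)}
    status, body = transport("PUT", f"{API}/zones/{zone_id}/dns_records/{rec['id']}", h, payload)
    if status != 200 or not body.get("success"):
        raise UpdateError(f"update rejected: {body.get('errors')}")
    return "updated"


def run(transport: Transport, login: str, password: str, zone: str, host: str, ip: str) -> str:
    """Wrapper that reports failures in ddclient's log wording."""
    try:
        return update_record(transport, login, password, zone, host, ip)
    except UpdateError as exc:
        return f"FAILED: updating ip: {exc}"


class FakeCloudflare:
    """Constructed stand-in for api.cloudflare.com (every credential and
    identifier below is made up) so the flow can be exercised offline."""

    def __init__(self) -> None:
        self.email, self.global_key = "admin@example.com", "globalkey-example"
        self.scoped_token = "scoped-token-example"
        self.token_scopes = {self.scoped_token: {"zone1"}}   # token may edit zone1 only
        self.zones = {"example.com": "zone1"}
        self.records = {("zone1", "A", "home.example.com"):
                        {"id": "rec1", "content": "198.51.100.1", "ttl": 1, "proxied": False}}

    def _authorised(self, headers: Dict[str, str], zone_id: Optional[str]) -> bool:
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            scopes = self.token_scopes.get(auth[7:])
            return scopes is not None and (zone_id is None or zone_id in scopes)
        return (headers.get("X-Auth-Email") == self.email
                and headers.get("X-Auth-Key") == self.global_key)

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[dict]) -> Tuple[int, dict]:
        path, _, query = url[len(API):].partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if p)
        parts = path.strip("/").split("/")           # e.g. zones/zone1/dns_records/rec1
        zone_id = parts[1] if len(parts) > 1 else None
        if not self._authorised(headers, zone_id):
            return 403, {"success": False, "result": None,
                         "errors": [{"code": 10000, "message": "Authentication error"}]}
        if method == "GET" and parts == ["zones"]:
            zid = self.zones.get(params.get("name", ""))
            visible = [{"id": zid, "name": params["name"]}] if zid and self._authorised(headers, zid) else []
            return 200, {"success": True, "result": visible}
        if method == "GET" and parts[2:] == ["dns_records"]:
            rec = self.records.get((zone_id, params.get("type"), params.get("name")))
            return 200, {"success": True, "result": [rec] if rec else []}
        if method == "PUT" and len(parts) == 4 and parts[2] == "dns_records":
            key = (zone_id, body["type"], body["name"])
            if key not in self.records or self.records[key]["id"] != parts[3]:
                return 404, {"success": False, "errors": [{"message": "Record not found"}]}
            self.records[key].update(content=body["content"], ttl=body["ttl"], proxied=body["proxied"])
            return 200, {"success": True, "result": self.records[key]}
        return 405, {"success": False, "errors": [{"message": "unsupported in this fake"}]}
```

Swapping `FakeCloudflare()` for a real transport (for instance a thin wrapper around `urllib.request`) gives a quick way to confirm that a freshly minted scoped token can see the zone and the record before pointing ddclient at it; Cloudflare also exposes `GET /client/v4/user/tokens/verify`, which reports whether a Bearer token is active without touching any zone.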
Yes, copy and paste error. I’ll edit above to avoid any confusion.