
Certificate Transparency Monitoring

Cloudflare offers CT monitoring of certificates issued to a zone which is hosted there. This is quite nifty as you can monitor whenever a new certificate is issued and verify if it is in a valid context.

Now that it has become so ubiquitous to get free certificates it has also become easier for someone to abuse it. There are many articles surrounding this topic, so I will not get more into it here.

Web UI

You can find the setting in Cloudflare's web UI under each zone (domain) here:

and on the right you find the on/off toggle:

The Problem

It is nice to have a fine web UI where you can perform “click-ops”, but it becomes very tedious when you have more than a couple of domains, and impossible to handle when we talk hundreds.

Also, when new domains get imported you have to remember to switch it on. With the menu option buried so deep under not-so-intuitive naming, you easily forget it when things move fast.

The Solution

The solution is of course the API :-)

It is not very well documented in Cloudflare's API documentation (as in, not at all), so I had to spend a lot of time just finding the damn endpoint. With the help of the community I was pointed in the right direction and found it:

/client/v4/zones/"zoneid"/ct/alerting

The endpoint takes a PATCH verb with a simple JSON body:

-H "Content-Type: application/json" --data '{"enabled":true}'

It was then trivial to make a script to go through all the zones and set the flag.

As Cloudflare paginates the output of the zone query, I've accounted for the output spanning multiple pages. The maximum number of zones you can get per page is 50, so if you have more than that you will not get all the zones in one call. The script uses the default per_page value (20) and then makes as many calls as needed to fetch all pages. You can get more per page by adding “&per_page=xxx” like this:

/client/v4/zones?page=$page&per_page=xxx

The Script

The script takes three parameters:

  • “dns_auth_token” - the API token used for querying zone IDs and names.
  • “ct_auth_token” - the API token with permission to toggle the CT switch for a zone.
  • “toggle” - whether to enable (true) or disable (false) CT Monitoring for the zone.

#!/bin/bash
dns_auth_token="zzz"   # API token that may list zones (IDs and names)
ct_auth_token="xxx"    # API token that may toggle CT monitoring on a zone
toggle="true"          # "true" to enable, "false" to disable
page=0
output_count=1

# Collect every zone ID. Cloudflare returns 20 zones per page by default,
# so keep requesting pages until one comes back empty.
while [ "$output_count" -gt 0 ]
do
        ((page=page+1))
        x=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?page=$page" -H "Authorization: Bearer $dns_auth_token" | jq -r '.result[] | "\(.id)"')
        output_count=$(echo "$x" | wc -w)
        zone_list="$zone_list $x"
done

# Report how many zones were found, then toggle CT monitoring on each one.
echo "$zone_list" | wc -w
for i in $zone_list
do
        echo "$i"
        name=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$i" -H "Authorization: Bearer $ct_auth_token" | jq -r '.result.name')
        curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/$i/ct/alerting" -H "Authorization: Bearer $ct_auth_token" -H "Content-Type: application/json" --data '{"enabled":'"$toggle"'}'
        echo " $name set to $toggle"
done
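The same procedure in Python, added here as an illustration and not part of the original script: it walks the paginated zone list using the total_pages field of Cloudflare's standard result_info envelope (an assumption about the response shape, not something the page states), stops with an error on a success:false response instead of silently treating it as "no more zones" the way the empty-page loop above does, and sends the same {"enabled": ...} PATCH. The transport is pluggable; FAKE_PAGES and fake_transport are constructed sample data so it runs offline.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def http_json(method, url, token, body=None):
    """Real transport: HTTPS call with a Bearer token; returns the parsed JSON envelope."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def list_zones(token, per_page=50, transport=http_json):
    """Collect (zone_id, zone_name) over every page of GET /zones. Stops on
    result_info.total_pages instead of on an empty page, and raises on a
    success:false envelope so a bad token is not mistaken for "no zones"."""
    zones, page = [], 1
    while True:
        env = transport("GET", f"{API}/zones?page={page}&per_page={per_page}", token)
        if not env.get("success"):
            raise RuntimeError(f"GET /zones page {page} failed: {env.get('errors')}")
        zones.extend((z["id"], z["name"]) for z in env["result"])
        if page >= env["result_info"]["total_pages"]:
            return zones
        page += 1

def set_ct_alerting(token, zone_id, enabled, transport=http_json):
    """PATCH /zones/{id}/ct/alerting with {"enabled": true|false}; returns success."""
    env = transport("PATCH", f"{API}/zones/{zone_id}/ct/alerting", token, {"enabled": bool(enabled)})
    return bool(env.get("success"))

def toggle_all(dns_token, ct_token, enabled, transport=http_json):
    """Apply the toggle to every zone; returns {zone_name: success}."""
    return {name: set_ct_alerting(ct_token, zid, enabled, transport)
            for zid, name in list_zones(dns_token, transport=transport)}

# Constructed offline stand-in for the API: two pages of one zone each.
FAKE_PAGES = {
    1: {"success": True, "result": [{"id": "z1", "name": "alpha.example"}],
        "result_info": {"page": 1, "total_pages": 2}},
    2: {"success": True, "result": [{"id": "z2", "name": "beta.example"}],
        "result_info": {"page": 2, "total_pages": 2}},
}

def fake_transport(method, url, token, body=None):
    if method == "GET":  # "?page=N" is unique in the URL, so this split is safe
        return FAKE_PAGES[int(url.split("?page=")[1].split("&")[0])]
    return {"success": True, "result": {"enabled": body["enabled"]}}
```

Call toggle_all("<dns token>", "<ct token>", True) without the transport argument to run it against the real API.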
howtos/enable_or_disable_certificate_transparency_monitoring_via_api.txt · Last modified: 24/06/2022 14:59 by domingo