DNS, SSL & CDN Integrations
In brief
DNS, SSL & CDN Integrations automates Let's Encrypt certificate issuance and renewal, manages Cloudflare DNS zones and records, verifies custom domain ownership for federation/club sites with TXT or CNAME challenges, supports wildcard certificates, and deploys Cloudflare Workers for edge logic — so every CMS site can ship under its own domain with TLS in minutes.
How it works
AcmeCertificate handles the ACME v2 protocol against Let's Encrypt: each certificate document captures the domains list, ACME account binding, current order state (pending → ready → valid → revoked), challenge type (HTTP-01 for single hostnames, DNS-01 for wildcards), private key reference in Key Vault, issued_at, and not_after; a renewal scheduler opens a renewal order 30 days before expiry, swaps the live cert atomically once the new one validates, and falls back to the previous cert if validation fails. CloudflareDnsZone wraps a Cloudflare zone — zone_id, name, status (pending, active, paused), nameservers, plan — with CRUD endpoints that proxy to the Cloudflare API and cache the resulting state. CloudflareDnsRecord enumerates A, AAAA, CNAME, MX, TXT, NS, and SRV records under each zone, each with content, ttl, proxied flag and priority (for MX/SRV), and provides an idempotent upsert that diff-applies records in batch.
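The renewal window, the "ready before live" rule and the atomic swap with rollback described above, as an added example that is not the platform's own code. CertRecord, CertStore, covers, needs_renewal and renew_and_swap are names assumed for this illustration; the clock and the certificates are constructed. The wildcard matching is included because a renewal that only ordered *.boule.example.fr must not replace a live cert that also covered the apex.

```python
"""Added example, not the platform's own code: renewal scheduling and the
atomic live-certificate swap with rollback described for AcmeCertificate.
CertRecord, CertStore, covers, needs_renewal and renew_and_swap are names
assumed for this illustration; the clock and certificates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RENEWAL_WINDOW = timedelta(days=30)               # renew 30 days before not_after
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed clock


@dataclass
class CertRecord:
    domains: list              # SANs, may include a wildcard entry
    state: str                 # pending -> ready -> valid -> revoked
    key_ref: str               # Key Vault reference; the key never leaves the vault
    issued_at: datetime
    not_after: datetime


@dataclass
class CertStore:
    live: Optional[CertRecord] = None
    previous: Optional[CertRecord] = None   # kept so a swap can be undone
    history: list = field(default_factory=list)


def covers(domains, hostname) -> bool:
    """A wildcard entry matches exactly one label and never the apex itself."""
    host = hostname.lower().rstrip(".")
    for name in domains:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                       # ".boule.example.fr"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def needs_renewal(cert, now=NOW) -> bool:
    """True inside the renewal window (or once the cert has already expired)."""
    return now >= cert.not_after - RENEWAL_WINDOW


def validate_candidate(cert, required_hosts, now=NOW) -> bool:
    """The order must have reached 'ready', be valid now, and cover every host
    the site serves; a cert missing a name must never replace the live one."""
    return (cert.state == "ready"
            and cert.issued_at <= now < cert.not_after
            and all(covers(cert.domains, h) for h in required_hosts))


def renew_and_swap(store, candidate, required_hosts, now=NOW) -> bool:
    """Cut over in one reference assignment, and only after validation; on
    failure the previous cert simply stays live (the rollback is a no-op)."""
    if not validate_candidate(candidate, required_hosts, now):
        store.history.append(f"rejected {candidate.key_ref}; kept {store.live.key_ref}")
        return False
    candidate.state = "valid"
    store.previous, store.live = store.live, candidate   # single atomic swap
    store.history.append(f"swapped to {candidate.key_ref}")
    return True


def make_cert(domains, key_ref, issued_days_ago, valid_days, state="ready"):
    issued = NOW - timedelta(days=issued_days_ago)
    return CertRecord(domains, state, key_ref, issued, issued + timedelta(days=valid_days))


def demo():
    hosts = ["boule.example.fr", "news.boule.example.fr"]
    # Live cert is 65 days into a 90-day lifetime: 25 days left, so it is due.
    store = CertStore(live=make_cert(hosts, "kv/cert-v1", 65, 90, state="valid"))
    due = needs_renewal(store.live)
    # First renewal order only asked for the wildcard and forgot the apex.
    wildcard_only = make_cert(["*.boule.example.fr"], "kv/cert-v2", 0, 90)
    first = renew_and_swap(store, wildcard_only, hosts)
    # Second order covers apex plus wildcard and goes live.
    complete = make_cert(["boule.example.fr", "*.boule.example.fr"], "kv/cert-v3", 0, 90)
    second = renew_and_swap(store, complete, hosts)
    return {"due": due, "first_swap": first, "second_swap": second,
            "live": store.live.key_ref, "previous": store.previous.key_ref,
            "history": store.history}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first candidate being rejected (the apex is not covered, so cert-v1 stays live) and the second one swapped in with cert-v1 retained as `previous` for a later rollback.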
DomainVerification drives custom-domain onboarding for federations and clubs that bring their own hostname: the operator picks TXT or CNAME, the system mints a unique verification token, the user adds the record at their registrar, and a verifier polls until the record resolves correctly before the domain is bound to the CMS site. WildcardCertificate is a specialisation that uses DNS-01 against the Cloudflare zone to issue *.federation.example certs without per-subdomain challenges. CloudflareWorkerDeployment models edge code per tenant — script, routes, KV bindings, secrets, and the deployment lifecycle — so canonical redirects, A/B tests, geo-routing, and custom auth checks can run at Cloudflare's edge instead of round-tripping to the origin.
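The TXT/CNAME ownership proof and the polling verifier described for DomainVerification, as an added example that is not the platform's own code. The resolver is injected so the block runs offline against constructed records; the record label `_platform-verify`, the zone `verify.platform.example`, the token format and all function names are assumptions made for this illustration.

```python
"""Added example, not the platform's own code: the TXT/CNAME ownership proof
behind DomainVerification, with the resolver injected so it runs offline on
constructed records. TXT_LABEL, VERIFY_ZONE, the token format and the
function names are assumptions made for this illustration."""
import hmac
import secrets

TXT_LABEL = "_platform-verify"             # assumed label the proof record lives under
VERIFY_ZONE = "verify.platform.example"    # assumed zone the CNAME proof points into
TOKEN = "pv-constructed-token-123"         # constructed; real runs call mint_token()


def mint_token() -> str:
    """One single-purpose token per verification; 128 bits from the OS CSPRNG."""
    return "pv-" + secrets.token_urlsafe(16)


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def txt_verified(resolve, domain, token) -> bool:
    """TXT proof: a record at _platform-verify.<domain> equals the token. Other
    TXT records (SPF, other verifiers) may sit alongside it, so any match counts."""
    answers = resolve(f"{TXT_LABEL}.{normalize(domain)}", "TXT")
    return any(hmac.compare_digest(a.strip().strip('"').encode(), token.encode())
               for a in answers)


def cname_verified(resolve, domain, token) -> bool:
    """CNAME proof: _platform-verify.<domain> aliases <token>.<VERIFY_ZONE>; the
    token in the target ties the alias to this specific verification."""
    answers = resolve(f"{TXT_LABEL}.{normalize(domain)}", "CNAME")
    expected = f"{token}.{VERIFY_ZONE}"
    return any(normalize(a) == expected for a in answers)


def verify(resolve, method, domain, token, attempts=5) -> bool:
    """Poll until the record resolves correctly or the attempt budget is spent.
    A real verifier sleeps between attempts; that delay is left out here."""
    check = {"TXT": txt_verified, "CNAME": cname_verified}[method]
    for _ in range(attempts):
        if check(resolve, domain, token):
            return True
    return False


def make_resolver(table, visible_from_call=1):
    """Constructed resolver: answers from a dict, returning nothing (record not
    yet propagated) until the given call number is reached."""
    calls = {"n": 0}

    def resolve(name, rtype):
        calls["n"] += 1
        if calls["n"] < visible_from_call:
            return []
        return table.get((normalize(name), rtype), [])

    return resolve


# Constructed DNS state: one correct TXT next to an SPF record, one stale
# token from an earlier verification, one correct CNAME with a trailing dot.
CONSTRUCTED_DNS = {
    ("_platform-verify.boule.example.fr", "TXT"): ['"v=spf1 -all"', f'"{TOKEN}"'],
    ("_platform-verify.other.example", "TXT"): ['"pv-stale-token-from-last-year"'],
    ("_platform-verify.club.example.org", "CNAME"): [f"{TOKEN}.{VERIFY_ZONE}."],
}


def demo():
    t = CONSTRUCTED_DNS
    return {
        "txt_ok": verify(make_resolver(t), "TXT", "Boule.Example.FR.", TOKEN, attempts=1),
        "txt_stale": verify(make_resolver(t), "TXT", "other.example", TOKEN, attempts=1),
        "cname_ok": verify(make_resolver(t), "CNAME", "club.example.org", TOKEN, attempts=1),
        # record appears on the third lookup: three attempts succeed, two give up
        "propagating": verify(make_resolver(t, 3), "TXT", "boule.example.fr", TOKEN, attempts=3),
        "gave_up": verify(make_resolver(t, 3), "TXT", "boule.example.fr", TOKEN, attempts=2),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter for the defender: the comparison is constant-time and exact, so a stale token from an earlier verification never unlocks the domain, and the proof lives under a dedicated label rather than at the apex, so an unrelated CNAME or TXT record at the zone root cannot be mistaken for ownership.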
Key capabilities
- ACME/Let's Encrypt certificate lifecycle with automatic renewal 30 days before expiry
- CloudflareDnsZone CRUD with state caching and live API proxy
- CloudflareDnsRecord with A/AAAA/CNAME/MX/TXT/NS/SRV and idempotent batch upsert
- DomainVerification via TXT or CNAME with unique verification tokens
- WildcardCertificate via DNS-01 against the configured Cloudflare zone
- CloudflareWorkerDeployment for edge logic with KV bindings and secrets
- Atomic certificate swap with rollback on validation failure
In practice
A federation wants its CMS site to live at boule.example.fr instead of the platform default. The admin enters the domain; a DomainVerification is created with a TXT challenge — they paste the token at their DNS provider and click Verify, and the platform polls and confirms within 60 seconds. Behind the scenes a CloudflareDnsZone is provisioned, a CNAME record points the apex to the platform's ingress, and an AcmeCertificate is requested via DNS-01 (since they also want *.boule.example.fr).
Let's Encrypt issues the cert, the platform binds it to the ingress, and the federation's CMS goes live with HTTPS. A CloudflareWorkerDeployment is added later to redirect /old-news/* to /news/* at the edge, saving an origin round-trip on every legacy link.
Features of this subsystem
| ID | Status | Features |
|---|---|---|
| F14.15.01 | Delivered | ACME/Let's Encrypt certificate management — AcmeCertificate collection, tenant-scoped, with automatic certificate issuance and renewal; for CMS traffic: Caddy-based on-demand TLS via HTTP-01 challenge on vm-petanque-proxy with certificate persistence in a Docker volume (PL-T232) ✅ PL-F1415 + PL-T232 |
| F14.15.02 | Delivered | Cloudflare DNS zone management — CloudflareDnsZone collection, tenant-scoped, with zone CRUD and DNS record handling ✅ PL-F1415 |
| F14.15.03 | Delivered | Cloudflare DNS record management — CloudflareDnsRecord collection, tenant-scoped, with A/AAAA/CNAME/MX/TXT records ✅ PL-F1415 |
| F14.15.04 | Delivered | Domain verification — DomainVerification collection, tenant-scoped, with TXT/CNAME verification methods; WildcardCertificate for wildcard certificates ✅ PL-F1415 |
| F14.15.05 | Delivered | Cloudflare Workers for edge computing — CloudflareWorkerDeployment collection, tenant-scoped, with worker configuration and deployment handling ✅ PL-F1415 |
| F14.15.06 | Delivered | Caddy reverse proxy for CMS traffic — vm-petanque-proxy Azure VM (B1s, static IP 20.238.51.13) runs Caddy 2.x in Docker; on-demand TLS via Let's Encrypt HTTP-01; certificate cache in the caddy_data volume; reverse proxy with header_up Host {host} to swa-petanque-web; gated by /public/domains/cert-allowed-endpoint against abuse; stable CNAME target proxy.web.petanque.life for federations' own domains; replaces Cloudflare for SaaS (PL-T046), which is kept as a dormant alternative (PL-T232) ✅ PL-T232 |
| F14.15.07 | Delivered | Loopia DNS API integration for auto-provisioning of platform subdomains — services/sys/loopia_dns (XML-RPC against https://api.loopia.se/RPCSERV) is hooked into POST/PATCH/DELETE /cms/sites/ so that the A record <slug>.web.petanque.life → 20.238.51.13 is created, changed or removed automatically on CmsSite lifecycle events; dns_provisioning_status (pending/active/failed/disabled) + dns_provisioning_error + dns_provisioned_at on CmsSite for observability; POST /cms/sites/{id}/repair-dns for idempotent retry; reserved slugs (proxy, _acme-challenge, test) blocked; transient API errors do not roll back CmsSite creation (PL-T235) ✅ PL-T235 |
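The abuse gate behind on-demand TLS (F14.15.06) and the reserved-slug rule from the Loopia provisioning row (F14.15.07), as one added example that is not the platform's own code. Caddy's on-demand TLS `ask` endpoint receives a GET with the hostname in the `domain` query parameter and treats any 2xx reply as permission to request a certificate; the decision logic below refuses every name the platform does not actually serve, so a stranger pointing an arbitrary hostname at the proxy cannot trigger issuance. The platform suffix, the reserved slugs, the endpoint path and the CNAME target are from the page; the data sets, regexes and function names are assumptions.

```python
"""Added example, not the platform's own code: the allow/deny decision an
on-demand TLS 'ask' endpoint such as /public/domains/cert-allowed-endpoint can
make before Caddy requests a certificate, combined with the reserved-slug rule
from the Loopia provisioning row. The platform suffix, reserved slugs and CNAME
target are from the page; data sets, regexes and function names are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

PLATFORM_SUFFIX = ".web.petanque.life"                   # <slug>.web.petanque.life
RESERVED_SLUGS = {"proxy", "_acme-challenge", "test"}    # blocked per PL-T235
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")           # one DNS label
SLUG_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # assumed slug rule


def normalize(host: str) -> str:
    return host.strip().lower().rstrip(".")


def valid_hostname(host: str) -> bool:
    return 1 <= len(host) <= 253 and "." in host and all(
        LABEL_RE.match(label) for label in host.split("."))


def slug_allowed(slug: str) -> bool:
    """Reserved slugs can never become tenant sites, whoever asks for them."""
    return bool(SLUG_RE.match(slug)) and slug not in RESERVED_SLUGS


def cert_allowed(hostname, verified_domains, active_slugs) -> bool:
    """True only for names the platform actually serves. Anything else is
    refused so that unknown hostnames pointed at the proxy cannot trigger
    issuance, burn Let's Encrypt rate limits or fill the certificate cache."""
    host = normalize(hostname)
    if not valid_hostname(host):
        return False
    if host.endswith(PLATFORM_SUFFIX):
        slug = host[: -len(PLATFORM_SUFFIX)]
        return slug_allowed(slug) and slug in active_slugs
    # Custom domains: the verified name itself or a name beneath it
    # (the federation that proved boule.example.fr also owns its subdomains).
    return any(host == d or host.endswith("." + d) for d in verified_domains)


def handle_ask(path_and_query, verified_domains, active_slugs) -> int:
    """Status for Caddy's on-demand TLS 'ask' GET: the hostname arrives in the
    'domain' query parameter and any 2xx reply permits issuance."""
    params = parse_qs(urlsplit(path_and_query).query)
    domains = params.get("domain", [])
    if len(domains) != 1:
        return 400
    return 200 if cert_allowed(domains[0], verified_domains, active_slugs) else 403


# Constructed state: one verified custom domain, two provisioned platform slugs.
VERIFIED_DOMAINS = {"boule.example.fr"}
ACTIVE_SLUGS = {"nordic-federation", "club-xyz"}
ASK = "/public/domains/cert-allowed-endpoint?domain="


def demo():
    cases = {
        "custom_apex": "boule.example.fr",
        "custom_sub": "news.boule.example.fr",
        "custom_upper": "BOULE.EXAMPLE.FR.",
        "lookalike": "boule.example.fr.unrelated.example",
        "unknown": "nobody.example",
        "slug_active": "club-xyz.web.petanque.life",
        "slug_unprovisioned": "nobody.web.petanque.life",
        "slug_reserved": "proxy.web.petanque.life",
        "slug_acme": "_acme-challenge.web.petanque.life",
        "platform_root": "web.petanque.life",
        "empty": "",
    }
    return {k: handle_ask(ASK + v, VERIFIED_DOMAINS, ACTIVE_SLUGS) for k, v in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} {status}")
```

The lookalike case is the one worth keeping in a test suite: a hostname that merely contains a verified domain as a prefix must be refused, which is why the check compares against `"." + domain` rather than using a substring match. The reserved `proxy` slug also covers the stable CNAME target proxy.web.petanque.life, which is served by the proxy itself and never by a tenant.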