TotalTls

Source: src/Cloudflare/Acm/TotalTls.ts

The Total TLS setting of a Cloudflare zone (/zones/{zone_id}/acm/total_tls).

Total TLS orders a hostname-specific TLS certificate for every proxied A, AAAA, or CNAME record in the zone. This covers deep subdomains that the Universal SSL certificate cannot: Universal SSL covers the apex and a single wildcard level (*.example.com), so a host such as a.b.example.com needs its own certificate.

The setting is a zone singleton: it always exists (default disabled), so this resource never creates or deletes anything physical. Reconcile posts the setting only when the observed state differs from the desired one. Destroy restores the state the zone had before Alchemy first managed it, captured on first reconcile as initialEnabled / initialCertificateAuthority.

Entitlement-gated: configuring Total TLS requires the Advanced Certificate Manager add-on on the zone. Without it, every write fails with the typed AdvancedCertificateManagerRequired error (Cloudflare error code 1450); reads still succeed and report enabled: false.

Declare at most one TotalTls resource per zone: two instances managing the same zone would fight over the singleton, each posting its own desired state whenever the other wins.
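To make the lifecycle concrete, the following is an added TypeScript example that models the reconcile and destroy behaviour described above against an in-memory stand-in for the total_tls endpoint. It is not Alchemy's implementation and not Cloudflare's SDK: the FakeTotalTlsClient, the zone ids, and the reconcile / destroy / needsWrite helpers are constructed for this illustration; the error code 1450 and the certificate_authority values follow Cloudflare's API.

```typescript
// Added example (not Alchemy's or Cloudflare's code): a model of how a Total TLS
// resource reconciles the zone singleton and restores it on destroy. The client
// is an in-memory stand-in for /zones/{zone_id}/acm/total_tls; a real client
// would call the Cloudflare API asynchronously.

type CertificateAuthority = "google" | "lets_encrypt" | "ssl_com"; // CA ids accepted by the endpoint

interface TotalTlsState {
  enabled: boolean;
  certificate_authority?: CertificateAuthority;
}

/** Typed failure for zones without the Advanced Certificate Manager add-on (Cloudflare code 1450). */
class AdvancedCertificateManagerRequired extends Error {
  readonly code = 1450;
  constructor(zoneId: string) {
    super(`zone ${zoneId}: Advanced Certificate Manager is required to configure Total TLS (code 1450)`);
    this.name = "AdvancedCertificateManagerRequired";
  }
}

interface TotalTlsClient {
  get(zoneId: string): TotalTlsState;
  post(zoneId: string, body: TotalTlsState): TotalTlsState;
}

/** Fake API: every zone always has a setting (default disabled); writes are entitlement-gated. */
class FakeTotalTlsClient implements TotalTlsClient {
  readonly writes: Array<{ zoneId: string; body: TotalTlsState }> = [];
  private readonly settings = new Map<string, TotalTlsState>();
  private readonly zonesWithAcm: ReadonlySet<string>;

  constructor(zonesWithAcm: ReadonlySet<string>) {
    this.zonesWithAcm = zonesWithAcm;
  }

  get(zoneId: string): TotalTlsState {
    // Reads succeed for every zone; an unmanaged zone reads as disabled.
    return { ...(this.settings.get(zoneId) ?? { enabled: false }) };
  }

  post(zoneId: string, body: TotalTlsState): TotalTlsState {
    if (!this.zonesWithAcm.has(zoneId)) throw new AdvancedCertificateManagerRequired(zoneId);
    this.writes.push({ zoneId, body: { ...body } });
    this.settings.set(zoneId, { ...body });
    return { ...body };
  }
}

/** Drift check: enabled must match; the CA only matters when the desired state pins one. */
function needsWrite(observed: TotalTlsState, desired: TotalTlsState): boolean {
  if (observed.enabled !== desired.enabled) return true;
  return desired.certificate_authority !== undefined &&
    observed.certificate_authority !== desired.certificate_authority;
}

interface ManagedTotalTls {
  zoneId: string;
  initial: TotalTlsState; // state before the first reconcile; destroy restores this
  current: TotalTlsState;
}

/** Reads the singleton, captures the pre-management state once, and posts only on drift. */
function reconcile(client: TotalTlsClient, zoneId: string, desired: TotalTlsState,
                   previous?: ManagedTotalTls): ManagedTotalTls {
  const observed = client.get(zoneId);
  const initial = previous?.initial ?? observed; // captured once, never overwritten
  const current = needsWrite(observed, desired) ? client.post(zoneId, desired) : observed;
  return { zoneId, initial, current };
}

/** Destroy does not delete anything: it puts the zone back to its initial state if it drifted from it. */
function destroy(client: TotalTlsClient, managed: ManagedTotalTls): void {
  const observed = client.get(managed.zoneId);
  if (needsWrite(observed, managed.initial)) client.post(managed.zoneId, managed.initial);
}

/** Walks the lifecycle on two constructed zones and returns the observable outcomes. */
function demo() {
  const client = new FakeTotalTlsClient(new Set(["zone-with-acm"])); // constructed zone ids
  const desired: TotalTlsState = { enabled: true, certificate_authority: "lets_encrypt" };

  const first = reconcile(client, "zone-with-acm", desired);         // drift -> one POST
  const writesAfterFirst = client.writes.length;
  const second = reconcile(client, "zone-with-acm", desired, first); // no drift -> no POST
  const writesAfterSecond = client.writes.length;
  destroy(client, second);                                           // back to { enabled: false }
  const writesAfterDestroy = client.writes.length;
  const restored = client.get("zone-with-acm");

  let gatedError: unknown;
  try { reconcile(client, "zone-without-acm", desired); } catch (e) { gatedError = e; }

  return {
    firstEnabled: first.current.enabled,
    firstCa: first.current.certificate_authority,
    writesAfterFirst, writesAfterSecond, writesAfterDestroy,
    initialEnabled: second.initial.enabled,
    restoredEnabled: restored.enabled,
    gatedCode: (gatedError as { code?: number } | undefined)?.code,
    gatedReadEnabled: client.get("zone-without-acm").enabled, // reads still work without ACM
  };
}
```

The two points to take from the run are that a second reconcile with an unchanged desired state produces no write (the singleton is compared, not blindly re-posted), and that destroy is a restore rather than a delete: it posts the captured initial state only if the zone has drifted from it. On the zone without the add-on the read succeeds and reports enabled: false while the write surfaces the typed 1450 error.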

Enable Total TLS on a zone

// The zone whose Total TLS singleton this resource manages.
const zone = yield* Cloudflare.Zone("Site", { name: "example.com" });
// Requires the Advanced Certificate Manager add-on on the zone; the write
// fails with AdvancedCertificateManagerRequired (code 1450) otherwise.
yield* Cloudflare.TotalTls("TotalTls", {
zoneId: zone.zoneId,
enabled: true,
});

Pin the issuing Certificate Authority

// `zone` is the Cloudflare.Zone declared in the previous example.
yield* Cloudflare.TotalTls("TotalTls", {
zoneId: zone.zoneId,
enabled: true,
// Pins which CA issues the per-hostname certificates; omit it to let
// Cloudflare choose.
certificateAuthority: "lets_encrypt",
});