badjware / certbot-dns-cpanel
certbot plugin to allow acme dns-01 authentication of a name managed in cPanel
License: Other
I'm trying to configure an automated setup for all my little things that I have behind several reverse proxies and therefore need a wildcard certificate to make the whole process less cumbersome. The big problem: my DNS provider only allows logging into cPanel through their own webhosting portal - and that works without actually giving me the password for the cPanel user. This is a problem if you want to use the plugin that relies on full user login credentials.
However, I've found a way to address the cPanel UI by using an API key that I created with said cPanel user, and that works when running requests manually against the API, such as:
curl -H'Authorization: cpanel ${my_user}:${my_api_key}' 'https://${my_domain}:2083/execute/DNS/lookup?domain=${my_domain}'
When debugging the dns_cpanel.py script to find out how to adapt it I noticed it is using basic_auth with base64 encoding. As a simple workaround for myself I've replaced the lines in the original script (https://github.com/badjware/certbot-dns-cpanel/blob/master/certbot_dns_cpanel/dns_cpanel.py#L79-L83)
```python
self.headers = {
    'Authorization': 'Basic %s' % base64.b64encode(
        ("%s:%s" % (username, password)).encode()
    ).decode('utf8')
}
```
with this:
```python
self.headers = {
    'Authorization': 'cpanel %s:%s' % (username, password)
}
```
This works well with the JSON API the script is using. Maybe something like this is worth including, or if this is too much effort to implement in a more reliable and secure way (though since these configs are plain text there isn't much to secure anyway...).
Let me know if you'd like to work on this on your end or if it makes more sense to run a separate plugin for this.
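To make the two header schemes from this post concrete, here is an added example (my own code, not the plugin's) that reads a credentials file in the plugin's .ini shape, builds either the Basic header the plugin sends today or the `cpanel USER:TOKEN` header used with an API token, and redacts the header before it is logged. The `cpanel_auth_scheme` key and the `lookup_request`/`redact` helpers are assumptions introduced for the example; `cpanel_url`, `cpanel_username` and `cpanel_password` are the plugin's own keys, and the lookup URL is the one from the curl command above.

```python
# Added example, not code from certbot-dns-cpanel: build the cPanel Authorization
# header for either scheme discussed above and keep the secret out of logs.
import base64
import configparser
from urllib.parse import urlencode, urlsplit

# Constructed credentials file in the plugin's .ini shape (placeholder values).
# cpanel_auth_scheme is a hypothetical key added for this example; the plugin
# itself only defines cpanel_url, cpanel_username and cpanel_password.
SAMPLE_INI = """\
cpanel_url = https://my-domain.com:2083
cpanel_username = my_user
cpanel_password = my_pw
cpanel_auth_scheme = token
"""


def load_credentials(ini_text):
    """Parse the section-less .ini text certbot plugins use.

    The scheme defaults to "basic" (username + password). A plain-http
    cpanel_url is rejected because both schemes send the secret on every request.
    """
    parser = configparser.ConfigParser()
    parser.read_string("[cpanel]\n" + ini_text)  # configparser needs a section
    section = parser["cpanel"]
    url = section["cpanel_url"].rstrip("/")
    if urlsplit(url).scheme != "https":
        raise ValueError("cpanel_url must be https: the credential is sent with every request")
    return {
        "url": url,
        "username": section["cpanel_username"],
        "secret": section["cpanel_password"],
        "auth_scheme": section.get("cpanel_auth_scheme", "basic").strip().lower(),
    }


def build_auth_header(username, secret, auth_scheme="basic"):
    """Return the Authorization header value for the chosen scheme."""
    if auth_scheme == "basic":
        # What the plugin does today: RFC 7617 Basic with the account password.
        token = base64.b64encode(f"{username}:{secret}".encode()).decode("ascii")
        return f"Basic {token}"
    if auth_scheme == "token":
        # cPanel API token: the literal "cpanel USER:TOKEN", no base64.
        return f"cpanel {username}:{secret}"
    raise ValueError(f"unknown cpanel_auth_scheme {auth_scheme!r}")


def lookup_request(creds, domain):
    """URL and headers for the UAPI DNS/lookup call shown with curl above."""
    url = f"{creds['url']}/execute/DNS/lookup?{urlencode({'domain': domain})}"
    headers = {
        "Authorization": build_auth_header(creds["username"], creds["secret"], creds["auth_scheme"])
    }
    return url, headers


def redact(headers):
    """Copy of headers that is safe to log: scheme word kept, secret removed."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = safe["Authorization"].split(" ", 1)[0] + " [REDACTED]"
    return safe


if __name__ == "__main__":
    creds = load_credentials(SAMPLE_INI)
    url, headers = lookup_request(creds, "my-domain.com")
    print(url, redact(headers))
```

An API token scoped to the one cPanel account is a smaller secret to keep in a plain-text .ini than the account password, which is the practical reason to prefer the token scheme even though the file itself is no better protected either way.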
certbot 0.31.0
certbot-dns-cpanel 0.2.1
```
sudo certbot certonly \
    --authenticator certbot-dns-cpanel:cpanel \
    --certbot-dns-cpanel:cpanel-credentials cpanel-credentials.ini \
    -d 'my.domain.tld' -d '*.my.domain.tld'
```
certbot: error: unrecognized arguments: --certbot-dns-cpanel:cpanel-credentials cpanel-credentials.ini
[~] certbot plugins
certbot-dns-cpanel:cpanel
Description: Obtain a certificate using a DNS TXT record in cPanel
Interfaces: IAuthenticator, IPlugin
Entry point: cpanel = certbot_dns_cpanel.dns_cpanel:Authenticator
Running Raspbian Buster Lite:
Linux host.mydomain.tld 4.19.88-v7l+ #1284 SMP Wed Dec 11 13:51:57 GMT 2019 armv7l GNU/Linux
I regularly experience the newly created DNS record not being available after just 10 seconds. How can I make it wait longer than 10 seconds?
Testing and releasing manually is cumbersome.
Evaluate the options for CI/CD and write a pipeline to automate all of this.
Thanks for the great work on this.
I've made the cert by running:
certbot --authenticator certbot-dns-cpanel:cpanel --installer nginx --certbot-dns-cpanel:cpanel-credentials /etc/letsencrypt/cpanel_dns_credentials.ini --agree-tos -w /var/www/certbot --email [email protected] -d domain.com -d *.domain.com --force-renewal
I've experienced an error while trying to run certbot renew:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/domain.com.conf (cert: domain.com) produced an unexpected error: 'Namespace' object has no attribute 'certbot_dns_cpanel:cpanel_credentials'. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/domain.com.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
Content of /etc/letsencrypt/renewal/domain.com.conf
root@7714b64abcc2:/# cat /etc/letsencrypt/renewal/domain.com.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/domain.com
cert = /etc/letsencrypt/live/domain.com/cert.pem
privkey = /etc/letsencrypt/live/domain.com/privkey.pem
chain = /etc/letsencrypt/live/domain.com/chain.pem
fullchain = /etc/letsencrypt/live/domain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxx
authenticator = certbot-dns-cpanel:cpanel
webroot_path = /var/www/certbot,
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx
certbot_dns_cpanel:cpanel_credentials = /etc/letsencrypt/cpanel_dns_credentials.ini
[[webroot_map]]
Content of log /var/log/letsencrypt/letsencrypt.log
root@7714b64abcc2:/# cat /var/log/letsencrypt/letsencrypt.log
2020-06-21 13:49:17,427:DEBUG:certbot.main:certbot version: 0.31.0
2020-06-21 13:49:17,427:DEBUG:certbot.main:Arguments: []
2020-06-21 13:49:17,428:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-21 13:49:17,444:DEBUG:certbot.log:Root logging level set at 20
2020-06-21 13:49:17,444:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-21 13:49:17,458:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f0ed022bd68> and installer <certbot.cli._Default object at 0x7f0ed022bd68>
2020-06-21 13:49:17,458:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/domain.com.conf (cert: domain.com) produced an unexpected error: 'Namespace' object has no attribute 'certbot_dns_cpanel:cpanel_credentials'. Skipping.
2020-06-21 13:49:17,463:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 419, in handle_renewal_request
renewal_candidate = _reconstitute(lineage_config, renewal_file)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 86, in _reconstitute
_restore_plugin_configs(config, renewalparams)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 154, in _restore_plugin_configs
if config_item.startswith(plugin_prefix + "_") and not cli.set_by_cli(config_item):
File "/usr/lib/python3/dist-packages/certbot/cli.py", line 219, in set_by_cli
if not isinstance(getattr(detector, var), _Default):
AttributeError: 'Namespace' object has no attribute 'certbot_dns_cpanel:cpanel_credentials'
2020-06-21 13:49:17,464:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 0 renew failure(s), 1 parse failure(s)
The machine is Debian 10 (in Docker).
Versions:
root@7714b64abcc2:/# python3 --version
Python 3.7.3
root@7714b64abcc2:/# certbot --version
certbot 0.31.0
Trying to use certbot-dns-cpanel against a subdomain hosted with cPanel 102.0.23.
There is an add-on domain, yarxi.ru. There is a subdomain underneath that, test.yarxi.ru. I'm issuing the following command:
certbot run --authenticator certbot-dns-cpanel:cpanel --installer certbot-dns-cpanel:cpanel --certbot-dns-cpanel:cpanel-credentials cred.ini --logs-dir . --config-dir . --work-dir . -d test.yarxi.ru,www.test.yarxi.ru
and getting the following output:
Saving debug log to /home/seva/ssl/yx.ru/letsencrypt.log
Plugins selected: Authenticator certbot-dns-cpanel:cpanel, Installer certbot-dns-cpanel:cpanel
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for test.yarxi.ru
dns-01 challenge for www.test.yarxi.ru
Cleaning up challenges
Error adding TXT record: Unable to find SOA record.
The debug log is attached.
EDIT: it boils down to an error in response to the ZoneEdit/add_zone_record API method:
2023-01-04 12:19:59,120:DEBUG:certbot_dns_cpanel.dns_cpanel:add_zone_record: url='http://www.example.com:2082/json-api/cpanel', data='{
"cpanel_jsonapi_user": "johndoe",
"cpanel_jsonapi_apiversion": "2",
"cpanel_jsonapi_module": "ZoneEdit",
"cpanel_jsonapi_func": "add_zone_record",
"domain": "test.boo.org",
"name": "_acme-challenge",
"type": "TXT",
"txtdata": "s5tJpM0ACh1aGkJs1kFSpIM_rk1Qnholop71hgR_d3I",
"ttl": 60
}', response data='{
"postevent": {
"result": 1
},
"apiversion": 2,
"event": {
"result": 1
},
"data": [
{
"result": {
"status": 0,
"newserial": null,
"statusmsg": "Unable to find SOA record."
}
}
],
"func": "add_zone_record",
"module": "ZoneEdit",
"preevent": {
"result": 1
}
}'
That's misconfiguration of the site, not a bug in certbot-dns-cpanel.
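In the log above the outer `event`, `preevent` and `postevent` flags are all 1 while the real outcome sits in `data[0].result.status` with cPanel's own `statusmsg`, so a client that only checks the outer flags would carry on as if the record existed. The following added example (my code, not the plugin's) parses that API2 response shape and surfaces the message, and shows how a client can decide which zone an `_acme-challenge` name belongs to by walking its labels, so that a record for test.yarxi.ru is added to the zone that actually has an SOA (yarxi.ru, when only the add-on domain is a zone). The failing response is a constructed copy of the one logged above; the success response, the serial value and the `plan_txt_record` helper are assumptions made up for the example.

```python
# Added example, not code from certbot-dns-cpanel: read the cPanel API2 result
# block shown in the log above and pick the zone a record belongs to.
import json

# Constructed copy of the failing response from the log above.
SAMPLE_FAILURE = json.dumps({
    "postevent": {"result": 1},
    "apiversion": 2,
    "event": {"result": 1},
    "data": [{"result": {"status": 0, "newserial": None,
                         "statusmsg": "Unable to find SOA record."}}],
    "func": "add_zone_record",
    "module": "ZoneEdit",
    "preevent": {"result": 1},
})

# Constructed success response in the same shape (serial value is made up).
SAMPLE_SUCCESS = json.dumps({
    "apiversion": 2,
    "event": {"result": 1},
    "data": [{"result": {"status": 1, "newserial": "2023010401",
                         "statusmsg": "Added TXT record"}}],
    "func": "add_zone_record",
    "module": "ZoneEdit",
})


class CpanelApiError(Exception):
    """Raised with cPanel's own statusmsg so the real cause reaches the log."""


def check_add_zone_record(response_text):
    """Return the new zone serial, or raise CpanelApiError.

    The outer event/preevent/postevent flags only report hook execution (all 1
    in the failing log), so a client must look at data[0].result.status.
    """
    payload = json.loads(response_text)
    if (payload.get("module"), payload.get("func")) != ("ZoneEdit", "add_zone_record"):
        raise CpanelApiError("response is for a different API call")
    entries = payload.get("data") or []
    if not entries or "result" not in entries[0]:
        raise CpanelApiError("response carries no result block")
    result = entries[0]["result"]
    if result.get("status") != 1:
        raise CpanelApiError(result.get("statusmsg") or "add_zone_record failed without a message")
    return result.get("newserial")


def find_zone(fqdn, zones):
    """Longest zone in `zones` that contains fqdn, walking labels from the left.

    With only yarxi.ru managed as a zone, a record under test.yarxi.ru must be
    added to yarxi.ru; asking for zone test.yarxi.ru names a zone with no SOA.
    Returns None when no zone owns the name.
    """
    known = {z.rstrip(".").lower() for z in zones}
    labels = fqdn.rstrip(".").lower().split(".")
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in known:
            return candidate
    return None


def relative_name(fqdn, zone):
    """Record name relative to its zone, e.g. _acme-challenge.test in yarxi.ru."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside {zone}")
    return fqdn[: -len(zone) - 1]


def plan_txt_record(challenge_fqdn, zones):
    """(zone, relative name) for an _acme-challenge record, or None if unowned."""
    zone = find_zone(challenge_fqdn, zones)
    if zone is None:
        return None
    return zone, relative_name(challenge_fqdn, zone)


if __name__ == "__main__":
    try:
        check_add_zone_record(SAMPLE_FAILURE)
    except CpanelApiError as err:
        print("cPanel said:", err)
    print(plan_txt_record("_acme-challenge.test.yarxi.ru", {"yarxi.ru"}))
```

A side note on the logged request: it goes to `http://www.example.com:2082/json-api/cpanel`, and the POST body carries `cpanel_jsonapi_user` together with the account credential, so on plain http on port 2082 that credential crosses the network unencrypted; the https port (2083) is the safer `cpanel_url` regardless of how the SOA problem is resolved.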
It's currently not working in combination with the certbot-dns-cloudflare plugin to generate wildcard certificates with the DNS method.
https://certbot-dns-cloudflare.readthedocs.io/en/stable/
Unknown argument error.
This is the process I'm trying to achieve.
Auto-generate a wildcard certificate every 3 months using the certbot-dns-cloudflare plugin with the DNS method, and then, using this certbot-dns-cpanel plugin, install the certificate in cPanel on each certificate generation.
Is there a possibility that you can make these two work together?
Hi badjware,
I found an issue with wildcards on .co.uk domains which I fixed in a fork here:
IainKay@1fe8c72
When I try using the plugin as it is included with the linuxserver/swag docker container I'm getting a warning message saying the plugin name format is considered 'legacy' now:
```
root@47ec7d874239:/# certbot certonly --authenticator certbot-dns-cpanel:cpanel --certbot-dns-cpanel:cpanel-credentials /config/dns-conf/cpanel.ini -d 'my-domain.com' -d '*.my-domain.com' -v
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin legacy name certbot-dns-cpanel:cpanel may be removed in a future version. Please use cpanel instead.
Plugins selected: Authenticator certbot-dns-cpanel:cpanel, Installer None
Requesting a certificate for my-domain.com and *.my-domain.com
Performing the following challenges:
...
While debugging the plugin for a different issue I've also stumbled upon this and was able to get around it by using the following command instead, with the respective changes to the config as well.
Command:
certbot certonly --authenticator cpanel --cpanel-credentials /config/dns-conf/cpanel.ini -d 'my-domain.com' -d '*.my-domain.com'
Config:
cpanel_url = https://my-domain.com:2083
cpanel_username = my_user
cpanel_password = my_pw
However, for now this is more of a cosmetic problem than an actual issue - but who knows when the old format is going to get removed from the bot?...