certbot-dns-domeneshop's Introduction

certbot-dns-domeneshop

Domeneshop DNS Authenticator plugin for certbot.

This plugin automates the process of completing a dns-01 challenge by creating, and subsequently removing, TXT records using the Domeneshop API.

Named Arguments

--dns-domeneshop-credentials Domeneshop credentials INI file. (required)
--dns-domeneshop-propagation-seconds The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (Default: 120)

Note that for certbot 1.6.0 and older, a prefix (certbot-dns-domeneshop:) is required in front of the arguments, see the examples below. The prefix is also required in the credentials file.
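
As an added illustration (not code from this plugin or from certbot), the following shows what the plugin's TXT record has to look like and how a propagation wait such as --dns-domeneshop-propagation-seconds can be replaced by polling for the record instead of sleeping blindly. The validation value is derived per RFC 8555 section 8.4; certbot computes it and the plugin only publishes it. The `lookup` callable is an assumed hook (any function returning the TXT strings found at a name), and `sleep`/`clock` are injectable so the loop can be exercised without real time passing.

```python
import base64
import hashlib
import time
from typing import Callable, Iterable


def dns01_txt_value(key_authorization: str) -> str:
    """TXT value for a dns-01 challenge: base64url(SHA-256(keyAuthorization)) with no '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(domain: str) -> str:
    """Owner name of the TXT record; a wildcard is validated at its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], Iterable[str]],
                 propagation_seconds: int = 120, interval: float = 5.0,
                 sleep=time.sleep, clock=time.monotonic) -> bool:
    """Poll lookup(name) until `expected` is among the TXT strings or the propagation budget is spent.

    Returns True as soon as the record is visible, False once propagation_seconds
    have elapsed without it, which is the situation behind a "No TXT record found" error.
    """
    deadline = clock() + propagation_seconds
    while True:
        if expected in lookup(name):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)
```

A real `lookup` would query the zone's authoritative name servers rather than a caching resolver, since a cached negative answer can outlive the propagation window.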

Installation

pip install certbot-dns-domeneshop

Credentials

Use of this plugin requires a configuration file containing Domeneshop API credentials.

See the Domeneshop API documentation for more information (in Norwegian).

An example credentials.ini file:

dns_domeneshop_client_token=1234567890abcdef
dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs

The path to this file can be provided interactively or using the --dns-domeneshop-credentials command-line argument. Certbot records the path to this file for use during renewal, but does not store the file's contents.

CAUTION: You should protect these API credentials as you would the password to your Domeneshop user account. Users who can read this file can use these credentials to issue arbitrary API calls on your behalf. Users who can cause Certbot to run using these credentials can complete a dns-01 challenge to acquire new certificates or revoke existing certificates for associated domains, even if those domains aren't being managed by this server.

If applicable, we suggest that you create API credentials for domains used by your application, in order to reduce the potential impact of lost credentials.

Certbot will emit a warning if it detects that the credentials file can be accessed by other users on your system. The warning reads "Unsafe permissions on credentials configuration file", followed by the path to the credentials file. This warning will be emitted each time Certbot uses the credentials file, including for renewal, and cannot be silenced except by addressing the issue (e.g., by using a command like chmod 600 to restrict access to the file).

Examples

To acquire a single certificate for both example.com and www.example.com, waiting 120 seconds for DNS propagation (the default):

certbot certonly \
  --authenticator dns-domeneshop \
  --dns-domeneshop-credentials ~/.secrets/certbot/domeneshop.ini \
  --dns-domeneshop-propagation-seconds 120 \
  -d example.com \
  -d www.example.com

If you are using certbot 1.6.0 or older, you should call the plugin with the prefix:

certbot certonly \
  --authenticator certbot-dns-domeneshop:dns-domeneshop \
  --certbot-dns-domeneshop:dns-domeneshop-credentials ~/.secrets/certbot/domeneshop.ini \
  --certbot-dns-domeneshop:dns-domeneshop-propagation-seconds 120 \
  -d example.com \
  -d www.example.com

In this second example, make sure you are also adding the prefixes in ~/.secrets/certbot/domeneshop.ini (e.g. certbot-dns-domeneshop:dns_domeneshop_client_token). Certbot will fail to discover your credentials otherwise.
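
The two pitfalls above (the file-permission warning and the version-dependent key prefix) can be checked before certbot ever runs. The following is an added example, not part of this plugin or of certbot: it derives the key names certbot will look for from its version string, parses the INI body the way a section-less credentials file must be parsed (with '=' as the only delimiter, so the ':' in the legacy prefix is not split), and reports the same "Unsafe permissions" condition certbot warns about.

```python
import configparser
import stat
from pathlib import Path

LEGACY_PREFIX = "certbot-dns-domeneshop:"   # required by certbot 1.6.0 and older, in args and INI keys
KEYS = ("dns_domeneshop_client_token", "dns_domeneshop_client_secret")


def expected_keys(certbot_version: str) -> tuple:
    """INI key names certbot of this version (e.g. "1.12.0") will look for."""
    major, minor = (int(part) for part in certbot_version.split(".")[:2])
    prefix = LEGACY_PREFIX if (major, minor) <= (1, 6) else ""
    return tuple(prefix + key for key in KEYS)


def unsafe_mode(mode: int) -> bool:
    """True when group or other have any access bits, i.e. when certbot would warn (fix: chmod 600)."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def parse_credentials(text: str, certbot_version: str) -> dict:
    """Parse the INI body; raise KeyError naming the keys certbot would fail to discover."""
    # Credentials files have no [section] header and use '=' only; the default ':' delimiter
    # would split "certbot-dns-domeneshop:dns_domeneshop_client_token" in the wrong place.
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string("[creds]\n" + text)
    present = parser["creds"]
    wanted = expected_keys(certbot_version)
    missing = [key for key in wanted if key not in present]
    if missing:
        raise KeyError(f"certbot {certbot_version} expects {missing}; found {list(present)}")
    strip = len(LEGACY_PREFIX)
    return {(key[strip:] if key.startswith(LEGACY_PREFIX) else key): present[key] for key in wanted}


def load_credentials(path: str, certbot_version: str) -> dict:
    """Refuse a world- or group-readable file, then parse it."""
    file = Path(path)
    if unsafe_mode(file.stat().st_mode):
        raise PermissionError(f"Unsafe permissions on credentials configuration file: {file}")
    return parse_credentials(file.read_text(), certbot_version)
```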

Docker image

A docker image is also available on Docker Hub.

Example usage (where the local file /etc/letsencrypt/domeneshop.ini contains your secrets):

docker run --rm \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  domeneshop/certbot-dns-domeneshop \
  certonly \
  --authenticator dns-domeneshop \
  --dns-domeneshop-credentials /etc/letsencrypt/domeneshop.ini \
  --agree-tos \
  --email "[email protected]" \
  -d example.com

certbot-dns-domeneshop's People

Contributors

eirikrye

certbot-dns-domeneshop's Issues

error: unrecognized arguments

Trying to use your plugin with the example listed in the README yields the following error

certbot: error: unrecognized arguments: --dns-domeneshop-credentials /path/to/domeneshop.ini --dns-domeneshop-propagation-seconds 120

running certbot plugins shows that I do indeed have the plugin installed

$ certbot plugins

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* dns-domeneshop
Description: Obtain certificates using a DNS TXT record (if you are using
Domeneshop for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-domeneshop',
value='certbot_dns_domeneshop.dns_domeneshop:Authenticator',
group='certbot.plugins')

The pip package version I am running is certbot-dns-domeneshop 0.2.9 and I am running certbot version 2.10.0

Feature request: custom Kubernetes cert-manager webhook DNS01 challenge resolver

Hello, certbot-dns-domeneshop is great when using certbot!

We recently switched to Kubernetes which uses a similar concept as certbot called cert-manager. Cert-manager works great for requesting regular certificates from letsencrypt, but for wildcard certificates we need to hook up a DNS01 challenge resolver. Cert-manager supports a few well-known DNS providers, and has a webhook option which allows DNS providers to add support through a custom cert-manager webhook implementation.

It would be awesome if you could develop a custom cert-manager webhook implementation. What do you think?

The requested dns-domeneshop plugin does not appear to be installed

Following the install and usage instructions in the readme file, certbot quits with error:

The requested dns-domeneshop plugin does not appear to be installed

Command I run:
certbot certonly --authenticator dns-domeneshop -d '*.example.org'

Command run to install:
pip install certbot-dns-domeneshop


pip --version
pip 22.2.2 from /usr/lib/python3.11/site-packages/pip (python 3.11)

certbot --version
certbot 2.1.0

OS: Fedora 37

/var/log/letsencrypt/letsencrypt.log
----------------
2023-03-11 18:07:11,393:DEBUG:certbot._internal.main:certbot version: 2.1.0
2023-03-11 18:07:11,394:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-11 18:07:11,394:DEBUG:certbot._internal.main:Arguments: ['--authenticator', 'dns-domeneshop', '-d', '*.example.org']
2023-03-11 18:07:11,394:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-11 18:07:11,410:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-11 18:07:11,410:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-domeneshop and installer None
2023-03-11 18:07:11,410:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2023-03-11 18:07:11,411:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/lib/python3.11/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/certbot/_internal/main.py", line 1736, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/certbot/_internal/main.py", line 1571, in certonly
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/certbot/_internal/plugins/selection.py", line 255, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python3.11/site-packages/certbot/_internal/plugins/selection.py", line 373, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The requested dns-domeneshop plugin does not appear to be installed
2023-03-11 18:07:11,412:ERROR:certbot._internal.log:The requested dns-domeneshop plugin does not appear to be installed

minor adjustment in documentation...

using certbot 1.9.0

Example:

from

certbot certonly \
  --authenticator certbot-dns-domeneshop:dns-domeneshop \
  --certbot-dns-domeneshop:dns-domeneshop-credentials ~/.secrets/certbot/domeneshop.ini \
  --certbot-dns-domeneshop:dns-domeneshop-propagation-seconds 120 \
  -d example.com \
  -d www.example.com

to

certbot certonly \
  --authenticator dns-domeneshop \
  --certbot-dns-domeneshop:dns-domeneshop-credentials ~/.secrets/certbot/domeneshop.ini \
  --certbot-dns-domeneshop:dns-domeneshop-propagation-seconds 120 \
  -d example.com \
  -d www.example.com

credentials.ini

from:

certbot_dns_domeneshop:dns_domeneshop_client_token=1234567890abcdef
certbot_dns_domeneshop:dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs

to
dns_domeneshop_client_token=1234567890abcdef
dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs

Recent update breaks plugin for earlier versions of certbot

The current version of the plugin does not work on distros with a slower release cycle, like Debian 11, which currently has certbot 1.12.0 in the repos.

Current workaround is to downgrade the plugin.

pip3 install --upgrade certbot-dns-domeneshop==0.2.8

No TXT Record Found

I get a "No TXT record found at _acme-challenge..no" when attempting to run the plugin. Not sure why, but the challenge seems to run two times. Output from log below:

Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for <my domain>.no
dns-01 challenge for <my domain>.no
Unsafe permissions on credentials configuration file: /config/dns-conf/domeneshop.ini
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain <my domain>.no
Challenge failed for domain <my domain>.no
dns-01 challenge for <my domain>.no
dns-01 challenge for <my domain>.no
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: <my domain>.no
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.<my domain>.no

   Domain: <my domain>.no
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.<my domain>.no

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Make plugin available on snap

Hi!
Would it be possible for you to create a snap package for this?

I have tried (and failed) to install certbot and this plugin through pip3. I think having it available as a snap package instead would fix it, but I'm not sure.

> certbot --version
certbot 1.28.0
> certbot plugins

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

* nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator

* standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> python3 -m pip list | grep cert

certbot                1.23.0
certbot-dns-domeneshop 0.2.8
certifi                2018.1.18
> sudo certbot certonly \
  --test-cert \
  --authenticator dns-domeneshop \
  --dns-domeneshop-credentials ~/.secrets/certbot/domeneshop.ini \
  --dns-domeneshop-propagation-seconds 120 \
  --config-dir ./config \
  --work-dir ./work \
  --logs-dir ./logs \
  -d example.no

certbot: error: unrecognized arguments: --dns-domeneshop-credentials ~/.secrets/certbot/domeneshop.ini --dns-domeneshop-propagation-seconds 120

Thanks in advance!

Not able to install using documentation

$ pip install certbot-dns-domeneshop
Collecting certbot-dns-domeneshop
  Could not find a version that satisfies the requirement certbot-dns-domeneshop (from versions: )
No matching distribution found for certbot-dns-domeneshop

(trying pip3 install … works as sudo but certbot-auto does not find the module; pip3 install … as regular user ends up with a core dump)

--certbot-dns-domeneshop:dns-domeneshop-credentials not read by certbot

# certbot certonly \
>   --authenticator dns-domeneshop \
>   --certbot-dns-domeneshop:dns-domeneshop-credentials /root/.secrets/domeneshop.ini \
>   --certbot-dns-domeneshop:dns-domeneshop-propagation-seconds 120 \
>   -d mon.yo.lo
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-domeneshop, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mon.yo.lo
Cleaning up challenges
File not found: /etc/letsencrypt/domeneshop.ini
# certbot --version
certbot 1.8.0
# pip list
<snip>
certbot-dns-domeneshop (0.2.8)
domeneshop (0.4.2)
