
Comments (2)

eegerferenc avatar eegerferenc commented on August 16, 2024

Meanwhile, I dug into the problem in detail. What I found is the following:

First, a bit of history:

  • Back in the late 2010s, when Let's Encrypt and ACME were introduced, HE had no such feature as "dynamic TXT record". The only way to add a TXT was to log into their website and add it manually. The feature was asked for, but they didn't implement it instantly.
  • Meanwhile, the community, or more precisely, tsaaristo did not wait for them and in 2019 made a makeshift "client" for HE, which actually simulated a flesh-and-blood user's activity on the web interface (as no API was available). This "client" was uploaded to Github and then to PyPI as "certbot-dns-he 1.0.0". However, it has a serious flaw: it can only work as long as the name of the domain to be updated matches the DNS zone name, that is, it works only for the root domain within the zone.
  • Sometime in 2020, HE implemented their dynamic TXT feature, allowing the provisioning of TXT records via an API. By that time, certbot already used the certbot-dns-he plugin, so the new API went ignored. That plugin was forked several times on Github, with the problematic part (handling of the case where the zone and domain names are different) rectified.

The situation from HA's perspective is rather problematic because of the following:

  • The original "certbot-dns-he 1.0.0" of tsaaristo at Github is a dead repo: it has not been touched since its initial commit in 2019. It has open issues and pull requests with the needed fix... unanswered and unmerged since 2020.
  • The "certbot-dns-he 1.0.0" package on PyPI (also (un)authored by tsaaristo) is also stale since 2019.
  • On "ordinary" systems, this is not a problem: as long as one needs just dynamic DNS (the primary benefit of HE) with TLS without subdomains (the usual use-case) that's OK out-of-the-box. If one indeed does need subdomains, one may simply use a patched version of the certbot-dns-he plugin from Github.
  • On Home Assistant, as long as your instance is offline or online via HA Cloud or online in your root domain, that's OK. But if you want to put your HA under a subdomain (e.g. you have other TLS-using servers behind the same public IP and you want neither to have the private key shared across multiple systems nor have multiple valid certs for the same domain out there) then you have the problem: since the add-on is isolated into a Docker container and has its own way of pulling its dependencies (the original certbot-dns-he 1.0.0 among them), you cannot simply replace the flawed PyPI version with another Github fork.

Currently, I see the following possibility of solving the problem. First, it has to be ensured that a correctly functioning version of certbot-dns-he is available on PyPI (as HA add-ons pull their dependencies from there). I will try to reach out to tsaaristo and ask him politely to merge the stalled PR from 2020. If this fails, one of the forked versions needs to be added to PyPI. Second, in any case, the dependency listing in the LetsEncrypt add-on has to be updated to pull in the corrected version.

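The flaw described in the comment above (the plugin assumes the name being validated is the zone apex, so `_acme-challenge.<subdomain>.<zone>` is never mapped to the right zone) is easy to see in code. The following is an added example, not code from certbot-dns-he or any of its forks: it contrasts the naive "domain equals zone" assumption with longest-suffix zone selection on a label boundary, which is what a DNS-01 plugin needs before it can create a TXT record for a subdomain. The zone list, validation names and token value are constructed sample data; no HE API call is made.

```python
"""Zone selection for DNS-01 validation names (added example, hypothetical helpers).

The point: a validation name such as ``_acme-challenge.ha.example.com`` lives in the
zone ``example.com`` with relative record name ``_acme-challenge.ha``. A plugin that
treats everything after ``_acme-challenge.`` as the zone will look for a zone
``ha.example.com`` that does not exist and fail for every subdomain.
"""
from typing import Dict, Iterable, Optional, Tuple

ACME_PREFIX = "_acme-challenge."

# Constructed sample: zones a DNS account might host. Hypothetical names.
SAMPLE_ZONES = ["example.com", "home.example.com", "example.net"]


def naive_zone_for(validation_name: str) -> str:
    """Reproduce the flawed assumption: strip the ACME label and call the rest the zone.

    This is only correct when the certificate is for the zone apex itself.
    """
    name = validation_name.rstrip(".").lower()
    return name[len(ACME_PREFIX):] if name.startswith(ACME_PREFIX) else name


def split_validation_name(validation_name: str,
                          zones: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (zone, relative_name) for a validation name, or None if no zone fits.

    Two rules matter:
    * match only on a label boundary, so "example.com" never claims
      "evil-example.com" (a suffix match without the dot would);
    * prefer the longest matching zone, so a delegated child zone such as
      "home.example.com" wins over its parent "example.com".
    """
    name = validation_name.rstrip(".").lower()
    best: Optional[str] = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        on_boundary = name == z or name.endswith("." + z)
        if on_boundary and (best is None or len(z) > len(best)):
            best = z
    if best is None:
        return None
    relative = name[: len(name) - len(best)].rstrip(".")
    return best, (relative or "@")  # "@" is the conventional apex name


def plan_txt_record(validation_name: str, value: str,
                    zones: Iterable[str]) -> Dict[str, str]:
    """Describe the TXT record a provider API would be asked to create.

    Raises ValueError when the name is not inside any hosted zone, which is the
    failure a plugin should report instead of silently posting to a wrong zone.
    """
    match = split_validation_name(validation_name, zones)
    if match is None:
        raise ValueError(f"{validation_name!r} is not inside any hosted zone")
    zone, relative = match
    return {
        "zone": zone,
        "name": relative,
        "fqdn": validation_name.rstrip(".").lower(),
        "type": "TXT",
        "value": value,
    }


if __name__ == "__main__":
    for n in ["_acme-challenge.example.com",
              "_acme-challenge.ha.example.com",
              "_acme-challenge.cam.home.example.com",
              "_acme-challenge.evil-example.com"]:
        naive = naive_zone_for(n)
        print(f"{n}: naive zone {naive!r} "
              f"({'exists' if naive in SAMPLE_ZONES else 'missing'}), "
              f"correct split {split_validation_name(n, SAMPLE_ZONES)}")
```

Running the block prints, for each constructed name, the zone the naive approach would look for and the (zone, relative name) pair the correct split yields; only the apex case agrees between the two, which is exactly the limitation the comment describes.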

github-actions avatar github-actions commented on August 16, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

