couchtyp / certbot-dns-schlundtech

SchlundTech XML Gateway DNS Authenticator plugin for EFF's Certbot

License: MIT License

certbot-dns-schlundtech's Introduction

SchlundTech XML Gateway DNS Authenticator plugin for Certbot

The certbot_dns_schlundtech.dns_schlundtech plugin automates the process of completing a dns-01 challenge (acme.challenges.DNS01) by creating, and subsequently removing, TXT records using the SchlundTech XML Gateway API.

Named Arguments

Argument                               Description
--dns-schlundtech-credentials          SchlundTech credentials INI file. (Required)
--dns-schlundtech-propagation-seconds  The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (Default: 60)

Credentials

Use of this plugin requires a configuration file containing SchlundTech XML Gateway API credentials:

  • user
  • password
  • context
  • token

# credentials.ini
dns_schlundtech_user = 54321
dns_schlundtech_password = PASSWORD
dns_schlundtech_context = 10
dns_schlundtech_token = SECRET-2FA-TOKEN

The path to this file can be provided interactively or using the --dns-schlundtech-credentials command-line argument. Certbot records the path to this file for use during renewal, but does not store the file's contents.

Caution
You should protect these credentials. Users who can read this file can use these credentials to issue some types of API calls on your behalf, limited by the permissions assigned to the account. Users who can cause Certbot to run using these credentials can complete a dns-01 challenge to acquire new certificates or revoke existing certificates for domains these credentials are authorized to manage.
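
A pre-flight check for the credentials file, as an added example (not part of the plugin or of Certbot): it reports file modes that grant access beyond the owner and any of the four properties listed above that are missing or empty, without ever printing a secret value. The function names and the script name in the usage comment are hypothetical.

```python
import os
import stat
import sys

# The four properties the README lists for credentials.ini.
REQUIRED = (
    "dns_schlundtech_user",
    "dns_schlundtech_password",
    "dns_schlundtech_context",
    "dns_schlundtech_token",
)


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_credentials(path):
    """Return a list of findings; secret values are never included."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants access to group or others")
    with open(path, encoding="utf-8") as handle:
        props = parse_properties(handle.read())
    for name in REQUIRED:
        if name not in props:
            findings.append(f"missing property: {name}")
        elif not props[name]:
            findings.append(f"empty property: {name}")
    return findings


if __name__ == "__main__":
    # Usage (hypothetical script name): python audit_credentials.py <path>
    problems = audit_credentials(sys.argv[1])
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Running it before each renewal and fixing the file with chmod 600 keeps the credentials readable only by the account that runs Certbot.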

Examples

To acquire a certificate for example.com:

certbot certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -a dns-schlundtech \
    --dns-schlundtech-credentials ~/.secrets/certbot/schlundtech.ini \
    -d example.com

To acquire a single certificate for both example.com and www.example.com:

certbot certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -a dns-schlundtech \
    --dns-schlundtech-credentials ~/.secrets/certbot/schlundtech.ini \
    -d example.com \
    -d www.example.com

To acquire a certificate for example.com, waiting 60 seconds for DNS propagation:

certbot certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    -a dns-schlundtech \
    --dns-schlundtech-credentials ~/.secrets/certbot/schlundtech.ini \
    --dns-schlundtech-propagation-seconds 60 \
    -d example.com

Using docker

Using the provided Dockerfile you can build a Docker image based on the original certbot/certbot image plus this plugin. The --pull option makes sure the latest certbot image is pulled.

docker build --pull -t certbot/dns-schlundtech .

The resulting container image can be run with the options provided above.

docker run -it --rm \
    -v /etc/letsencrypt:/etc/letsencrypt \
    -v /var/lib/letsencrypt:/var/lib/letsencrypt \
    -v /var/log/letsencrypt:/var/log/letsencrypt \
    -v /tmp:/tmp \
    certbot/dns-schlundtech \
        certonly \
        --server https://acme-v02.api.letsencrypt.org/directory \
        -a dns-schlundtech \
        --dns-schlundtech-credentials /etc/letsencrypt/schlundtech.ini \
        -d example.com

certbot-dns-schlundtech's Issues

Readme Manual

Hi,
If I understand right, this plugin could be helpful for renewing wildcard certificates for schlundtech customers. Would you please provide a small manual?

wildcard and non-wildcard cert from same domain issues "TXT record .. already exists ..."

I'm trying to get a certificate with -d *.domain.de -d domain.de

This is for getting a correct https redirect from domain.de -> whatever.domain.de

In this combination I got an error
...
Cleaning up challenges
TXT record _acme-challenge.domain.de for domain.de already exists with different value

The former manual setup (copy / paste) TXT record to schlund-tech web-config is working

Thanks for your work!
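
Context for the error reported above, as an added example that is not part of the issue or of the plugin's code: under dns-01 (RFC 8555) a wildcard identifier is validated at its base domain, so *.domain.de and domain.de both use the record name _acme-challenge.domain.de, each with its own TXT value. The tokens and the account thumbprint below are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
from collections import defaultdict


def validation_name(identifier):
    """dns-01 record name; a wildcard is validated at its base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".").lower()


def txt_value(token, thumbprint_b64):
    """TXT value: unpadded base64url of SHA-256(token + '.' + thumbprint)."""
    key_authorization = f"{token}.{thumbprint_b64}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def plan_records(challenges, thumbprint_b64):
    """Map each record name to the set of TXT values it has to carry."""
    plan = defaultdict(set)
    for identifier, token in challenges.items():
        plan[validation_name(identifier)].add(txt_value(token, thumbprint_b64))
    return dict(plan)


def names_needing_multiple_values(plan):
    """Record names where one TXT value cannot simply overwrite another."""
    return sorted(name for name, values in plan.items() if len(values) > 1)


# Constructed sample data: these are not real ACME tokens or key thumbprints.
SAMPLE_THUMBPRINT = "constructed-account-thumbprint"
SAMPLE_CHALLENGES = {
    "*.domain.de": "constructed-token-for-wildcard",
    "domain.de": "constructed-token-for-apex",
}

if __name__ == "__main__":
    plan = plan_records(SAMPLE_CHALLENGES, SAMPLE_THUMBPRINT)
    for name, values in plan.items():
        print(name, sorted(values))
    print("needs multiple TXT values:", names_needing_multiple_values(plan))
```

A zone update for such a request has to add a second TXT value under the same name rather than treat the existing one as a conflict.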

Subdomains with more than two levels do not work

Hi there,

I wanted to generate a wildcard certificate in the form of -d *.sub.example.tld with your wonderful plugin but unfortunately noticed that it did not work.

Anyhow, since I am curious and wanted to learn some Python, I just extended the plugin in such a way that it works now.

PR is coming.

Best regards,

Willi

Support 2FA

If 2FA is enabled (new web interface only), accessing the XML API does not work any more and the zones can't be changed.

Can't create certificate without 2FA

We successfully created a wildcard certificate some months ago without using 2FA. When I try to renew the certificate I get the following message:

Missing property in credentials configuration file /etc/letsencrypt/schlund.ini:
 * Property "dns_schlundtech_token" not found (should be the 2FA token to use, optional).

When I add the missing property with a random value (because we don't use 2FA) Schlundtech reports that the zone can't be found:

Encountered exception during recovery: certbot.errors.PluginError: Unable to find a SchlundTech zone for example.de
Unable to find a SchlundTech zone for example.de

We used the following command to initially create the certificate:

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory -a dns-schlundtech --dns-schlundtech-credentials /etc/letsencrypt/schlund.ini --dns-schlundtech-propagation-seconds 60 --domains *.example.de --email [email protected]

I'm wondering how we could create the certificate initially with success? Is there a way to renew the certificate without enabling the 2FA at Schlundtech?

Snap support

Hi

Is there a chance to add snap support for your plugin?

I recently needed to switch from to snap certbot version.

Thanks in advance

Release on pypi

Not sure if I'm missing anything, but it seems you haven't released your package on pypi. This is what I would have assumed to be the project url: https://pypi.org/project/certbot-dns-schlundtech/ but also with the search function I cannot find anything.

If I can be of any help providing the plugin on pypi, I'd love to assist, as I already have a few packages of my own on pypi.

Deprecation warning when using the plugin

When running the plugin, I'm getting this warning:

Plugin legacy name certbot-dns-schlundtech:auth may be removed in a future version. Please use auth instead.

I'm not sure I understand what this is trying to tell me - can you provide me with some pointers as to how to help debug best?
