jeansergegagnon / zoneedit_letsencrypt

Scripts to enable automated ssl certificate update dns-01 challenge with Linux, Zoneedit and Letsencrypt

Shell 100.00%

Contributors: guido4096, jeansergegagnon

zoneedit_letsencrypt's Issues

Using this with certbot and --manual-auth-hook

Hey there,

Thanks for this script! Have you thought of making it work with certbot & --manual-auth-hook without having to use getcert-wilddns-with-zoneedit.sh? As in, certbot has its own requests & renewal methods, why implement them again here?

If I am missing something feel free to tell me 😎

Cheers,
Jason

Delete TXT records only added to the getcert-wilddns-with-zoneedit.sh script

I've got certbot scheduled to run automatically and it's calling certbot-dns-updater-with-zoneedit.sh, which then calls zoneedit.sh. The most recent run failed due to ZoneEdit adding two factor auth, so I pulled your latest commits to switch to a DYN token, which did work, but it is adding more TXT records every time I run it and not cleaning up the old ones.

I see you added the code at https://github.com/jeansergegagnon/zoneedit_letsencrypt/blob/master/getcert-wilddns-with-zoneedit.sh#L207-L240 to remove the old records, but that's only running if you use the getcert-wilddns-with-zoneedit.sh script, which I'm not (specifically because I include both *.domain.com and domain.com as SANs in my cert).

It looks like the getcert-wilddns-with-zoneedit.sh triggers a certbot run, which then calls certbot-dns-updater-with-zoneedit.sh -> zoneedit.sh, so it looks like if you just move the delete code into one of those scripts it would get called in all scenarios instead of just when using getcert-wilddns-with-zoneedit.sh?

If a TXT SPF record exists in zoneedit, script fails

An example of a valid SPF record:
v=spf1 include:spf.migadu.com -all

This results in the following curl command line options:
-d TXT::2::host=@ -d TXT::2::txt=v=spf1 include:spf.migadu.com -all -d TXT::2::ttl=

Where both the white space and the "-all" will be causing problems.

This results in a txt record where only the first part "v=spf1" is used which cannot be saved as zoneedit checks SPF records for validity. I would really appreciate it if you could fix this!
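
The argument splitting described in the issue above can be reproduced offline, without calling ZoneEdit. This is an added example, not code from the zoneedit_letsencrypt scripts: the `TXT::2::*` field names and the SPF value are the ones quoted in the issue, the function names are hypothetical, and `--data-urlencode` is curl's own option for percent-encoding a form value.

```sh
#!/bin/sh
# Added example: shows how one SPF value turns into several curl arguments
# when options are built as a string, and how quoting keeps it as one.
# Nothing here contacts ZoneEdit; the functions only print the argv.

SPF='v=spf1 include:spf.migadu.com -all'   # sample record from the issue

# print_argv: one argument per line, bracketed to make boundaries visible
print_argv() { for a in "$@"; do printf '[%s]\n' "$a"; done; }

# Unsafe pattern: options concatenated into a string and expanded unquoted.
# The shell splits on whitespace, so the value is cut after "v=spf1" and
# "-all" becomes a separate argument that curl would read as option flags.
build_unsafe() {
    opts="-d TXT::2::host=@ -d TXT::2::txt=$1 -d TXT::2::ttl="
    # shellcheck disable=SC2086  (the unquoted expansion is the point)
    print_argv $opts
}

# Safe pattern: each field is its own quoted argument, so the whole value
# stays in one piece; --data-urlencode also encodes the space for the
# form body.
build_safe() {
    set -- --data-urlencode "TXT::2::host=@" \
           --data-urlencode "TXT::2::txt=$1" \
           --data-urlencode "TXT::2::ttl="
    print_argv "$@"
}

# txt_field BUILDER: the value curl would receive for the TXT::2::txt field
txt_field() {
    "$1" "$SPF" | sed -n 's/^\[TXT::2::txt=\(.*\)]$/\1/p'
}

echo "unsafe txt value: $(txt_field build_unsafe)"
echo "safe txt value:   $(txt_field build_safe)"
```

In a real hook the safe form would be passed on as `curl "$@" ...`, keeping the quotes around `"$@"`.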

Why 2 TXT records?

Hi & thanks for your scripts.

I was trying to renew my certificate and it failed. I went to check the SPF TXT record which seemed to be causing the error you mention but I saw 2 TXT _acme-challenge records, which seems odd but I thought perhaps I left an old one.

I deleted both of those, kept my SPF and retried. This time the script worked fine.

The question is as the subject above, why create 2 different records? Or more to the point, why is one of those making the script fail?

Actually the log did show exactly that:

   Domain: sample.org
   Type:   unauthorized
   Detail: Incorrect TXT record
   "37dOpkVV_Sz719tlbsRbd6NrVyS_UwlwETOxWFhDm88" (and 1 more) found at
   _acme-challenge.sample.org

That was the first record, the second had exactly what the actual acme-challenge was.

Missing certbot-auto

Hi there. Not sure this set of scripts is valid since zoneedit's efforts on this seem in limbo. But I've tried with this and I'm confused on some items.

ERROR: Please set CERTBOTDIR before running this script or add certbot-auto to PATH

I'm not clear what you mean by CERTBOTDIR. I've mkdir ~/certbot and found the /bin/certbot binary, however there is no certbot-auto binary that I can find, nor any installer under yum nor dnf.

Any chance you can provide some leadership? Cheers

--manual-public-ip-logging-ok is deprecated

I was trying to run the script with "-a", however I received the following error:

Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

It successfully ran after replacing the --manual-public-ip-logging-ok with --email <email_address>. My suggestion is to have an argument where we can insert the email address - a different one of "-e" arg.
