acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

update dnsapi/dns_he.sh to use the "API" #3406

Open kraygy opened 3 years ago

kraygy commented 3 years ago

The README file states that Hurricane Electric doesn't have an API, but it has been updated. While not logged into a Hurricane Electric account, the documentation on the call is available here: https://dns.he.net/

It's more secure than providing the username/password to the entire account. The username/password for the dynamic DNS updates are limited to the specified record.

The three existing functions in the code can be modified to be just these two.

dns_he_add() {
  # $1 (the full challenge domain) is deliberately unused here: this variant
  # expects HE_Username to hold the record name the DDNS key is scoped to.
  _txt_value=$2
  _info "Using DNS-01 Hurricane Electric hook"

  HE_Username="${HE_Username:-$(_readaccountconf_mutable HE_Username)}"
  HE_Password="${HE_Password:-$(_readaccountconf_mutable HE_Password)}"
  if [ -z "$HE_Username" ] || [ -z "$HE_Password" ]; then
    HE_Username=
    HE_Password=
    _err "No auth details provided. Please set user credentials using the \$HE_Username and \$HE_Password environment variables."
    return 1
  fi
  _saveaccountconf_mutable HE_Username "$HE_Username"
  _saveaccountconf_mutable HE_Password "$HE_Password"

  # hostname= is the record to update, password= is the per-record DDNS key,
  # txt= is the challenge token. Encode every field; the token is base64url
  # and therefore already URL-safe, but encoding it costs nothing.
  username_encoded="$(printf "%s" "${HE_Username}" | _url_encode)"
  password_encoded="$(printf "%s" "${HE_Password}" | _url_encode)"
  txt_encoded="$(printf "%s" "${_txt_value}" | _url_encode)"
  body="hostname=${username_encoded}&password=${password_encoded}&txt=${txt_encoded}"
  # _post only reports transport failures; the reply body (logged below at
  # debug level 2) is where the endpoint states whether the update was accepted.
  response="$(_post "$body" "https://dyn.dns.he.net/nic/update")"
  exit_code="$?"
  if [ "$exit_code" -eq 0 ]; then
    _info "TXT record added successfully."
  else
    _err "Couldn't add the TXT record."
  fi
  _debug2 response "$response"
  return "$exit_code"
}

#-- dns_he_rm() - Remove TXT record ------------------------------------
# Usage: dns_he_rm _acme-challenge.subdomain.domain.com "XyZ123..."
# The DDNS endpoint can only set a record's value, so removal is a no-op
# that returns success so the ACME flow is not interrupted.

dns_he_rm() {
  _info "TXT removal not supported by Hurricane Electric"
  return 0
}
aduzsardi commented 3 years ago

This is clearly the better approach, but it has a couple of caveats.

Overall, would still use the limited API as it is instead of curl-ing/parsing the HTML body responses.

thank you for the info @kraygy

colinbowern commented 3 years ago

Since you can set the DDNS key to the same across multiple entries, I would propose a more compatible offering would be to not re-use HE_Username, but instead, take in the full domain as per the original script. For example:

#!/usr/bin/env sh
# source: https://github.com/acmesh-official/acme.sh/issues/3406

dns_he_add() {
  _full_domain=$1
  _txt_value=$2
  _info "Using DNS-01 Hurricane Electric hook"

  # Only the DDNS key is needed: the record name comes from the challenge
  # domain itself, so HE_Username is not read or stored at all.
  HE_Password="${HE_Password:-$(_readaccountconf_mutable HE_Password)}"
  if [ -z "$HE_Password" ]; then
    HE_Password=
    _err "No auth details provided. Please set the DDNS key using the \$HE_Password environment variable."
    return 1
  fi
  _saveaccountconf_mutable HE_Password "$HE_Password"

  # hostname= is the record to update, password= is the DDNS key scoped to
  # that record (the same key may be set on several records), txt= is the
  # challenge token.
  hostname_encoded="$(printf "%s" "$_full_domain" | _url_encode)"
  password_encoded="$(printf "%s" "${HE_Password}" | _url_encode)"
  txt_encoded="$(printf "%s" "${_txt_value}" | _url_encode)"
  body="hostname=${hostname_encoded}&password=${password_encoded}&txt=${txt_encoded}"
  # _post only reports transport failures; the reply body is logged at debug
  # level 2 so an authentication or hostname problem can be diagnosed.
  response="$(_post "$body" "https://dyn.dns.he.net/nic/update")"
  exit_code="$?"
  if [ "$exit_code" -eq 0 ]; then
    _info "TXT record added successfully."
  else
    _err "Couldn't add the TXT record."
  fi
  _debug2 response "$response"
  return "$exit_code"
}

#-- dns_he_rm() - Remove TXT record ------------------------------------
# Usage: dns_he_rm _acme-challenge.subdomain.domain.com "XyZ123..."
# The DDNS endpoint can only set a record's value, so removal is a no-op.

dns_he_rm() {
  _info "TXT removal not supported by Hurricane Electric"
  return 0
}
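The two hook proposals above (kraygy's, which puts the record name in HE_Username, and colinbowern's, which takes it from the challenge domain) both reduce to the same request: one form-encoded POST to dyn.dns.he.net/nic/update carrying hostname, the per-record key and the TXT value. The following is an added, self-contained POSIX sh example, not acme.sh code and not either commenter's, that builds and checks that request outside of acme.sh so the body and the reply handling can be exercised offline. The he_* names, the curl transport and the HE_POST override are this example's own; the reply tokens it recognises (good, nochg, badauth) are an assumption based on the dyndns2 convention the endpoint follows, not something confirmed by this thread.

```shell
#!/usr/bin/env sh
# Added example (not acme.sh code): build and check an HE dyn-DNS TXT update
# without acme.sh's helpers, so the request shape can be inspected before it
# is wired into dnsapi/dns_he.sh.

# Percent-encode stdin for an application/x-www-form-urlencoded body.
# Stand-in for acme.sh's _url_encode, which only exists inside acme.sh.
# Unreserved bytes (A-Z a-z 0-9 - . _ ~) pass through; all others become %XX.
he_url_encode() {
  od -An -v -tu1 | tr -s ' \n' '\n\n' | while read -r byte; do
    [ -z "$byte" ] && continue
    case $byte in
      4[89]|5[0-7]|6[5-9]|7[0-9]|8[0-9]|90|9[7-9]|1[01][0-9]|12[0-2]|45|46|95|126)
        printf "\\$(printf '%03o' "$byte")" ;;
      *) printf '%%%02X' "$byte" ;;
    esac
  done
}

# Build the form body for https://dyn.dns.he.net/nic/update.
# $1 = record name (hostname=), $2 = per-record DDNS key (password=),
# $3 = ACME challenge token (txt=). Every field is encoded, so a key
# containing '&' or '=' cannot alter the meaning of the body.
he_build_body() {
  printf 'hostname=%s&password=%s&txt=%s' \
    "$(printf '%s' "$1" | he_url_encode)" \
    "$(printf '%s' "$2" | he_url_encode)" \
    "$(printf '%s' "$3" | he_url_encode)"
}

# Interpret the reply body. The tokens are an ASSUMPTION of this example,
# taken from the dyndns2 convention: good/nochg mean the record now holds
# the value, badauth means the key is not valid for that hostname, and
# anything else is treated as failure rather than success.
he_check_reply() {
  case $1 in
    good*|nochg*) return 0 ;;
    badauth*) echo "he: key rejected for this hostname" >&2; return 1 ;;
    *) echo "he: unexpected reply: $1" >&2; return 1 ;;
  esac
}

# Transport hook. Defaults to a real HTTPS POST; set HE_POST to a function
# name to stub it (as the offline checks below do).
HE_POST="${HE_POST:-he_post_curl}"
he_post_curl() {
  curl -sS --fail --data "$1" https://dyn.dns.he.net/nic/update
}

# Full add flow, equivalent to what dns_he_add would do: build the body,
# POST it, and succeed only if the reply body says the record was set.
he_txt_add() {
  body="$(he_build_body "$1" "$2" "$3")"
  reply="$("$HE_POST" "$body")" || return 1
  he_check_reply "$reply"
}
```

To fold this into acme.sh, he_url_encode becomes _url_encode and he_post_curl becomes _post; the one behavioural difference from the hooks above is that he_txt_add fails on a badauth body instead of reporting success whenever the HTTP request itself went through.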
jcarius commented 3 years ago

Hi All,

I highly anticipated the HE DNS API and just came across this thread. Is there a reason why it is not merged yet? Is there an unresolved problem that I missed?

yoursunny commented 3 years ago

I searched previously for "HE.net" for open issues but didn't find this, but today I searched nic/update and found this. I already created my own similar script https://github.com/acmesh-official/acme.sh/issues/3512 , and I listed a few limitations of this approach in that issue.

pmarks-net commented 1 year ago

Pull request: https://github.com/acmesh-official/acme.sh/pull/4318