acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

dns.he.net - Dynamic TXT Records #3512

Open yoursunny opened 3 years ago

yoursunny commented 3 years ago

Hurricane Electric Hosted DNS introduced dynamic TXT records sometime in 2020. It is now possible to use acme.sh DNS API with a dynamic update key instead of the HE.net account password.

Script ~/.acme.sh/dnsapi/dns_hedyn.sh:

#!/usr/bin/env sh
# acme.sh sources this file and runs it under sh, so it has to stay POSIX.

dns_hedyn_add() {
  fulldomain=$1
  txtvalue=$2

  # Take the dynamic update key from the environment, falling back to the saved domain config.
  HEdyn_key="${HEdyn_key:-$(_readdomainconf HEdyn_key)}"
  if [ -z "$HEdyn_key" ]; then
    _err "You didn't specify HEdyn_key environment variable."
    return 1
  fi
  _savedomainconf HEdyn_key "$HEdyn_key"

  # Percent-encode every field so the record name, key and value cannot break the form body.
  hostname_encoded="$(printf "%s" "${fulldomain}" | _url_encode)"
  password_encoded="$(printf "%s" "${HEdyn_key}" | _url_encode)"
  txt_encoded="$(printf "%s" "${txtvalue}" | _url_encode)"
  body="hostname=${hostname_encoded}&password=${password_encoded}&txt=${txt_encoded}"
  response=$(_post "$body" "https://dyn.dns.he.net/nic/update")
  # Quote the reply and use POSIX '=': an empty reply would otherwise make test fail
  # with a syntax error, and '==' is a bash extension.
  if [ "$response" = "good" ]; then
    return 0
  fi
  _err "dyn.dns.he.net returned: $response"
  return 1
}

Usage:

  1. Create a TXT record _acme-challenge.subdomain.example.com with "dynamic DNS" enabled.
  2. Generate a dynamic DNS update key.
  3. Run this command:

    export HEdyn_key=l3gIC7zrcUVUfo8z
    acme.sh --issue --staging --dns dns_hedyn -d subdomain.example.com

A major limitation of my script is that it cannot support having both -d subdomain.example.com and -d *.subdomain.example.com on the same certificate. That would require two TXT records with the same name _acme-challenge.subdomain.example.com but different values, which isn't possible using this method.

For this reason, my script is ineligible for the mainline codebase. Nevertheless, I decided to post it here in case others are looking for something similar.
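The update call the script above makes, and the "good" / "badauth" / "badtxt" replies discussed further down in this thread, as an added stand-alone example. This is not code from the issue or from acme.sh: acme.sh's `_url_encode` and `_post` helpers are replaced by local POSIX sh equivalents, the HTTP call is made injectable through an assumed `HEDYN_POST` variable so the logic can be exercised offline, and every `hedyn_*` name is an assumption. The endpoint URL and the three form fields are the ones the posted script uses.

```shell
#!/bin/sh
# Added example, not code from the issue or from acme.sh. Builds the same
# hostname/password/txt body as the posted dns_hedyn_add(), evaluates the
# dyndns reply, and lets the transport be swapped for a stub (HEDYN_POST).
# All hedyn_* names and HEDYN_POST are assumptions made for this example.

HEDYN_URL="https://dyn.dns.he.net/nic/update"   # endpoint used in the issue

hedyn_err() { printf 'hedyn: %s\n' "$*" >&2; }

# Percent-encode one ASCII string for an application/x-www-form-urlencoded
# body. RFC 3986 unreserved characters pass through; everything else,
# including '&', '=' and '+', is encoded so a value cannot split the body.
hedyn_urlencode() {
  _s=$1; _out=""
  while [ -n "$_s" ]; do
    _c=${_s%"${_s#?}"}          # first character of what is left
    _s=${_s#?}
    case $_c in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# Body in the form the posted script sends: record name, update key, TXT value.
hedyn_body() {
  printf 'hostname=%s&password=%s&txt=%s' \
    "$(hedyn_urlencode "$1")" "$(hedyn_urlencode "$2")" "$(hedyn_urlencode "$3")"
}

# Same body with the update key masked, for debug output and logs.
hedyn_body_redacted() {
  printf 'hostname=%s&password=***&txt=%s' \
    "$(hedyn_urlencode "$1")" "$(hedyn_urlencode "$3")"
}

# Map the dyndns reply to an exit status. "good", "badauth" and "badtxt" are
# the replies reported in this issue; anything else is treated as failure.
hedyn_eval_response() {
  case $1 in
    good)    return 0 ;;
    badauth) hedyn_err "update key not accepted for this record (badauth)"; return 1 ;;
    badtxt)  hedyn_err "TXT value rejected (badtxt)"; return 1 ;;
    *)       hedyn_err "unexpected reply: '$1'"; return 1 ;;
  esac
}

# Real transport: POST the body with curl. Point HEDYN_POST at another
# function name to replace it (a stub is used in the offline check).
hedyn_post_curl() {
  curl -sS --data "$1" "$2"
}

# Equivalent of dns_hedyn_add(): record name, update key, TXT value.
hedyn_update() {
  if [ -z "$2" ]; then
    hedyn_err "no update key given"
    return 1
  fi
  _body=$(hedyn_body "$1" "$2" "$3")
  _resp=$("${HEDYN_POST:-hedyn_post_curl}" "$_body" "$HEDYN_URL")
  hedyn_eval_response "$_resp"
}

# Offline check with a stub transport (constructed values, no network):
#   hedyn_post_stub() { printf 'good'; }
#   HEDYN_POST=hedyn_post_stub hedyn_update _acme-challenge.sub.example.com examplekey01 sometoken
```

The encoder is the part worth keeping: the posted script relies on acme.sh's `_url_encode` for the same reason, since an unencoded `&` or `=` inside the TXT value or the key would be read as a second form field. `hedyn_body_redacted` exists so that a debug trace of the request never contains the update key.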

Neilpang commented 3 years ago

thanks, did you try to use multiple &txt=${txt_encoded} in the url?

yoursunny commented 3 years ago

use multiple &txt=${txt_encoded}

Specifying more than one &txt= parameter: dyndns returns a "badtxt" response.

Creating more than one TXT record in the DNS panel: only the last TXT record can be updated. The others return a "badauth" response.

ghost commented 2 years ago

This would not work with different -d domain.name -d domain2.name with different keys in the DDNS.

pmarks-net commented 1 year ago

Pull request: https://github.com/acmesh-official/acme.sh/pull/4318