acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

dns_he.sh support for dynamic TXT entries for improved security #5320

Open Gorgonbert opened 1 week ago

Gorgonbert commented 1 week ago

Hi,

Hurricane Electric has added a feature to enable the TXT validation for dynamic DNS domains. They announced the feature on https://dns.he.net/ (text below for convenience)

The current implementation of the "dns_he" script requires the credentials that give full access to all the DNS entries at the HE DNS service. The new feature of HE's DNS service offers the possibility to use credentials for one specific "TXT" entry and is therefore a lot more secure. If these credentials are leaked, only that specific entry can be compromised.

It would be highly desirable if the "dns_he" script could implement this feature.

In my research I found that "markkuleinio" has already submitted a new script to the dev branch (https://github.com/acmesh-official/acme.sh/issues/5237) but it's currently not moving forward.

Here is HE's description:

Dynamic TXT Records

We've received requests for dynamic TXT records for use with Let's Encrypt Certificates. We've added them in using the same basic ddns syntax that we already provide with the difference being the use of 'txt=' in place of 'myip='. You will need to create the dynamic TXT record from within the dns.he.net interface before you will be able to make updates. You will not be able to dynamically create and delete these TXT records as doing so would subsequently remove your ddns key associated with the record.

Authentication being passed in the URL:
% curl -4 "http://_acme-challenge.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com&txt=evaGxfADs6pSRb..."

Authentication and Updating using GET:
% curl "https://dyn.dns.he.net/nic/update?hostname=_acme-challenge.example.com&password=password&txt=evaGxfADs6pSRb..."

Authentication and Updating using a POST:
% curl "https://dyn.dns.he.net/nic/update" -d "hostname=_acme-challenge.example.com" -d "password=password" -d "txt=evaGxfADs6pSRb..."
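As an added illustration of the request HE describes above (example code written for this page; it is neither acme.sh's dns_he script nor the script from #5237), the hook below updates a pre-created dynamic TXT record using the POST form. It assumes: the per-record key is supplied in an environment variable named HE_DDNS_PASSWORD; HE_CURL is a hypothetical override of the curl command so the transport can be swapped for a fake in offline testing; replies are the one-word dyndns2-style codes HE's ddns endpoint is known for ("good", "nochg", "badauth", "nohost", "abuse", "interval"); and, since HE says a dynamic TXT record cannot be deleted without losing its key, cleanup overwrites the record with a dummy value instead of deleting it. The dns_he_ddns_add / dns_he_ddns_rm names are this example's, not an acme.sh API.

```shell
#!/bin/sh
# Added example, not acme.sh code: minimal dns_he-style hook for Hurricane
# Electric dynamic TXT records, using the POST form HE documents.
# Assumptions (this example's, not HE's or acme.sh's documentation):
#  - HE_DDNS_PASSWORD holds the per-record key created in dns.he.net;
#  - HE_CURL is a hypothetical override of the curl command, so the
#    transport can be replaced by a fake for offline testing;
#  - replies are one-word dyndns2-style codes ("good", "nochg", "badauth",
#    "nohost", "abuse", "interval");
#  - cleanup overwrites the record with a dummy value, because HE says a
#    dynamic TXT record cannot be deleted without losing its key.

HE_DYN_URL="https://dyn.dns.he.net/nic/update"

# A DNS-01 challenge value is base64url; refuse anything else so a stray
# value can never inject extra form fields into the request body.
he_txt_is_valid() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Percent-encode one form field byte by byte, so a password containing
# '&', '=' or '%' cannot split the body (pure POSIX: od + printf).
he_urlencode() {
  printf '%s' "$1" | od -An -tx1 -v | tr -s ' ' '\n' | grep . | while read -r hex; do
    case "$hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)   # RFC 3986 unreserved
        printf "\\$(printf '%03o' "$((0x$hex))")" ;;
      *) printf '%%%02X' "$((0x$hex))" ;;
    esac
  done
}

# he_build_body <hostname> <password> <txt>  -> form body on stdout
he_build_body() {
  printf 'hostname=%s&password=%s&txt=%s' \
    "$(he_urlencode "$1")" "$(he_urlencode "$2")" "$(he_urlencode "$3")"
}

# Map HE's reply to an exit status; only good/nochg mean the TXT is in place.
he_parse_response() {
  case "${1%% *}" in
    good|nochg) return 0 ;;
    badauth) echo "HE rejected the per-record password" >&2; return 1 ;;
    nohost) echo "no dynamic TXT record for this name; create it in dns.he.net first" >&2; return 1 ;;
    abuse|interval) echo "HE rate limit: $1" >&2; return 1 ;;
    *) echo "unexpected reply from HE: $1" >&2; return 1 ;;
  esac
}

# he_dyn_txt_set <_acme-challenge.fqdn> <txt value>
he_dyn_txt_set() {
  [ -n "$HE_DDNS_PASSWORD" ] || { echo "HE_DDNS_PASSWORD is not set" >&2; return 1; }
  he_txt_is_valid "$2" || { echo "refusing to send non-base64url TXT value" >&2; return 1; }
  he_body=$(he_build_body "$1" "$HE_DDNS_PASSWORD" "$2")
  # Credentials travel in the POST body over HTTPS, never in the URL, so they
  # stay out of shell history, proxy logs and web server access logs.
  he_resp=$("${HE_CURL:-curl}" -sS --max-time 30 "$HE_DYN_URL" --data "$he_body") || return 1
  he_parse_response "$he_resp"
}

# acme.sh-style entry points (names chosen for this example, not an acme.sh API)
dns_he_ddns_add() { he_dyn_txt_set "$1" "$2"; }
dns_he_ddns_rm()  { he_dyn_txt_set "$1" "acme-challenge-cleared"; }
```

Of the three forms HE lists, only the POST one keeps the per-record password out of the URL; the first form also uses plain http, so the key would cross the network unencrypted and appear in every proxy and access log on the path. The hostname passed in must be the exact `_acme-challenge.<domain>` name on which the dynamic TXT record was created in dns.he.net, since HE's endpoint will not create it on the fly.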

github-actions[bot] commented 1 week ago

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.