dhull / certbot-dns-joker


certbot-dns-joker

Certbot DNS Authenticator plugin for Joker.

This Certbot plugin automates the process of completing a dns-01 challenge by creating (and removing) TXT records using the Joker TXT record API.
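
As an added illustration of the challenge the plugin automates (this is example code written for this README, not the plugin's own implementation), the following shows what goes into the TXT record: per RFC 8555 section 8.4 the record is named _acme-challenge.<identifier> (a leading "*." is dropped for wildcard names, which is why example.com and *.example.com share one record) and its value is base64url(SHA-256(token "." account-key-thumbprint)) without padding. The token and thumbprint values used below are constructed samples, and the final function is the check the ACME server performs once the propagation delay has passed.

```python
"""Added example: the dns-01 record name and value that certbot-dns-joker publishes.

Illustrative code for this page, not the plugin's or certbot's own code.
Rules from RFC 8555 section 8.4: record name is _acme-challenge.<identifier>
(wildcard prefix dropped), value is base64url(SHA-256(key authorization))
with the '=' padding removed.  Sample token/thumbprint are constructed.
"""
import base64
import hashlib
import re
from typing import Iterable

# ACME tokens are base64url strings; refuse anything else before it ends up
# in a DNS record (matches the character restriction in RFC 8555 8.3).
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_record_name(identifier: str) -> str:
    """Name of the TXT record for `identifier`; '*.' is not part of the name."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return "_acme-challenge." + identifier.rstrip(".")


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token is not a base64url string")
    return f"{token}.{thumbprint}"


def challenge_txt_value(token: str, thumbprint: str) -> str:
    """TXT record contents for dns-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_record_is_ready(published: Iterable[str], token: str, thumbprint: str) -> bool:
    """What the ACME server verifies after --dns-joker-propagation-seconds:
    the expected value is among the TXT strings currently published."""
    return challenge_txt_value(token, thumbprint) in set(published)


if __name__ == "__main__":
    # Constructed sample values: a real token is issued by the ACME server and
    # the thumbprint is derived from your own account key.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    thumbprint = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    for ident in ("example.com", "*.example.com"):
        print(challenge_record_name(ident), "TXT", challenge_txt_value(token, thumbprint))
```

The same record name for both identifiers is why one credentials file per domain is enough even when you request the wildcard alongside the base name, and why the plugin removes the record again after validation: a stale value left behind would not match the next token.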

Configuring Joker

For each domain hosted on Joker's DNS servers for which you would like to obtain certificates, you must enable Dynamic DNS for that domain in the Joker web console. Do this by visiting your Joker Dashboard, clicking the "DNS" action for the domain you want to enable Dynamic DNS for, then ensuring that the "Dynamic DNS active" slider is turned on. A dialog should appear with the DynDNS username and password for that domain. These will be used in the credentials file described below.

Installation

pip install certbot-dns-joker

Certbot Arguments

To use Joker DNS authentication, pass the following arguments on certbot's command line:

Option                                    Description
--authenticator dns-joker                 Select the Joker authenticator plugin. (required)
--dns-joker-credentials CREDENTIALS_FILE  Full path to the config file containing domain credentials.
--dns-joker-propagation-seconds DELAY     Delay between setting the DNS TXT record and asking the ACME server to verify it. Default: 120

If you don't supply the credentials file on the certbot command line you will be prompted for its location.

Credentials

You need to create a configuration file on your system (for example /etc/letsencrypt/secrets/DOMAIN.ini) that contains the per-domain secrets that you obtained when you enabled DynDNS for your domain.

dns_joker_username = USERNAME
dns_joker_password = PASSWORD
dns_joker_domain = DOMAIN
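
Because this file holds the DynDNS password for the zone, it should be readable only by the user running certbot. The following is an added example for this README (not certbot's own loader, which parses the file itself and warns about unsafe permissions) that reads the three keys above and refuses a file that is group- or world-readable. It assumes the simple key = value layout shown above; the sample file it writes uses placeholder values and is constructed at run time.

```python
"""Added example: load the Joker credentials file and reject unsafe permissions.

Illustrative code for this page, not certbot's or the plugin's own loader.
Assumes the `key = value` layout shown above with the keys dns_joker_username,
dns_joker_password and dns_joker_domain.  The sample file is constructed here
with placeholder values.
"""
import os
import stat
import tempfile
from pathlib import Path

REQUIRED_KEYS = ("dns_joker_username", "dns_joker_password", "dns_joker_domain")


class CredentialsError(Exception):
    """Raised for an unreadable, malformed or over-permissive credentials file."""


def parse_credentials(text: str) -> dict:
    """Parse `key = value` lines; blank lines and '#' comments are ignored."""
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise CredentialsError(f"line {lineno}: expected key = value")
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if not creds.get(k)]
    if missing:
        raise CredentialsError("missing or empty: " + ", ".join(missing))
    return creds


def check_permissions(path: str) -> None:
    """Reject a file readable by group or others: the DynDNS password is inside."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise CredentialsError(f"{path} is mode {mode:04o}; chmod 600 it")


def load_credentials(path: str) -> dict:
    """Permission check first, then parse; returns the three required values."""
    check_permissions(path)
    return parse_credentials(Path(path).read_text(encoding="utf-8"))


def write_sample(directory: str, mode: int = 0o600) -> str:
    """Write a constructed sample file (placeholder values) and set `mode`.
    The file is created 0600 so the password never exists with wider access,
    then chmod'ed to `mode` only so the check can be exercised."""
    path = os.path.join(directory, "example.com.ini")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample, not real credentials\n"
                 "dns_joker_username = USERNAME\n"
                 "dns_joker_password = PASSWORD\n"
                 "dns_joker_domain = example.com\n")
    os.chmod(path, mode)
    return path


def loads_ok(mode: int) -> bool:
    """True if a sample file written with `mode` passes load_credentials."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            load_credentials(write_sample(tmp, mode))
            return True
        except CredentialsError:
            return False


if __name__ == "__main__":
    print("0600 accepted:", loads_ok(0o600))   # expected True
    print("0644 accepted:", loads_ok(0o644))   # expected False
```

Keeping the check ahead of the parse means the password is never read from a file that fails it, which is the order certbot follows as well.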

Example

certbot certonly \
  --authenticator dns-joker \
  --dns-joker-credentials /etc/letsencrypt/secrets/example.com.ini \
  -d example.com -d '*.example.com'

Alternate Deployment Methods

PyPI

This project has a PyPI page at https://pypi.org/project/certbot-dns-joker/.

RPM

I have built an RPM for CentOS 8, which is the platform I use. The Makefile has an rpm target that builds the RPM, but this has only been tested on CentOS 8. In addition, the GitHub release contains an SRPM from which it should be possible to build a new RPM on other RPM-based Linux distributions, but again I have not tested this.

Docker

The Makefile has a docker-image target to create a certbot docker image with the certbot-dns-joker plugin installed. In addition, if you set the DOCKER_OTHER_PLUGINS makefile variable to a (space-separated) list of plugins, those plugins will also be installed.

Once the docker image is built you can run it with a command such as the following.

docker run --rm \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/log/letsencrypt:/var/log/letsencrypt \
  --cap-drop=all \
  certbot-joker \
  certonly \
  --authenticator dns-joker \
  --dns-joker-propagation-seconds 900 \
  --dns-joker-credentials /etc/letsencrypt/secrets/example.com.ini \
  --no-self-upgrade \
  --keep-until-expiring --non-interactive --expand \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d example.com -d '*.example.com'

Then you can run a command such as the following from cron to renew your certificates.

docker run --rm \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/log/letsencrypt:/var/log/letsencrypt \
  --cap-drop=all \
  certbot-joker \
  renew

Note that plugins that attempt to do operations outside of the container (such as the apache plugin, which wants to run apachectl) will fail.

Upgrading from 1.2.0

If you have existing conf files in /etc/letsencrypt/renewal, you will need to edit them to remove the "certbot-dns-joker:" prefix from the authenticator and credentials lines.

perl -p -i.bak -e 's/certbot-dns-joker://;' /etc/letsencrypt/renewal/*.conf

Acknowledgments

This plugin is based in large part on Matthias Bilger's certbot-dns-ispconfig plugin and the certbot-dns-dnsimple plugin.