Certbot DNS TransIP :closed_lock_with_key:

Looking for a way to get a Let's Encrypt (wildcard) certificate for the domain(s) that you registered with TransIP?

This script automates the process of completing a DNS-01 challenge for domains using the TransIP DNS service. The auth script is invoked by Certbot's --manual-auth-hook, which then creates the required challenge record using the TransIP API. After validation the --manual-cleanup-hook is invoked and the challenge record is removed again.

Requirements

• A TransIP account with API access enabled
• Docker or:
  • Certbot
  • Composer
  • PHP >= 7.3 with JSON and OpenSSL extensions enabled

Usage

This describes how to use the script via Docker. If you want to use the script on a system with Certbot & PHP installed follow these instructions.

• Create a .env file with the following content:

  TRANSIP_LOGIN=YOUR-LOGIN
  TRANSIP_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----XXXXX-----END PRIVATE KEY-----"

• Make sure your entire private key is on a single line (removing all newlines/spaces) and between double quotes
• Run:

  docker run -it --rm \
  --env-file /path/to/.env \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
  fransik/certbot-dns-transip

After validation succeeds (this can take up to 10 minutes) you can find the certificate here: /etc/letsencrypt/live.

Certificate renewal

Make sure the following command runs daily (via cron for example):

docker run --rm \
    --env-file /path/to/.env \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    fransik/certbot-dns-transip renew

Test certificate

To request a test certificate run:

docker run -it --rm \
    --env-file /path/to/.env \
    -v "/etc/letsencrypt:/etc/letsencrypt" \
    -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
    fransik/certbot-dns-transip certonly \
    --test-cert \
    --preferred-challenges=dns \
    --manual \
    --manual-auth-hook bin/auth \
    --manual-cleanup-hook bin/cleanup

Manual installation

• Clone this repository
• Run composer install --no-dev
• Rename config.php.dist to config.php
• Update config.php with your TransIP login name and private key
• Run:

  certbot certonly \
  --preferred-challenges=dns \
  --manual \
  --manual-auth-hook /path/to/certbot-dns-transip/bin/auth \
  --manual-cleanup-hook /path/to/certbot-dns-transip/bin/cleanup \
  -d example.com -d "*.example.com"

After validation succeeds (this can take up to 10 minutes) you can find the certificate here: /etc/letsencrypt/live.

Certificate renewal

Should be automatic on most systems that have the certbot package installed. See certbot docs.

Test certificate

To request a test certificate run:

certbot certonly \
    --test-cert \
    --preferred-challenges=dns \
    --manual \
    --manual-auth-hook /path/to/certbot-dns-transip/bin/auth \
    --manual-cleanup-hook /path/to/certbot-dns-transip/bin/cleanup \
    -d example.com -d "*.example.com"