go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License

Add DNS provider for CPanel and WHM #1977

Closed ldez closed 7 months ago

ldez commented 1 year ago

Ping @ssipos90, @SirexToo can you run the command (with your domain, email, and credentials)?

https://github.com/go-acme/lego/issues/1060#issuecomment-1925763620

Closes #1060

ssipos90 commented 1 year ago

I'm no longer on this, can't help.

seebeen commented 11 months ago

This doesn't work on a server which uses DNS clustering.

ldez commented 11 months ago

ok but can you explain what I have to change? (API endpoints, options, etc.)

seebeen commented 11 months ago

ok but can you explain what I have to change? (API endpoints, options, etc.)

There are two contexts:

cPanel - User context

Most cPanel providers disable API access for users.
This means that the code you wrote won't work in 99% of the cases, since cPanel users won't be able to access it. 😞

WHM - Admin context (reseller and root).

This is where the server control logic lies.

You need to split the initiation context as a param - whm for root / resellers - cPanel for end users.

WHM Calls you need are here: https://api.docs.cpanel.net/openapi/whm/tag/DNS-Zones/

Before doing anything with DNS - serverside related - you need this. https://api.docs.cpanel.net/openapi/whm/operation/has_local_authority/

Check if the local targeted WHM Server is authoritative for the domain in question, and then use calls from the link above to do your thing.

Source: I'm a hosting provider.

P.S. I stumbled into this convo by chance. I'll be happy to sponsor further development of this, if it means it can be integrated into traefik 😊

ldez commented 11 months ago

The cPanel/WHM documentation is not really clear and the API is a bit weird.

If you are able to test it and be able to provide a real API response for the different cases, I can work on that (and your sponsoring will be welcome). This provider will be usable inside Traefik.

seebeen commented 11 months ago

I can do you one better. I can give you a cPanel server and a WHM API key to test with :)

Contact me via mail (xxxx) - or discord (seebeen)

pcastelo commented 7 months ago

@ldez what do you need to finish it? I can help.

ldez commented 7 months ago

Feel free to test the PR and suggest changes.

pcastelo commented 7 months ago

I have the following error:

## VERIFY IF NS IS CORRECT
 nslookup -querytype=soa mydomian.com.ar mydomian.com.ar | grep 'serial =' | grep -o '[0-9]\+'
202401285

CPANEL_NAMESERVER=mydomian.com.ar:53

./dist/lego -m mydomian@mail.com --dns cpanel -d *.test.mydomian.com.ar -d test.mydomian.com.ar -s https://acme-staging-v02.api.letsencrypt.org/directory run
2024/02/03 03:32:47 [INFO] [*.test.mydomian.com.ar, test.mydomian.com.ar] acme: Obtaining bundled SAN certificate
2024/02/03 03:32:48 [INFO] [*.test.mydomian.com.ar] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1096913368
2024/02/03 03:32:48 [INFO] [test.mydomian.com.ar] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1096913369
2024/02/03 03:32:48 [INFO] [*.test.mydomian.com.ar] acme: use dns-01 solver
2024/02/03 03:32:48 [INFO] [test.mydomian.com.ar] acme: Could not find solver for: tls-alpn-01
2024/02/03 03:32:48 [INFO] [test.mydomian.com.ar] acme: Could not find solver for: http-01
2024/02/03 03:32:48 [INFO] [test.mydomian.com.ar] acme: use dns-01 solver
2024/02/03 03:32:48 [INFO] [*.test.mydomian.com.ar] acme: Preparing to solve DNS-01
2024/02/03 03:32:49 [INFO] [test.mydomian.com.ar] acme: Preparing to solve DNS-01
2024/02/03 03:32:49 [INFO] [*.test.mydomian.com.ar] acme: Cleaning DNS-01 challenge
2024/02/03 03:32:49 [WARN] [*.test.mydomian.com.ar] acme: cleaning up failed: cpanel: could not find SOA for domain "test.mydomian.com.ar" (_acme-challenge.test.mydomian.com.ar.) in mydomian.com.ar:53: SOA not found for _acme-challenge.test.mydomian.com.ar. in mydomian.com.ar:53
2024/02/03 03:32:49 [INFO] [test.mydomian.com.ar] acme: Cleaning DNS-01 challenge
2024/02/03 03:32:49 [WARN] [test.mydomian.com.ar] acme: cleaning up failed: cpanel: could not find SOA for domain "test.mydomian.com.ar" (_acme-challenge.test.mydomian.com.ar.) in mydomian.com.ar:53: SOA not found for _acme-challenge.test.mydomian.com.ar. in mydomian.com.ar:53
2024/02/03 03:32:49 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1096913368
2024/02/03 03:32:50 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1096913369
2024/02/03 03:32:50 Could not obtain certificates:
        error: one or more domains had a problem:
[*.test.mydomian.com.ar] [*.test.mydomian.com.ar] acme: error presenting token: cpanel: could not find SOA for domain "test.mydomian.com.ar" (_acme-challenge.test.mydomian.com.ar.) in mydomian.com.ar:53: SOA not found for _acme-challenge.test.mydomian.com.ar. in mydomian.com.ar:53
[test.mydomian.com.ar] [test.mydomian.com.ar] acme: error presenting token: cpanel: could not find SOA for domain "test.mydomian.com.ar" (_acme-challenge.test.mydomian.com.ar.) in mydomian.com.ar:53: SOA not found for _acme-challenge.test.mydomian.com.ar. in mydomian.com.ar:53

Any idea? If it helps, I can send you an old script that doesn't work in newer lego versions (I think some parameter changed); if I run it manually it works. Perhaps it has the solution to the SOA record.

pcastelo commented 7 months ago

@ldez here you have another version for reference

https://pastebin.com/VBTZmzP2

ldez commented 7 months ago

cpanel: could not find SOA for domain "test.mydomian.com.ar" (_acme-challenge.test.mydomian.com.ar.) in mydomian.com.ar:53

This error is related to a SOA call (pure DNS call): lego calls CPANEL_NAMESERVER (mydomian.com.ar:53) to get the zone related to your domain (_acme-challenge.test.mydomian.com.ar.).

The zone is required to fetch zone information (records). https://api.docs.cpanel.net/openapi/cpanel/operation/dns-parse_zone/

Your script doesn't use the same API as the documentation.

My implementation is based on information of this comment: https://github.com/go-acme/lego/issues/1060#issuecomment-1192637202

pcastelo commented 7 months ago

Yes, I know the other one doesn't use the same API, just to get more ideas.

On the other hand:

The zone is required to fetch zone information (records). https://api.docs.cpanel.net/openapi/cpanel/operation/dns-parse_zone/

As far as I understand (I could be wrong), as you tell me, it uses CPANEL_NAMESERVER; the latter forces me to put the port ":53" when I run the script. If I don't add it, it gives me an error that I should add it. Could the problem be that cPanel doesn't need it?

ldez commented 7 months ago

As far as I understand, I could be wrong, as you tell me, use the CPANEL_NAMESERVER, the latter forces me to put the port ":53"

It's a DNS call and not an API call; port 53 (DNS) should be usable in theory.


Based on that:

The cPanel API 2 system is deprecated. We strongly recommend that you use UAPI instead of cPanel API 2.

I don't understand their documentation, I don't know which API to use and where is the real documentation.

ldez commented 7 months ago

The SOA call is required to get the serial number of the zone to be able to use the API.

https://api.docs.cpanel.net/openapi/cpanel/operation/dns-mass_edit_zone/

The current serial number in the DNS zone’s SOA (Start of Authority) record. If this value does not match the zone’s current state, the request fails.
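The zone lookup described above (a plain DNS SOA query walked up from the challenge name until a zone apex answers, which also yields the serial the edit API wants), as an added example that is not part of lego or of this PR. It assumes `dig` is installed for the real lookup; the `FAKE_SOA` table is a constructed stand-in for two nameservers so the walk can be exercised offline.

```python
import subprocess
from typing import Callable, Optional, Tuple

# Resolver signature: (name, "host:port") -> SOA serial, or None when the
# nameserver returns no SOA record in the answer section for that exact name.
SoaLookup = Callable[[str, str], Optional[int]]


def dig_soa(name: str, nameserver: str) -> Optional[int]:
    """Real lookup: `dig +short SOA @<host> -p <port> <name>`.
    +short prints 'mname rname serial refresh retry expire minimum' and only for
    the answer section, so a non-apex name (e.g. _acme-challenge.x.example.com.)
    prints nothing even though the authority section carries the zone's SOA."""
    host, _, port = nameserver.partition(":")
    cmd = ["dig", "+short", "+tries=1", "+time=3", "-p", port or "53",
           "SOA", f"@{host}", name]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    for line in out.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[2].isdigit():
            return int(parts[2])
    return None


def find_zone(fqdn: str, nameserver: str,
              lookup: SoaLookup = dig_soa) -> Optional[Tuple[str, int]]:
    """Walk from the FQDN towards the root, asking the nameserver for an SOA at
    each label. The first name that answers is the zone apex; its serial is the
    value mass_edit_zone checks. Returns None when no label answers, which is
    the 'SOA not found' failure seen in the thread (wrong or non-authoritative
    nameserver)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never treat the bare TLD as the zone
        candidate = ".".join(labels[i:]) + "."
        serial = lookup(candidate, nameserver)
        if serial is not None:
            return candidate, serial
    return None


# Constructed stand-in: one server answers SOA only at the apex (serial taken
# from the nslookup output in the thread); the other never answers SOA.
FAKE_SOA = {("mydomain.com.ar.", "all1.dnsroundrobin.net:53"): 2024020306}


def fake_lookup(name: str, nameserver: str) -> Optional[int]:
    return FAKE_SOA.get((name, nameserver))


if __name__ == "__main__":
    for ns in ("all1.dnsroundrobin.net:53", "198.51.100.7:53"):
        print(ns, find_zone("_acme-challenge.test.mydomain.com.ar.", ns, fake_lookup))
```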

ldez commented 7 months ago

There are 5 APIs:

I don't know what is the difference between cPanel and WHM and why there are 2 completely different APIs (different path, different response format) for mainly the same things.

The comment https://github.com/go-acme/lego/pull/1977#issuecomment-1734292257 seems to explain the difference (user/admin) but it's not clear why there are 2 contexts/APIs.

I can create 2 API clients, it's not a problem, but the usage of those APIs is cryptic.

ldez commented 7 months ago

https://github.com/go-acme/lego/pull/1977#issuecomment-1925443401 https://github.com/go-acme/lego/pull/1977#issuecomment-1925445404

I think you are not using the right nameserver. I think your NS should be something like that ns1.mydomian.com.ar

pcastelo commented 7 months ago

Let me try another call and let you know.

The WHM is the reseller panel; it can handle multiple zones from different users. cPanel is for the end user and is limited in the zones that it can handle.

pcastelo commented 7 months ago

#1977 (comment) #1977 (comment)

I think you are not using the right nameserver. I think your NS should be something like that ns1.mydomian.com.ar

fyi

root@srv419809:~/lego# nslookup -querytype=soa mydomain.com.ar mydomain.com.ar
Server:         mydomain.com.ar
Address:        103.214.108.66#53

mydomain.com.ar
        origin = all1.dnsroundrobin.net
        mail addr = email.ipxcore.com
        serial = 2024020306
        refresh = 3600
        retry = 1800
        expire = 1209600
        minimum = 86400

any idea?

pcastelo commented 7 months ago

Any idea? I tested with all1.dnsroundrobin.net too and nothing.

ldez commented 7 months ago

Can you try this?

drill test.mydomain.com.ar SOA

Can we switch this discussion to the issue #1060?

ldez commented 7 months ago

After several hours of fighting against the API and wrong API documentation, the PR is working :tada:

This PR adds the support for cPanel and WHM :tada:

Huge thanks to @pcastelo :heart:

I would also like to thank @seebeen :+1: