obynio / certbot-plugin-gandi

Certbot plugin for authentication using Gandi LiveDNS
https://pypi.org/project/certbot-plugin-gandi/
MIT License
194 stars 27 forks

Support for certbot snap installation mode #22

Closed RolandVExp closed 1 year ago

RolandVExp commented 3 years ago

Hello, first, thanks a lot for your plugin. I've been using it for a long time along with a certbot-auto installation. This kind of installation is unfortunately no longer available for my OS (Debian).

So I have to switch to the officially supported "snap" installation mode described here

The problem is I don't know how to install your plugin with this mode. pip install certbot-plugin-gandi does work but is not detected by the snap installation.

Can you please help me? Thanks!

RolandVExp commented 3 years ago

Maybe the plugin has to be updated with those instructions: Writing your own plugin snap

kalemontes commented 3 years ago

Hi @RolandVExp, I also needed this feature so I built my own snap using the instructions given in https://github.com/certbot/certbot/tree/master/tools/snap.

I had to tweak it a bit to adapt it to this plugin, and I also had to make some changes to the setup.py; that's why I am pulling from my fork. I'll share what I changed from the original post:


Building Certbot Snap : Gandi plugin

Local Testing and Development

These instructions are recommended when testing anything about the snap setup for ease of debugging. The architecture of the built snap is limited to the architecture of the system it is built on.

Initial VM Set Up

These steps need to be done once to set up your VM and do not need to be run again to rebuild the snap.

  1. Start with a Focal VM. You need a full virtual machine using something like DigitalOcean, EC2, or VirtualBox. Docker won't work. Another version of Ubuntu can probably be used, but Focal was used when writing these instructions.
  2. Set up a user other than root with sudo privileges for use with snapcraft and run all of the following commands with it. A command to do this for a user named certbot looks like adduser certbot && usermod -aG sudo certbot && su - certbot.
  3. Install git and python with sudo apt update && sudo apt install -y git python.
  4. Set up lxd for use with snapcraft by running sudo snap install lxd && sudo /snap/bin/lxd.migrate -yes; sudo /snap/bin/lxd waitready && sudo /snap/bin/lxd init --auto (errors here are ok; it may already have been installed on your system).
  5. Add your current user to the lxd group and update your shell to have the new assignment by running sudo usermod -a -G lxd ${USER} && newgrp lxd.
  6. Install snapcraft with sudo snap install --classic snapcraft.
  7. cd ~ (or any other directory where you want our source files to be)
  8. Run git clone https://github.com/certbot/certbot
  9. cd certbot (All further instructions are relative to this directory.)

Certbot Snap

Reset the Environment

If the snap has been built before, the instructions below clean up the build environment so it can reliably be used again.

  1. snapcraft clean --use-lxd
  2. [Optional] mv certbot_*_amd64.snap certbot_amd64.snap.bak

Build the Certbot Snap

These are the steps to build and install the Certbot snap. If you have run these steps before, you may want to run the commands in the section above to clean things up or save a previous build before building the snap again (running snapcraft again will overwrite the previous snap).

  1. Run snapcraft --use-lxd.
  2. Install the generated snap with sudo snap install --dangerous --classic certbot_*_amd64.snap. You can transfer the snap to a different machine to run it there instead if you prefer.

Run

Run Certbot as normal. For example, certbot plugins should display the Apache and Nginx plugins.

Certbot Plugin Snaps

These instructions use the certbot-dns-gandi plugin as an example, but all of Certbot's other plugin snaps can be built in the same way.

Reset the Environment

If the plugin snap has been built before, the instructions below clean up the build environment so it can reliably be used again.

  1. git clone https://github.com/kalemontes/certbot-plugin-gandi
  2. [Optional] mv certbot-plugin-gandi/ certbot-dns-gandi
  3. cd certbot-dns-gandi
  4. snapcraft clean --use-lxd
  5. [Optional] mv certbot-dns-gandi_*_amd64.snap certbot-dns-gandi_amd64.snap.bak
  6. cd ..

Build a Certbot Plugin Snap

These are the steps to build and install the Certbot Gandi plugin snap. If you have run these steps before, you may want to run the commands in the section above to clean things up or save a previous build before building the snap again (running snapcraft again will overwrite the previous snap).

  1. Run tools/snap/generate_dnsplugins_all.sh to generate all necessary files for all plugin snaps.
  2. cd certbot-dns-gandi
  3. snapcraft --use-lxd
  4. Run sudo snap set certbot trust-plugin-with-root=ok.
  5. Install the generated snap with sudo snap install --dangerous certbot-dns-gandi_*_amd64.snap (for me it was sudo snap install --dangerous certbot-dns-gandi_1.2.5_amd64.snap). Again, you can transfer the snap to a different machine to run it there instead if you prefer.
  6. Connect the plugin with sudo snap connect certbot:plugin certbot-dns-gandi.
  7. Connect the plugin metadata with sudo snap connect certbot-dns-gandi:certbot-metadata certbot:certbot-metadata. Install the plugin again to test refresh; if the plugin's hook creates any logs, they are at /var/snap/certbot-dns-gandi/current/debuglog.

Run

Run Certbot as normal. For example, certbot plugins should display the Gandi plugin as installed.

So certbot plugins | grep dns-gandi displays

certbot@vagrant:~/certbot/certbot-dns-gandi$ certbot plugins | grep dns-gandi
* dns-gandi
Entry point: dns-gandi = certbot_plugin_gandi.main:Authenticator

I had to add the option -a dns-gandi in order to “specify a combination of distinct authenticator and installer plugins” (using --dns-gandi didn’t work for me), so certbot certonly --noninteractive --agree-tos -a dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --email mail@mailexample.com -d *.mydomain.com displays

certbot@vagrant:~/certbot/certbot-dns-gandi$ certbot certonly --noninteractive --agree-tos -a dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --email mail@mailexample.com -d *.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-gandi, Installer None
Requesting a certificate for *.mydomain.com
Performing the following challenges:
dns-01 challenge for mydomain.com
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.com/privkey.pem
   Your cert will expire on 2021-03-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Info: replace --email mail@mailexample.com -d *.mydomain.com with your own.

It would be great if the snap was provided out of the box, but I don't know how to publish, and I would leave this task to @obynio.
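
The build steps above install the plugin with --dangerous, which makes snapd accept a snap file that carries no store signature, and they allow copying the snap to another machine first. The following is an added example, not part of the original comment or of Certbot's tooling: it records a SHA-256 digest on the build VM, refuses to install a copy that no longer matches it, and checks that the file passed to --dns-gandi-credentials is closed to group and others. The function names are hypothetical, and GNU coreutils (sha256sum, stat -c) is assumed.

```shell
#!/bin/sh
# Added example: integrity and permission checks around an unsigned,
# locally built plugin snap. All function names are hypothetical.

# record_digest SNAP: run on the build VM; writes SNAP.sha256 beside the snap.
record_digest() {
    ( cd "$(dirname "$1")" &&
      sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# verify_digest SNAP: run on the target machine; returns 0 only if SNAP
# still matches the digest recorded in SNAP.sha256 (2 if a file is missing).
verify_digest() {
    [ -f "$1" ] && [ -f "$1.sha256" ] || return 2
    ( cd "$(dirname "$1")" &&
      sha256sum -c --status "$(basename "$1").sha256" )
}

# install_if_verified SNAP: only hands the file to snapd after the digest
# check passes, since --dangerous skips snapd's own signature verification.
install_if_verified() {
    verify_digest "$1" && sudo snap install --dangerous "$1"
}

# creds_private FILE: returns 0 only if FILE grants no permission bits to
# group or others (for example mode 600), 2 if the file cannot be read by stat.
creds_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}
```

Copy the .sha256 file over a separate channel from the snap itself where possible, and run creds_private against /etc/letsencrypt/gandi.ini before the first certbot run.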

obynio commented 3 years ago

Hello guys, sorry for not responding 🙏 I'm not a big fan of the snap package system but I'll try to dedicate a bit of time to build this snap.

Thanks for providing detailed instructions @kalemontes that will be very helpful 👍

padawan commented 3 years ago

Thanks a lot @kalemontes for these instructions!

@obynio you might want to include a warning in the README that using your instructions will install certbot via pip (e.g. in /usr/local/bin/certbot) and this will conflict with the snap version of certbot (which is now the preferred version and requires that you delete all other versions). This can lead to confusing setups with different plugins for each version (e.g. I ended up with a local version of certbot with the certbot-dns-gandi plugin but no Apache installer, alongside the snap version of certbot having all the standard plugins but not the certbot-dns-gandi plugin).
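
The mixed pip and snap setup described in the comment above can be detected before it causes a failed issuance or renewal. The following is an added example, not part of the thread or of the plugin: it lists every certbot executable reachable through PATH and reports which of them lists dns-gandi in its certbot plugins output. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect several certbot installs (e.g. pip and snap) and
# show which one actually has the dns-gandi plugin. Names are hypothetical.

# find_certbots [PATHLIST]: print each executable file named certbot found
# in the colon-separated PATHLIST (default: $PATH), in lookup order.
find_certbots() {
    pathlist=${1:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/certbot" ] && [ -x "$dir/certbot" ]; then
            printf '%s\n' "$dir/certbot"
        fi
    done
    IFS=$old_ifs
}

# certbot_conflict [PATHLIST]: returns 0 when more than one distinct
# certbot path is reachable, which is the conflicting setup.
certbot_conflict() {
    count=$(find_certbots "$@" | sort -u | wc -l)
    [ "$count" -gt 1 ]
}

# gandi_report [PATHLIST]: for each certbot found, print "<path> yes" or
# "<path> no" depending on whether its plugin list contains dns-gandi.
gandi_report() {
    find_certbots "$@" | sort -u | while IFS= read -r bin; do
        if "$bin" plugins 2>/dev/null | grep -q 'dns-gandi'; then
            printf '%s yes\n' "$bin"
        else
            printf '%s no\n' "$bin"
        fi
    done
}
```

Whichever path is printed first by find_certbots is the one a cron job or systemd timer running plain certbot renew will use, so that is the install that needs the plugin.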

GiantFrog commented 3 years ago

Ah, this makes sense! I'm still getting unrecognized arguments: --dns-gandi-credentials. Would love snap support, but my certificate expires in several hours, so I'll try to get it together with pip for now.

Remember: always save chores til the last minute so when APIs change and scripts stop working you can feel alive again.

felag commented 9 months ago

@obynio Is it me, or can this plugin not be installed with snapd? Is it possible to re-open this issue?

Regards

obynio commented 9 months ago

It cannot for now. I haven't been working on it yet.