remilapeyre / vault-acme

Mozilla Public License 2.0

Set DNS Challenge Variables as part of the account item #19

Closed hongkongkiwi closed 4 years ago

hongkongkiwi commented 4 years ago

I would like to set the Let's Encrypt DNS challenge variables in the account, rather than environment variables. e.g.

vault write acme/accounts/lenstra \
    contact=remi@lenstra.fr \
    server_url=https://acme-staging-v02.api.letsencrypt.org/directory \
    terms_of_service_agreed=true \
    provider=digitalocean \
    provider_opts='{"DO_AUTH_TOKEN": "abc123"}'

This would allow me to set up multiple LE accounts with different versions of providers (e.g. 2xCloudFlare accounts).

remilapeyre commented 4 years ago

Hi @hongkongkiwi, I started looking into this but it will require changes to the ACME client I am using (https://github.com/go-acme/lego) as it does not expose a convenient way to do this yet.

hongkongkiwi commented 4 years ago

What about if the Vault plugin simply sets the appropriate environment variable itself before running lego?

remilapeyre commented 4 years ago

What about if the Vault plugin simply sets the appropriate environment variable itself before running lego?

I would like to avoid this because it would require taking a lock every time we request a certificate with this type of DNS provider, which could be cumbersome and slow things down. I added a map to look the value up in before looking in the environment variables.
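One way to implement the map-first lookup described in that reply, as an added Go example that is not code from vault-acme or lego; the function name ResolveProviderOpts and the sample account tokens are constructed for illustration, and DO_AUTH_TOKEN is the variable from the issue's example:

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
	"sync"
)

// ResolveProviderOpts returns a value for each required DNS-provider
// variable, taking it from the account's own provider_opts map first and
// falling back to the process environment only when the map lacks it.
// Nothing is ever written to the environment, so concurrent certificate
// requests for different accounts need no lock and cannot see each
// other's credentials.
func ResolveProviderOpts(accountOpts map[string]string, required []string) (map[string]string, error) {
	resolved := make(map[string]string, len(required))
	var missing []string
	for _, name := range required {
		if v, ok := accountOpts[name]; ok && v != "" {
			resolved[name] = v
			continue
		}
		if v, ok := os.LookupEnv(name); ok && v != "" {
			resolved[name] = v
			continue
		}
		missing = append(missing, name)
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return nil, fmt.Errorf("provider option(s) not set in account or environment: %s", strings.Join(missing, ", "))
	}
	return resolved, nil
}

func main() {
	// Constructed sample: two accounts on the same provider with different credentials.
	accounts := map[string]map[string]string{
		"do-account-a": {"DO_AUTH_TOKEN": "token-a"},
		"do-account-b": {"DO_AUTH_TOKEN": "token-b"},
	}
	var wg sync.WaitGroup
	for name, opts := range accounts {
		wg.Add(1)
		go func(name string, opts map[string]string) { // resolve concurrently, no shared state
			defer wg.Done()
			r, err := ResolveProviderOpts(opts, []string{"DO_AUTH_TOKEN"})
			fmt.Println(name, r, err)
		}(name, opts)
	}
	wg.Wait()
}
```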