Skip to main content

ClouDNS DNS Authenticator plugin for Certbot

Project description

The certbot-dns-clounds plugin automates the process of completing a dns-01 challenge (acme.challenges.DNS01) by creating, and subsequently removing, TXT records using the ClouDNS API.

Named Arguments

--dns-cloudns-credentials

ClouDNS credentials INI file. (Required)

--dns-cloudns-propagation-seconds

The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (Default: 60)

--dns-cloudns-nameserver

Nameserver used to resolve CNAME aliases. (See the Challenge Delegation section below.) (Default: System default)

Credentials

Use of this plugin requires a configuration file containing the ClouDNS API credentials.

# Target user ID (see https://www.cloudns.net/api-settings/)
dns_cloudns_auth_id=1234
# Alternatively, one of the following two options can be set:
# dns_cloudns_sub_auth_id=1234
# dns_cloudns_sub_auth_user=foobar

# API password
dns_cloudns_auth_password=password1

The path to this file can be provided interactively or using the --dns-cloudns-credentials command-line argument. Certbot records the path to this file for use during renewal, but does not store the file’s contents.

Certbot will emit a warning if it detects that the credentials file can be accessed by other users on your system. The warning reads “Unsafe permissions on credentials configuration file”, followed by the path to the credentials file. This warning will be emitted each time Certbot uses the credentials file, including for renewal, and cannot be silenced except by addressing the issue (e.g., by using a command like chmod 600 to restrict access to the file).

Challenge Delegation

The dns-cloudns plugin supports delegation of dns-01 challenges to other DNS zones through the use of CNAME records.

As stated in the Let’s Encrypt documentation:

Since Let’s Encrypt follows the DNS standards when looking up TXT records for DNS-01 validation, you can use CNAME records or NS records to delegate answering the challenge to other DNS zones. This can be used to delegate the _acme-challenge subdomain to a validation-specific server or zone. It can also be used if your DNS provider is slow to update, and you want to delegate to a quicker-updating server.

This allows the credentials provided to certbot to be limited to either a sub-zone of the verified domain, or even a completely separate throw-away domain. This idea is further discussed in this article by the Electronic Frontier Foundation.

To resolve CNAME aliases properly, Certbot needs to be able to access a public DNS server. In some setups, especially corporate networks, the challenged domain might be resolved by a local server instead, hiding configured CNAME and TXT records from Certbot. In these cases setting the --dns-cloudns-nameserver option to any public nameserver (e.g. 1.1.1.1) should resolve the issue.

Installation

Install the plugin using pip:

pip install certbot-dns-cloudns

Examples

certbot certonly \
  --authenticator dns-cloudns \
  --dns-cloudns-credentials ~/.secrets/certbot/cloudns.ini \
  -d example.com
certbot certonly \
  --authenticator dns-cloudns \
  --dns-cloudns-credentials ~/.secrets/certbot/cloudns.ini \
  -d example.com \
  -d www.example.com
certbot certonly \
  --authenticator dns-cloudns \
  --dns-cloudns-credentials ~/.secrets/certbot/cloudns.ini \
  --dns-cloudns-propagation-seconds 30 \
  -d example.com

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

certbot_dns_cloudns-0.7.0.tar.gz (9.8 kB view details)

Uploaded Source

Built Distribution

certbot_dns_cloudns-0.7.0-py3-none-any.whl (12.3 kB view details)

Uploaded Python 3

File details

Details for the file certbot_dns_cloudns-0.7.0.tar.gz.

File metadata

  • Download URL: certbot_dns_cloudns-0.7.0.tar.gz
  • Upload date:
  • Size: 9.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.12.4 Darwin/23.5.0

File hashes

Hashes for certbot_dns_cloudns-0.7.0.tar.gz
Algorithm Hash digest
SHA256 41f27d345c3e4e7d211f2b376d23e50e8f9f54e592ba3832d769a6f7a00642cc
MD5 fb623257df1e862e849cad7005327fc3
BLAKE2b-256 7ff792c79f7b668dbfc3366e98d9e1d9c2d57c9db11c72fd362ef5c19276ebbf

See more details on using hashes here.

File details

Details for the file certbot_dns_cloudns-0.7.0-py3-none-any.whl.

File metadata

File hashes

Hashes for certbot_dns_cloudns-0.7.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7a5f45c744b8db543caafa879b753786e1c5dfabdf956d9566964e056c231b3a
MD5 a13da3b68a4973d99f02dfd4483824f1
BLAKE2b-256 4e43d39dd4b68d4bdf7657bf56ed4ab7f385a67f0e84c829844d638267d179ad

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page