Infoblox DNS Authenticator plugin for Certbot

Project description

certbot-dns-infoblox

This plugin automates the process of completing a dns-01 challenge by creating, and subsequently removing, TXT records using the Infoblox Remote API.

To obtain a certificate from Let's Encrypt you must demonstrate control over the domain name. Usually this is done over HTTP by placing a specific file on your website. With DNS / Infoblox as the backend you no longer need to run a web server, and you can also prove ownership of domain names that are only reachable internally, and even of wildcard names such as *.example.com.

Note that all certificates issued by Certificate Authorities such as Let's Encrypt are added to a distributed database, the Certificate Transparency logs (searchable at, e.g., crt.sh). In particular when issuing certificates for internal hosts, be careful about revealing the names of internal servers.

Installation

From PyPI (all platforms):

pip install certbot-dns-infoblox

Ubuntu .deb package:

Pre-built .deb packages for Ubuntu 22.04 (Jammy) and 24.04 (Noble) are attached to each GitHub Release.

# Download the .deb for your Ubuntu release from the Releases page, then
# run the following to install the .deb and all dependencies:
sudo apt install -f ./python3-certbot-dns-infoblox_*.deb

Named Arguments

To start using DNS authentication for Infoblox, pass the following arguments on certbot's command line:

--authenticator dns-infoblox
    Select the authenticator plugin (required).
--dns-infoblox-credentials <path>
    Path to the Infoblox credentials INI file (default: /etc/letsencrypt/infoblox.ini).
--dns-infoblox-propagation-seconds <n>
    Seconds to wait for DNS propagation before asking the ACME server to verify the DNS record (default: 60).

Credentials

Create an INI file (default location /etc/letsencrypt/infoblox.ini):

#
# Infoblox credentials - keep this file private (chmod 600)
#
dns_infoblox_hostname = infoblox.example.net
dns_infoblox_username = my-wapi-user
dns_infoblox_password = 5f4dcc3b5aa765d61d8327deb882cf99

# Optional: Infoblox DNS view (omit this if not required)
# dns_infoblox_view = ""

# Optional: set to false to disable SSL verification (default: true).
# WARNING: disabling TLS verification exposes you to MITM attacks.
# dns_infoblox_ssl_verify = true

# Optional: path to a custom CA bundle (file or directory) for SSL
# verification.
# dns_infoblox_ca_bundle = "/path/to/ca-bundle.crt"

Restrict access to the file:

chmod 600 /etc/letsencrypt/infoblox.ini

The path to this file can be provided interactively or using the --dns-infoblox-credentials command-line argument. Certbot records the path to this file for use during renewal, but does not store the file's contents.

CAUTION: Protect these credentials as you would any password. Users who can read this file can issue arbitrary WAPI calls on your behalf. Certbot will warn you with "Unsafe permissions on credentials configuration file" if the file is readable by other users.

SSL verification

By default the plugin verifies the Infoblox WAPI server's TLS certificate against the system trust store. If your Infoblox uses a certificate signed by an internal or private CA, point dns_infoblox_ca_bundle at the CA bundle file or directory (PEM format):

dns_infoblox_ca_bundle = /etc/ssl/certs/my-internal-ca.pem

To disable certificate verification entirely (not recommended for production), set dns_infoblox_ssl_verify to false:

# WARNING: disabling TLS verification exposes you to MITM attacks.
dns_infoblox_ssl_verify = false
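Added example (not the plugin's own code; the function names are assumptions): a loader that applies the checks described in the Credentials and SSL verification sections before the first certbot run. It parses the section-less INI format, reproduces the condition behind certbot's "Unsafe permissions" warning, and folds dns_infoblox_ssl_verify and dns_infoblox_ca_bundle into the single value that the requests library's verify= parameter takes.

```python
import os

REQUIRED = ("dns_infoblox_hostname", "dns_infoblox_username", "dns_infoblox_password")
OPTIONAL = ("dns_infoblox_view", "dns_infoblox_ssl_verify", "dns_infoblox_ca_bundle")

# Constructed sample mirroring the file shown above (comment lines included).
SAMPLE_INI = """\
# Infoblox credentials - keep this file private (chmod 600)
dns_infoblox_hostname = infoblox.example.net
dns_infoblox_username = my-wapi-user
dns_infoblox_password = 5f4dcc3b5aa765d61d8327deb882cf99
# dns_infoblox_ssl_verify = true
"""

def parse_credentials(text: str) -> dict:
    """Parse the section-less 'key = value' format: '#' lines are comments, quotes
    around values are dropped, unknown or missing required keys are rejected."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in REQUIRED + OPTIONAL:
            raise ValueError(f"unknown key: {key}")
        creds[key] = value.strip("\"'")
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError("missing required keys: " + ", ".join(missing))
    return creds

def unsafe_mode(st_mode: int) -> bool:
    """True when group or others hold any permission bit (the 'Unsafe permissions'
    condition; chmod 600 clears it). Use: unsafe_mode(os.stat(path).st_mode)."""
    return bool(st_mode & 0o077)

def tls_verify_setting(creds: dict):
    """Fold the two TLS options into what requests' verify= accepts: False disables
    verification (MITM-exposed), a path pins a private CA bundle, True = system store."""
    flag = creds.get("dns_infoblox_ssl_verify", "true").lower()
    if flag not in ("true", "false"):
        raise ValueError("dns_infoblox_ssl_verify must be true or false")
    if flag == "false":
        return False
    bundle = creds.get("dns_infoblox_ca_bundle")
    if bundle and not os.path.exists(bundle):
        raise FileNotFoundError(f"CA bundle not found: {bundle}")
    return bundle or True
```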

Examples

Acquire a certificate for example.com and *.example.com, waiting 10 seconds for DNS propagation:

certbot certonly \
  --authenticator dns-infoblox \
  --dns-infoblox-credentials /etc/letsencrypt/infoblox.ini \
  --dns-infoblox-propagation-seconds 10 \
  -d 'example.com' \
  -d '*.example.com'

Renew all certificates non-interactively (e.g. cron job or systemd timer):

certbot renew --quiet

Notes

This plugin talks to the Infoblox WAPI REST API directly using the requests library; it does not depend on the infoblox-client package.

Inspired by certbot-dns-ispconfig.

Developing / Contributing

See CONTRIBUTING.md for instructions on setting up a development environment, running the test suite, building .deb packages, and the CI/CD release workflow.

Download files

Source Distribution

certbot_dns_infoblox-0.4.0.tar.gz (18.1 kB)

Built Distribution

certbot_dns_infoblox-0.4.0-py3-none-any.whl (11.8 kB)

File details

Details for the file certbot_dns_infoblox-0.4.0.tar.gz.

File metadata

  • Size: 18.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for certbot_dns_infoblox-0.4.0.tar.gz
Algorithm Hash digest
SHA256 12a94ae7f22271fcd2c42790a0fb2dd246570a3ffe76efc15e169019d9505e16
MD5 fdb6dff037ed759e9c537873fa1d1ad4
BLAKE2b-256 d3c323c928b206b3e252d1df86d9b2fafaabc4cbb0cf3f65f91e8d388ce57a06

Provenance

The following attestation bundles were made for certbot_dns_infoblox-0.4.0.tar.gz:

Publisher: publish-pypi.yml on svalgaard/certbot-dns-infoblox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file certbot_dns_infoblox-0.4.0-py3-none-any.whl.

File hashes

Hashes for certbot_dns_infoblox-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8ad66ae61d813abd0a80c1bf3e0e80423e90030658797b92cc912f46074cc4d4
MD5 15f86080fd351a6c27f6731dfba7dfbc
BLAKE2b-256 2242cc9b1d578041fa20f16ce6e057268c89d05587ebbb794e4fe097051ab00d

Provenance

The following attestation bundles were made for certbot_dns_infoblox-0.4.0-py3-none-any.whl:

Publisher: publish-pypi.yml on svalgaard/certbot-dns-infoblox

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
