Skip to main content

Standalone DNS Authenticator plugin for Certbot

Project description

Standalone DNS Authenticator plugin for Certbot

This is a plugin that uses an integrated DNS server to respond to the _acme-challenge records. Simultaneous challenges are supported.

A subdomain needs to be created that defines certbot as its nameserver, e.g. for acme.example.com:

acme     IN  NS  ns-acme.example.com.
ns-acme  IN  A   1.2.3.4

where 1.2.3.4 is the IP of the server where certbot will be run. This configuration directs any requests to *.acme.example.com to 1.2.3.4 where the plugin will respond with the relevant challenge.

Any server can be used as long as port 53 is available which means that a DNS server cannot be run at that particular IP at the same time.

The plugin binds to all available interfaces. The validation usually takes less than a second.

Next, _acme-challenge for the domain that the certificate is requested for must be configured as a CNAME record to domain.acme.example.com, e.g. for example.net:

_acme-challenge  IN  CNAME  example.net.acme.example.com.

This means that any requests to _acme-challenge.example.net should be performed to example.net.acme.example.com instead which is where our certbot runs. No further changes to the DNS of example.net are necessary.

Installation

# pip3 install certbot certbot-dns-standalone

Usage

Just run certbot certonly and use the certbot-dns-standalone:dns-standalone plugin:

# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Obtain certificates using an integrated DNS server
(certbot-dns-standalone:dns-standalone)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator certbot-dns-standalone:dns-standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): *.example.net

Non-interactive usage:

certbot --non-interactive --agree-tos --email certmaster@example.com certonly \
  --preferred-challenges dns --authenticator certbot-dns-standalone:dns-standalone \
  --certbot-dns-standalone:dns-standalone-address=0.0.0.0 \
  --certbot-dns-standalone:dns-standalone-ipv6-address=:: \
  --certbot-dns-standalone:dns-standalone-port=53 \
  -d example.com

To renew the certificates add certbot renew to crontab.

Parameters supported

Parameters can be specified as --certbot-dns-standalone:dns-standalone-PARAMETER=VALUE.

Supported parameters are:

  • address – IPv4 address to bind to, defaults to 0.0.0.0
  • ipv6-address – IPv6 address to bind to, defaults to ::
  • port – port to use, defaults to 53

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for certbot-dns-standalone, version 1.0.3
Filename, size File type Python version Upload date Hashes
Filename, size certbot_dns_standalone-1.0.3-py2.py3-none-any.whl (10.1 kB) File type Wheel Python version py2.py3 Upload date Hashes View
Filename, size certbot-dns-standalone-1.0.3.tar.gz (12.3 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page