Standalone DNS Authenticator plugin for Certbot
Project description
Standalone DNS Authenticator plugin for Certbot
This is a plugin that uses an integrated DNS server to respond to the _acme-challenge records. Simultaneous challenges are supported.
A subdomain needs to be created that defines certbot as its nameserver, e.g. for acme.example.com:
acme IN NS ns-acme.example.com. ns-acme IN A 1.2.3.4
where 1.2.3.4 is the IP of the server where certbot will be run. This configuration directs any requests to *.acme.example.com to 1.2.3.4 where the plugin will respond with the relevant challenge.
Any server can be used as long as port 53 is available which means that a DNS server cannot be run at that particular IP at the same time.
The plugin binds to all available interfaces. The validation usually takes less than a second.
Next, _acme-challenge for the domain that the certificate is requested for must be configured as a CNAME record to domain.acme.example.com, e.g. for example.net:
_acme-challenge IN CNAME example.net.acme.example.com.
This means that any requests to _acme-challenge.example.net should be performed to example.net.acme.example.com instead which is where our certbot runs. No further changes to the DNS of example.net are necessary.
Installation
# pip3 install certbot certbot-dns-standalone
Usage
Just run certbot certonly and use the certbot-dns-standalone:dns-standalone plugin:
# certbot certonly Saving debug log to /var/log/letsencrypt/letsencrypt.log How would you like to authenticate with the ACME CA? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: Obtain certificates using an integrated DNS server (certbot-dns-standalone:dns-standalone) 2: Spin up a temporary webserver (standalone) 3: Place files in webroot directory (webroot) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1 Plugins selected: Authenticator certbot-dns-standalone:dns-standalone, Installer None Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): *.example.net
Non-interactive usage:
certbot --non-interactive --agree-tos --email certmaster@example.com certonly \ --preferred-challenges dns --authenticator certbot-dns-standalone:dns-standalone \ --certbot-dns-standalone:dns-standalone-address=0.0.0.0 \ --certbot-dns-standalone:dns-standalone-ipv6-address=:: \ --certbot-dns-standalone:dns-standalone-port=53 \ -d example.com
To renew the certificates add certbot renew to crontab.
Parameters supported
Parameters can be specified as --certbot-dns-standalone:dns-standalone-PARAMETER=VALUE.
Supported parameters are:
address – IPv4 address to bind to, defaults to 0.0.0.0
ipv6-address – IPv6 address to bind to, defaults to ::
port – port to use, defaults to 53
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for certbot-dns-standalone-1.0.3.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 79d1f55222f8c848b7e8981bce9e144b35b2f642e3715e07746904945b313ebf |
|
| MD5 | 3db5f1d1649b65051e4a36f5a80c0df0 |
|
| BLAKE2-256 | e1d9f237b588e137c95e288373c8e9010bfa60b16239831a0108b18470bd55b2 |
Hashes for certbot_dns_standalone-1.0.3-py2.py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 88c7814ac582305aeafbb0d89b532b43c73d3b5c33fde22537408675dbcb0a47 |
|
| MD5 | 70c87a94972ad93199fe0b429e377db5 |
|
| BLAKE2-256 | 8159cf97f078edba65ec654188da8e38004cbe88361b35b007f76dcf7a94c96d |