Add Lets Encrypt + CloudFlare addon #277

Closed
wants to merge 2 commits into from

@kiall kiall commented Apr 7, 2018

Add a Let's Encrypt + CloudFlare addon.

This addon is heavily based on the DuckDNS addon (it's essentially a copy+paste!), and will issue Let's Encrypt TLS certificates using a DNS-01 challenge setup with CloudFlare's DNS service.

@homeassistant

Hi @kiall,

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!


# Setup Base System
RUN apk add --no-cache git jq curl libressl python3 \
&& ln -s /usr/bin/python3 /usr/bin/python
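
Review bot: the `ln -s /usr/bin/python3 /usr/bin/python` at the end of this RUN line repoints `python` for the whole image, and nothing in the visible lines shows what needs an unversioned `python`. Prefer calling `python3` explicitly (or using a `#!/usr/bin/env python3` shebang) in the script that needs it and drop the symlink. The package list (git, jq, curl, libressl, python3) also has no comment saying which part of the add-on uses each one; a short comment per package would let a reviewer confirm that nothing unneeded ships in an image that performs DNS-01 validation against CloudFlare.
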
Member

That is needed?

@balloob
Member

balloob commented May 30, 2018

We should not add this to the official repository.

We should just offer DuckDNS. More options for users can be given via people hosting their own add-ons. It's already difficult enough for users to understand how to get encryption going.

@balloob balloob closed this May 30, 2018
@Apocrathia

@balloob Can we meet in the middle and add the DNS verification support to the existing Let's Encrypt addon? There are a lot of us who are using CloudFlare for DNS.

@pvizeli You've authored the majority of the Let's Encrypt addon, and I see that you've been using certbot for it. Could we add CloudFlare support to it? It looks like the config.json just needs a variable for the verification method and the optional fields required by DNS verification. The CloudFlare plugin is built into certbot now.

@Apocrathia

@pvizeli I have made a couple of minor tweaks to the existing Let's Encrypt addon. I will need to flesh out the functionality, but if this looks okay, we may be able to kill two birds with one stone by adding DNS-01 challenge support, as well as preventing us from having another addon in the main repository.

@balloob
Member

balloob commented May 30, 2018

I just suggested in #312 to move Let's Encrypt add-on out of the official repository. If there is an add-on that would do dynamic DNS + Let's Encrypt and support multiple providers, that would be something I would like for the official repo.

Just because something is not accepted for the official repository, doesn't mean that you can't use it or share it with others. We've made it very easy to share add-ons: https://developers.home-assistant.io/docs/en/hassio_addon_repository.html

@Apocrathia

I would honestly say that dynamic DNS and SSL certificate generation are two separate functions, and having the DuckDNS addon do both is even more confusing. In addition, I would argue that DNS-o-Matic provides far more functionality than just DuckDNS, if dynamic DNS is the end goal. I agree with your comment in #312 that we should have some sort of an "advanced" addon repo.

@balloob
Member

balloob commented May 30, 2018

Combining Let's Encrypt with a dynamic DNS provider using the DNS challenge makes generating certificates possible without requiring users to open ports on their router, making the process significantly easier and more secure.

@Apocrathia

I definitely agree with using the DNS challenge for certificates. Making users open ports just adds too many complications. The only issue with DuckDNS is that everyone would have to use DuckDNS as their DNS provider, which is a major pain for anyone who already has DNS set up elsewhere. DNS-O-Matic just provides an agnostic approach to updating dynamic DNS records (besides just using basic RFC2136 DDNS). I still agree with your comment in #312 that the repo should be split. Providing an all-in-one solution for users in the main repository will most likely work for the majority of users. However, the duplication of Let's Encrypt functionality does cause some confusion.
