Authenticator plugin for certbot
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.idea
certbot_pdns
.gitignore
README.md
certbot-pdns.json
setup.cfg
setup.py

README.md

certbot-pdns

Authenticator plugin for certbot (https://certbot.eff.org/).

Perform a DNS-01 challenge using TXT record in a PowerDNS (https://doc.powerdns.com/md/)

The advantages are:

  • No need to configure your web server to serve challenges
  • Web server not even needed
  • Can generate certificate for internal hosts that are not exposed to the Internet
  • A or CNAME record not even needed. Only the TXT record added by certbot-pdns matters.

Installation

Install or upgrade certbot:

pip2 install -U certbot

Install certbot-pdns:

#Install from pip
pip2 install certbot-pdns
#Install from sources
python2 setup.py install

Check that certbot-pdns:auth is listed when executing certbot --text plugins

Configuration

An example file is provided in /usr/local/etc/letsencrypt/certbot-pdns.json:

{
  "api-key": "change_it",
  "base-url": "http://127.0.0.1:34022/api/v1",
  "axfr-time": 5,
  "http-auth": ["user", "secret_pass"],
  "verify-cert": "False"
}

Configuration file must be placed in /etc/letsencrypt/certbot-pdns.json or be specified with argument certbot-pdns-config.

Configuration keys:

  • api-key: Your PowerDNS API Key as specified in property api-key in file /etc/powerdns/pdns.conf
  • base-url: The base URL for PowerDNS API. Require api=yes and api-readonly=no in file /etc/powerdns/pdns.conf
  • axfr-time: The time in seconds to wait for AXFR in slaves. Can be set to 0 if there is only one authoritative server for the zone.

The following two keys are optional and added in case a (nginx) reverse proxy is used to secure access to the api:

  • http-auth (optional): A list of two strings containing the Username and Password for a http-basic-authentication
  • verify-cert (optional): defines whether the SSL-certificate provided by the reverse proxy shall be verified. Possible options are True/False or a string containing the path to a local certificate which can be used to verify the one provided by the proxy.

Usage

Use certbot as usual but specify --authenticator certbot-pdns:auth:

certbot --agree-tos --text --renew-by-default --authenticator certbot-pdns:auth certonly -d example.com -d www.example.com