
restore a minimal API token init script according to public articles

Open koolfy opened this issue 7 years ago • 4 comments

Yo, this is the fastest PR of my entire life, so please test it properly before merging it anywhere.

It should make your blogpost ( https://ungeek.fr/letsencrypt-api-ovh/ ) and its derivatives ( http://matthieukeller.com/2016/12/lets-encrypt-certificate-for-offline-servers-with-ovh-dns.html ) correct again, so that people do not need to go through the documentations and examples as I had to :)

It was not the end of the world, but it's better if other people after me don't need to understand all the logic, and can just reuse the python script ;)

I updated the README.md too, as you will read the script defaults to requesting RW on /domain which is probably excessive, but would work 100% of the time for newbies. An argument could be fed to the script to limit it further.

I'll probably study closer what exact permissions are needed for certbot operations, so I can improve the script to only request the exact correct operations on a specified domain name.

I am aware that this breaks the --init part of your documentation, but I think it's for the better.

Again, sorry to rush this, I'm running against the clock to meet a deadline, and wanted to do this PR before I had the chance to forget :D

Thanks for saving my ass with this tool <3

koolfy avatar Jul 06 '17 18:07 koolfy

Yeah... I'm probably going to squash all these commits I had to make because I went too fast...

koolfy avatar Jul 06 '17 19:07 koolfy

I ended up increasing the sleep time in the auth-hook because OVH didn't let me set a TTL lower than 60s and I realized my certbot challenges were failing due to 5s not being enough for the record update to be applied.

I set 120s and explained this issue in the readme.

This branch is now functional, and would only require some minor edits to your blog post. You could update it by removing the --init param and mentioning the new parameter used to restrain API token access to /domain/zone/_acme-challenge.example.com etc.

I'll still probably improve this branch by only asking for specific operations on this domain if specified, as a total recursive grant is probably excessive (but harmless if at least /domain/zone/_acme-challenge.example.com is specified).

sorry for all the noise :(

koolfy avatar Jul 06 '17 20:07 koolfy
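The comment above replaces a 5 s sleep in the certbot auth-hook with a fixed 120 s one because OVH enforces a 60 s minimum TTL. A fixed sleep either wastes time or still races the zone update; the added example below (not part of this PR or the project's code) shows a bounded poll that waits until the `_acme-challenge` TXT record is actually visible. The `lookup`, `sleep` and `clock` callables and the `SimulatedResolver` are assumptions constructed here so it runs offline; in a real hook, `lookup` would query the zone's authoritative name servers.

```python
import time
from typing import Callable, Iterable


def wait_for_txt(name: str, expected: str, lookup: Callable[[str], Iterable[str]],
                 timeout: float = 180.0, interval: float = 5.0,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> bool:
    """Return True once `expected` is among the TXT values returned for `name`,
    False if `timeout` seconds elapse first. A failing lookup (NXDOMAIN, timeout)
    is treated as 'not visible yet', not as a hard error, so a slow zone refresh
    does not abort the challenge early."""
    deadline = clock() + timeout
    while True:
        try:
            values = set(lookup(name))
        except Exception:          # resolver error: retry until the deadline
            values = set()
        if expected in values:
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


class SimulatedResolver:
    """Constructed stand-in for DNS (hypothetical): the record becomes visible
    `delay` seconds after creation. Owns a virtual clock so tests do not wait."""

    def __init__(self, name: str, value: str, delay: float):
        self.name, self.value, self.delay = name, value, delay
        self.now = 0.0
        self.queries = 0

    def clock(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def lookup(self, name: str):
        self.queries += 1
        if name == self.name and self.now >= self.delay:
            return [self.value]
        return []


if __name__ == "__main__":
    # Record propagates after 60 s (OVH's minimum TTL); poll every 5 s, give up after 120 s.
    r = SimulatedResolver("_acme-challenge.example.com", "constructed-token", 60.0)
    ok = wait_for_txt(r.name, "constructed-token", r.lookup, 120, 5, r.sleep, r.clock)
    print(f"visible={ok} after {r.now:.0f}s and {r.queries} queries")
```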

Mh, did some further testing, and I discovered that granting recursive permissions on /domain/zone/_acme-challenge.example.com does not work.

This means my README.md is incorrect :) I'll find the proper way to restrict permission granting over this weekend.

PLEASE CONSIDER THIS BRANCH AS TRASH UNTIL I FIX THIS AND SQUASH ALL THESE UGLY COMMITS :(

koolfy avatar Jul 06 '17 20:07 koolfy

Hi, thanks and good luck with the fix :)

antoinerrr avatar Jul 07 '17 11:07 antoinerrr