
basic manual-auth-hook (like for usage with 'named')

Open mrAceT opened this issue 1 year ago • 2 comments

I have recently started to use a wildcard certificate and I managed to activate/install it manually.

At first I assumed it would renew automatically just as my other letsencrypt/certbot domains, but I was wrong.

I maintain my own nameserver, that runs via 'named'. I have made some preliminary attempts at creating my own 'manual-auth-hook', but I am nowhere near anything that remotely looks like something that is going to work :-(

Would it be possible to add/create a rudimentary 'manual-auth-hook' that has the configurable options:

  • (wildcard) domain
  • call to external program (something like: "handler.php [domain] [challenge]", where [domain] is the domain above and [challenge] is the DNS value I needed to add manually)
  • delay (in seconds, the time to wait for the external program to actually have added the '_acme-challenge value')

This would be ideal for custom/manual DNS setups

mrAceT avatar Jul 09 '24 08:07 mrAceT

If with named you mean, BIND, then it's probably a way better idea to use the certbot-dns-rfc2136 plugin.

If named is a different kind of DNS server not supporting RFC 2136 at all, then you would indeed need something else. However, I don't think opening an issue on this repository is the correct method for getting help with that, as it's not a Certbot issue directly. Certbot offers the --manual-auth-hook interface, but I'm preeeetty sure the Certbot development team does not want to support any script that is used as a value for that hook. Also note that Certbot does not provide example scripts for those hooks.

osirisinferi avatar Jul 09 '24 14:07 osirisinferi

The scripts here can be used to automate certificate renewal with named using nsupdate and they overcome several limitations of the certbot-dns-rfc2136 plugin such as https://github.com/certbot/certbot/issues/6566 and https://github.com/certbot/certbot/issues/6282.

Use the certbot command-line options: --manual, --preferred-challenges=dns, --manual-auth-hook authenticator.sh and --manual-cleanup-hook cleanup.sh

cmmodtools avatar Aug 22 '24 07:08 cmmodtools
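The scripts referred to in the comment above are not on this page. What follows is an added example, not certbot's code and not cmmodtools's scripts, of what a `--manual-auth-hook` / `--manual-cleanup-hook` for a BIND (`named`) zone looks like when it uses `nsupdate` over RFC 2136 and then waits until the `_acme-challenge` TXT record is actually visible on the authoritative servers (the "delay" the original poster asked for, done by polling rather than by a fixed sleep). The server address, zone name, TSIG key path, TTL, timeouts and the `AUTH_SERVERS` list are placeholders chosen for illustration. It relies on `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`, which certbot exports to both hooks, and on the same script being passed once as `dns-hook.sh add` and once as `dns-hook.sh delete`.

```shell
#!/bin/sh
# Hypothetical certbot manual DNS hook for a BIND ("named") zone updated with
# nsupdate over RFC 2136.  Added example, not certbot's own code.  All values
# below are assumptions for illustration; override them in the environment.
set -eu

NS_SERVER="${NS_SERVER:-127.0.0.1}"           # assumed: primary named, local
ZONE="${ZONE:-example.com}"                   # assumed zone holding the record
TSIG_KEY="${TSIG_KEY:-/etc/certbot/tsig.key}" # assumed key file for nsupdate -k
TTL="${TTL:-60}"
AUTH_SERVERS="${AUTH_SERVERS:-$NS_SERVER}"    # assumed: all authoritative NS to poll
WAIT_SECS="${WAIT_SECS:-120}"                 # give up after this many seconds
POLL_SECS="${POLL_SECS:-5}"

# Challenge record name for the domain certbot is validating.  For *.example.com
# the ACME authorization identifier (and so CERTBOT_DOMAIN) is example.com, so a
# wildcard and its apex both land on _acme-challenge.example.com.
challenge_name() {
    printf '_acme-challenge.%s.' "$1"
}

# Render the nsupdate transaction on stdout.  $1 = add|delete, $2 = domain,
# $3 = validation value.  "update add" is used instead of "update replace" on
# purpose: apex + wildcard need two TXT records on the same name at once, and
# the delete names the exact value so a sibling challenge is not wiped.
nsupdate_script() {
    action="$1"; name=$(challenge_name "$2"); value="$3"
    printf 'server %s\nzone %s.\n' "$NS_SERVER" "$ZONE"
    if [ "$action" = add ]; then
        printf 'update add %s %d IN TXT "%s"\n' "$name" "$TTL" "$value"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# TXT values nameserver $2 currently serves for $1, one quoted value per line.
lookup_txt() {
    dig +short +time=2 +tries=1 "@$2" TXT "$1" 2>/dev/null || true
}

# Poll every authoritative server until all of them serve the value.
# Returns 0 once visible everywhere, 1 after WAIT_SECS without success.
wait_for_record() {
    name="$1"; value="$2"; waited=0
    while [ "$waited" -lt "$WAIT_SECS" ]; do
        missing=0
        for ns in $AUTH_SERVERS; do
            lookup_txt "$name" "$ns" | grep -qxF "\"$value\"" || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        sleep "$POLL_SECS"
        waited=$((waited + POLL_SECS))
    done
    return 1
}

main() {
    action="$1"
    name=$(challenge_name "$CERTBOT_DOMAIN")
    nsupdate_script "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
        | nsupdate -k "$TSIG_KEY"
    if [ "$action" = add ]; then
        wait_for_record "$name" "$CERTBOT_VALIDATION" || {
            echo "TXT for $name not visible on all servers after ${WAIT_SECS}s" >&2
            exit 1
        }
    fi
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to its hooks; only act
# when they are present, so sourcing the file for its functions is harmless.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main "${1:-add}"
fi
```

Invocation, with the placeholder path: `certbot certonly --manual --preferred-challenges=dns --manual-auth-hook "/etc/certbot/dns-hook.sh add" --manual-cleanup-hook "/etc/certbot/dns-hook.sh delete" -d example.com -d '*.example.com'`. On the BIND side, restrict the TSIG key to the one record it needs rather than the whole zone, e.g. `update-policy { grant certbot-key name _acme-challenge.example.com TXT; };`, so a leaked key on the web host cannot rewrite A or MX records. If the zone has secondaries, list them in `AUTH_SERVERS`: the primary accepts the update synchronously, but Let's Encrypt may query any authoritative server, so the wait has to cover NOTIFY/AXFR to the secondaries.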

If the solution above is sufficient we can close. But let us know if it doesn't. But @osirisinferi is correct in the assumption that we would not want that type of implementation.

zoracon avatar Jan 30 '25 22:01 zoracon

@zoracon thank you for your reply, somehow I missed the other replies earlier!?

(and thanks to @cmmodtools , I'm going to seriously look into this one and get back to you all)

mrAceT avatar Jan 31 '25 09:01 mrAceT

Assuming this is fine, closing for now. Can re-open if not.

zoracon avatar Jun 24 '25 05:06 zoracon

@zoracon oops, should have followed up, under the motto "better late than never":

I have created my own hook and all is working fine.. excluding one thing.. I have created another issue for that: https://github.com/certbot/certbot/issues/10313

So this issue is correctly closed (but I would appreciate help with that other new issue..)

mrAceT avatar Jun 25 '25 13:06 mrAceT