Obtain certificates using a DNS TXT record for DuckDNS domains
Project description
Certbot DNS DuckDNS Plugin
Plugin for certbot for a DNS-01 challenge with a DuckDNS domain.
Table of Contents
About
certbot_dn_duckdns is a plugin for certbot to create the DNS-01 challenge for a DuckDNS domain. The plugin takes care of setting and deleting the TXT entry via the DuckDNS API.
Installation
Prerequirements
If you want to use the docker image, then you don't need any requirements other than a working docker installation and can proceed directly to the usage
If you prefer the local installation, then you need at least version 3.6 of Python installed. If you want to install this plugin with pip, then you also need pip3 installed.
If you already have certbot installed, make sure you have at least version 1.7.0 installed.
You can check what version of certbot is installed with this command:
certbot --version
If you don't have certbot installed yet, then the PyPI version of certbot will be installed automatically during the installation.
Note: If you want to run certbot with root privileges, then you need to install the plugin with root privileges too. Otherwise, certbot cannot find the plugin.
With pip (recommend)
Use the following command to install certbot_dns_duckdns with pip:
pip install certbot_dns_duckdns
You can also very easily update to a newer version:
pip install certbot_dns_duckdns -U
From source
git clone https://github.com/infinityofspace/certbot_dns_duckdns
cd certbot_dns_duckdns
pip install .
Usage
Note: You cannot create certificates for multiple DuckDNS domains with one certbot call. This is because DuckDNS only allows one TXT record. If certificates for several domains should be created at the same time, then the same number of distinct DNS TXT records must be created. To solve the problem, you simply have to make a separate certbot call for each domain.
Note that the certificate generation through Letsencrypt has rate limits. For testing, use the additional
argument --staging
to solve this problem.
Credentials file or cli parameters
You can either use cli parameters to pass authentication information to certbot:
...
--dns-duckdns-token <your-duckdns-token>
Or to prevent your credentials from showing up in your bash history, you can also create a
credentials-file duckdns.ini
(the name does not matter) with the following content:
dns_duckdns_token=<your-duckdns-token>
And then instead of using the --dns-duckdns-key
parameter above you can use
...
--dns-duckdns-credentials </path/to/your/duckdns.ini>
You can also mix these usages, though the cli parameters always take precedence over the ini file.
Local installation usage
To check if the plugin is installed correctly and detected properly by certbot, you can use the following command:
certbot plugins
Below are some examples of how to use the plugin:
Generate a certificate for a DNS-01 challenge of the domain "example.duckdns.org":
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token <your-duckdns-token> \
--dns-duckdns-propagation-seconds 60 \
-d "example.duckdns.org"
Generate a certificate for a DNS-01 challenge of the subdomain "cloud.example.duckdns.org":
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token <your-duckdns-token> \
--dns-duckdns-propagation-seconds 60 \
-d "cloud.example.duckdns.org"
Generate a wildcard certificate for a DNS-01 challenge of all subdomains "*.example.duckdns.org":
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token <your-duckdns-token> \
--dns-duckdns-propagation-seconds 60 \
-d "*.example.duckdns.org"
Generate a certificate for a DNS-01 challenge of the domain "example.duckdns.org" using a credentials file:
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-credentials </path/to/your/duckdns.ini> \
--dns-duckdns-propagation-seconds 60 \
-d "example.duckdns.org"
Generate a certificate for a DNS-01 challenge of the domain "example.duckdns.org" without an account (i.e. without an email address):
certbot certonly \
--non-interactive \
--agree-tos \
--register-unsafely-without-email \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token <your-duckdns-token> \
--dns-duckdns-propagation-seconds 60 \
-d "example.duckdns.org"
Generate a staging certificate (i.e. temporary testing certificate) for a DNS-01 challenge of the domain " example.duckdns.org":
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token <your-duckdns-token> \
--dns-duckdns-propagation-seconds 60 \
-d "example.duckdns.org" \
--staging
Try to update all currently generated certificates:
certbot renew
You can find al list of all available certbot cli options in the official documentation of certbot.
Docker usage
You can simply start a new container and use the same certbot commands to obtain a new certificate:
docker run -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest \
certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-token <your-duckdns-token> \
--dns-duckdns-propagation-seconds 60 \
-d "example.duckdns.org"
Or you can use a credentials file:
docker run -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" -v "/absolute/path/to/your/duckdns.ini:/conf/duckdns.ini" infinityofspace/certbot_dns_duckdns:latest \
certonly \
--non-interactive \
--agree-tos \
--email <your-email> \
--preferred-challenges dns \
--authenticator dns-duckdns \
--dns-duckdns-credentials /conf/duckdns.ini \
--dns-duckdns-propagation-seconds 60 \
-d "example.duckdns.org"
If you want to use the docker image to renew your certificates automatically, you can do this with the host cron, for example. To use this example you must have crontab and cron installed beforehand. Note that depending on the installation you may need to use the crontab of a root user to access the docker daemon or file directories. For example, use the following crontab expression:
0 3 */8 * * docker run --rm -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_duckdns:latest certbot renew
This will start a temporary docker container every 8 days at 3am and tries to renew expiring certificates.
An example for the usage with docker-compose can be found here.
FAQ
You can the FAQ in the wiki.
Third party notices
All modules used by this project are listed below:
Name | License |
---|---|
certbot | Apache 2.0 |
requests | Apache 2.0 |
zope.interface | ZPL-2.1 |
setuptools | MIT |
dnspython | ISC |
Furthermore, this readme file contains embeddings of Shields.io.
License
MIT - Copyright (c) 2021 Marvin Heptner
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for certbot_dns_duckdns-0.6-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 943901def32c08c7ae9a2aa9cf843a197ae200e3911c855c6ebc49b225fb9a70 |
|
MD5 | c808888845b30d0bbb42434375f0582d |
|
BLAKE2b-256 | 98ba06f41a488b1092583ffbf251d813c2db5da5771fc0c52b8f8ac719419ce8 |