The certbot-hooks are two scripts which can be used as pre- and post-validation hooks for certbot when run in manual mode to validate domains by DNS challenge via deSEC. They are based upon the `hook.sh` script provided by Peter Thomassen and Nils Wisiol to allow dedyn.io DNS challenge validation (see Credits below).
The main differences to the script provided by the authors above are that it is not limited to a dedyn.io domain and that the authorization token can be provided per domain, allowing certbot to validate domains owned by different deSEC accounts. Moreover, the single script has been split into two, so that either the pre- or the post-validation hook can be exchanged independently.
See Pre and Post Validation Hooks in the certbot user guide and TLS Certificate with Let’s Encrypt in the deSEC docs for further reference.
These scripts are intended to be used as the certbot pre- and post-validation hooks, which are supplied to certbot with the `--manual-auth-hook` and `--manual-cleanup-hook` command line options. Any other program that creates or renews certificates with DNS validation could use these scripts in a similar way; it just has to pass the environment variables `CERTBOT_DOMAIN` (the domain being authenticated) and `CERTBOT_VALIDATION` (the validation string) to the scripts.
Further prerequisites:

- curl
- jq

- Copy all files to a single location, e.g. `/etc/letsencrypt`. Any directory is ok, but the files `DOMAIN.desecauth` and `desec.conf` have to be placed into the same directory as the scripts `desec_auth_hook.sh` and `desec_cleanup_hook.sh`. While the scripts should be executable, the `DOMAIN.desecauth` file(s) should be chmod 600, as they contain the token used to authenticate against the deSEC API.
- Rename the file `DOMAIN.desecauth` to match the domain part of the certificate which should be created or renewed by DNS challenge, e.g. `example.com.desecauth` for the `example.com` domain. If there are multiple domains to be created or renewed, you need multiple files with matching names.
- Check the values in the file `desec.conf`. You can change the sleep timer and the TTL. If you do not provide a TTL (`TTL=`), it will be read from deSEC.
- Provide the scripts to certbot with the mentioned command line options, e.g.

```
certbot --manual-auth-hook=/etc/letsencrypt/desec_auth_hook.sh --manual-cleanup-hook=/etc/letsencrypt/desec_cleanup_hook.sh ...
```
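The following POSIX shell script is an added example and is not the project's own `desec_auth_hook.sh` or `desec_cleanup_hook.sh`. It shows the pieces such hooks have to get right: locating the per-domain `DOMAIN.desecauth` token file, refusing it unless it is mode 600, deriving the deSEC zone and the `_acme-challenge` subname from `CERTBOT_DOMAIN`, and creating (auth) or deleting (cleanup) the TXT record. Its assumptions are its own: the token file is found by walking up the labels of `CERTBOT_DOMAIN` (so `www.example.com` uses `example.com.desecauth`), `TTL` and `SLEEP` are taken from the environment instead of `desec.conf`, the deSEC RRset API lives at `DESEC_API` (default `https://desec.io/api/v1`) and accepts the JSON body built below, and all function names are invented for this example.

```shell
#!/bin/sh
# Added example, not the project's own hook scripts. Shows what a deSEC
# pre-/post-validation hook has to do: find the per-domain token file,
# refuse it unless it is mode 600, derive zone and challenge subname, and
# create (auth) or delete (cleanup) the _acme-challenge TXT record.
# Assumptions: token files sit beside this script as DOMAIN.desecauth, the
# zone is found by walking up the labels of CERTBOT_DOMAIN, TTL and SLEEP
# come from the environment (the real scripts read desec.conf), and the
# deSEC RRset API at $DESEC_API accepts the JSON shape built below.
set -eu

DESEC_API="${DESEC_API:-https://desec.io/api/v1}"

# Walk up the labels of a domain until a matching DOMAIN.desecauth exists:
# find_token_file www.example.com /etc/letsencrypt -> /etc/letsencrypt/example.com.desecauth
find_token_file() {
    name="$1"; dir="$2"
    while [ -n "$name" ]; do
        if [ -f "$dir/$name.desecauth" ]; then
            printf '%s\n' "$dir/$name.desecauth"
            return 0
        fi
        case "$name" in
            *.*) name="${name#*.}" ;;   # drop the leftmost label
            *)   name="" ;;
        esac
    done
    return 1
}

# The zone name is the token file name without the .desecauth suffix.
zone_from_token_file() {
    f="${1##*/}"
    printf '%s\n' "${f%.desecauth}"
}

# Group and other permission bits must all be off (chmod 600): the file holds the API token.
check_token_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Challenge subname relative to the zone: "_acme-challenge" at the apex,
# "_acme-challenge.www" for www.example.com in zone example.com.
challenge_subname() {
    domain="$1"; zone="$2"
    if [ "$domain" = "$zone" ]; then
        printf '_acme-challenge\n'
    else
        printf '_acme-challenge.%s\n' "${domain%.$zone}"
    fi
}

# JSON body for creating the RRset. deSEC wants TXT contents wrapped in double quotes.
rrset_payload() {
    subname="$1"; ttl="$2"; value="$3"
    printf '{"subname":"%s","type":"TXT","ttl":%s,"records":["\\"%s\\""]}\n' \
        "$subname" "$ttl" "$value"
}

# URL of one RRset, which the cleanup hook deletes again.
rrset_url() {
    printf '%s/domains/%s/rrsets/%s/TXT/\n' "$DESEC_API" "$1" "$2"
}

# $1 is "auth" (create the record, then wait) or "cleanup" (delete it).
run_hook() {
    dir=$(cd "$(dirname "$0")" && pwd)
    token_file=$(find_token_file "$CERTBOT_DOMAIN" "$dir") \
        || { echo "no DOMAIN.desecauth file for $CERTBOT_DOMAIN in $dir" >&2; exit 1; }
    check_token_mode "$token_file" \
        || { echo "$token_file must be chmod 600" >&2; exit 1; }
    token=$(cat "$token_file")
    zone=$(zone_from_token_file "$token_file")
    subname=$(challenge_subname "$CERTBOT_DOMAIN" "$zone")
    case "$1" in
        auth)
            curl -sS -f -X POST "$DESEC_API/domains/$zone/rrsets/" \
                -H "Authorization: Token $token" -H "Content-Type: application/json" \
                --data "$(rrset_payload "$subname" "${TTL:-3600}" "$CERTBOT_VALIDATION")"
            sleep "${SLEEP:-60}"   # let the record propagate before certbot queries it
            ;;
        cleanup)
            curl -sS -f -X DELETE "$(rrset_url "$zone" "$subname")" \
                -H "Authorization: Token $token"
            ;;
    esac
}

# Only act when certbot invokes us; sourcing the file just defines the functions.
if [ -n "${CERTBOT_VALIDATION:-}" ] && [ $# -ge 1 ]; then
    run_hook "$1"
fi
```

Because certbot runs hook commands through a shell, one file can serve both roles: `--manual-auth-hook "/etc/letsencrypt/desec_hook.sh auth" --manual-cleanup-hook "/etc/letsencrypt/desec_hook.sh cleanup"`. The mode check is the part worth keeping even if everything else is changed: a token file that is readable by other users hands the deSEC account to anyone on the machine, so the hook stops instead of continuing with it.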
Credits: Peter Thomassen and Nils Wisiol for the Hook for certbot DNS challenge automatization.