The IONOS Cloud DNS Certbot Plugin automates SSL/TLS certificate creation for IONOS Cloud zones. It implements the Authenticator interface which is used by Certbot to perform a DNS-01 challenge.
To make use of the plugin, the following is needed:
- an IONOS Cloud account
- an access token (a token can be obtained from the DCD token manager or through the Authentication API)
pip install certbot-dns-ionos
| Argument | Example | Description |
|---|---|---|
--authenticator |
dns-ionos | Tells certbot which plugin to use. dns-ionos should be used for this plugin. |
--dns-ionos-credentials |
./credentials.ini | Denotes the directory path to the credentials file. Required. |
--dns-ionos-propagation-seconds |
120 | Configures the duration in seconds that certbot waits before querying the TXT record. (Default: 120) |
As mentionned in the previous section, the --dns-ionos-credentials needs to point to an ini file containing the IONOS API access token. The file must contain the ionos_dns_token key with the value of the access token.
dns_ionos_token=YOUR_API_JWT_ACCESS_TOKEN
certbot certonly \
--authenticator dns-ionos \
--dns-ionos-credentials /path/to/credentials.ini \
--dns-ionos-propagation-seconds 60 \
--agree-tos \
--rsa-key-size 4096 \
-d 'example.com' \
-d '*.example.com'
In the background, the plugin will try to find your zone. If found, it will create a TXT record for the DNS-01 challenge. At the end of the process, the TLS/SSL certificate is generated and the TXT record is deleted.
If you encounter any issues or have suggestions, please feel free to open an issue.
This project is licensed under the Apache License 2.0 License - see the LICENSE file for details.
To develop and test the plugin locally, it is recommend to create a python virtual environment. For example: python -m venv .venv
After activating the virtual environment, the following command should be used to install the project to the virtual environment local site packages: pip install -e .
Afterwards, any changes made to the plugin will be directly reflected when executing the certbot certonly --authenticator dns-ionos (without the need to execute pip install again).
It's important to note that the following arguments need also to be provided when developing locally in a virtual environment --logs-dir, --config-dir, --work-dir, otherwise the certbot will attempt to use the global folders for logging, configuration, and work. This may not work because of the lack of permissions, so you may see errors like below if those arguments are not set:
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
As explained by the error message, to be able write to /var/log/letsencrypt/, root permissions are needed. However, when running as a root (e.g sudo certbot), the global certbot package will be used and not the one from the virtual environment. The solution is to set --logs-dir, --config-dir, and --work-dir to a different folder for which the current user has write permissions.
unit tests can be run using: make test
It's important to note that this plugin targets IONOS Cloud DNS service. IONOS offers a different service for managing DNS zones, refered to as IONOS Developer DNS API. For the latter, there is dedicated plugin managed by the community: https://github.com/helgeerbe/certbot-dns-ionos