Metadata-Version: 2.1
Name: certbot-dns-standalone
Version: 1.1
Summary: Standalone DNS Authenticator plugin for Certbot
Home-page: https://github.com/siilike/certbot-dns-standalone
Author: Lauri Keel
License: Apache License 2.0
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Plugins
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Classifier: Topic :: System :: Installation/Setup
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Requires-Python: >=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*
Description-Content-Type: text/x-rst
Provides-Extra: docs
License-File: LICENSE.txt

Standalone DNS Authenticator plugin for Certbot
===============================================

This is a plugin that uses an integrated DNS server to respond to the
``_acme-challenge`` records. Simultaneous challenges are supported.

A subdomain needs to be created that defines certbot as its nameserver,
e.g. for ``acme.example.com``:

::

    acme     IN  NS  ns-acme.example.com.
    ns-acme  IN  A   1.2.3.4

where 1.2.3.4 is the IP of the server where certbot will be run. This
configuration directs any requests to ``*.acme.example.com`` to 1.2.3.4
where the plugin will respond with the relevant challenge.

Any server can be used as long as port 53 is available, which means that
a DNS server cannot be run at that particular IP at the same time.

By default the plugin binds to all available interfaces. The validation
usually takes less than a second.

Next, ``_acme-challenge`` for the domain that the certificate is
requested for must be configured as a CNAME record to
``domain.acme.example.com``, e.g. for ``example.net``:

::

    _acme-challenge  IN  CNAME  example.net.acme.example.com.

This means that any query for ``_acme-challenge.example.net`` is
resolved via ``example.net.acme.example.com`` instead, which is where
our certbot runs. No further changes to the DNS of ``example.net`` are
necessary.
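
The delegation and CNAME layout described above can be checked before a certificate is requested. The following is an added example, not part of certbot-dns-standalone: ``check_layout`` and its helpers are hypothetical names, and the sample records are constructed from the example names used in this document.

```python
# Added example: offline pre-flight check of the DNS layout described above.
# check_layout() is a hypothetical helper; SAMPLE is constructed data.

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def challenge_name(cert_name):
    """Owner name the ACME CA queries; a wildcard is validated at its base."""
    base = norm(cert_name)
    if base.startswith("*."):
        base = base[2:]
    return "_acme-challenge." + base

def expected_target(cert_name, acme_zone):
    """CNAME target under the convention above: <domain>.<delegated zone>."""
    domain = challenge_name(cert_name)[len("_acme-challenge."):]
    return domain + "." + norm(acme_zone)

def check_layout(cert_names, acme_zone, records):
    """Return a list of problems; an empty list means the layout matches."""
    rr = {}
    for owner, rtype, value in records:
        rr.setdefault((norm(owner), rtype.upper()), set()).add(norm(value))
    problems = []
    ns_hosts = rr.get((norm(acme_zone), "NS"), set())
    if not ns_hosts:
        problems.append("no NS delegation for " + norm(acme_zone))
    for host in sorted(ns_hosts):
        if not (rr.get((host, "A")) or rr.get((host, "AAAA"))):
            problems.append("no address record for nameserver " + host)
    for cert in cert_names:
        owner, want = challenge_name(cert), expected_target(cert, acme_zone)
        got = rr.get((owner, "CNAME"), set())
        if got != {want}:  # missing, duplicated, or outside the delegated zone
            problems.append("%s: CNAME is %s, expected %s"
                            % (owner, sorted(got) or "missing", want))
    return problems

# Constructed records, written as fully qualified names.
SAMPLE = [
    ("acme.example.com.", "NS", "ns-acme.example.com."),
    ("ns-acme.example.com.", "A", "1.2.3.4"),
    ("_acme-challenge.example.net.", "CNAME", "example.net.acme.example.com."),
    ("_acme-challenge.example.org.", "CNAME", "example.org.example.com."),
]

if __name__ == "__main__":
    print(check_layout(["*.example.net", "example.org"], "acme.example.com", SAMPLE))
```

The last sample record points outside the delegated zone, so the query would never reach the server running certbot; the check reports it.
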

Installation
============

::

    # pip3 install certbot certbot-dns-standalone

Usage
=====

Just run ``certbot certonly`` and use the
``dns-standalone`` plugin:

::

    # certbot certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Obtain certificates using an integrated DNS server
    (certbot-dns-standalone:dns-standalone)
    2: Spin up a temporary webserver (standalone)
    3: Place files in webroot directory (webroot)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
    Plugins selected: Authenticator dns-standalone, Installer None
    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): *.example.net

Non-interactive usage:

::

    certbot --non-interactive --agree-tos --email certmaster@example.com certonly \
        --preferred-challenges dns --authenticator dns-standalone \
        --dns-standalone-address=0.0.0.0 \
        --dns-standalone-ipv6-address=:: \
        --dns-standalone-port=53 \
        -d example.com

To renew the certificates add ``certbot renew`` to ``crontab``.

Parameters supported
--------------------

Parameters can be specified as ``--dns-standalone-PARAMETER=VALUE``. For older certbot versions it should be ``--certbot-dns-standalone:dns-standalone-PARAMETER=VALUE``.

Supported parameters are:

* ``address`` -- IPv4 address to bind to, defaults to ``0.0.0.0``
* ``ipv6-address`` -- IPv6 address to bind to, defaults to ``::``
* ``port`` -- port to use, defaults to 53

Third party projects
====================

Third party projects integrating certbot-dns-standalone:

* `CertCache <https://github.com/93million/certcache>`_