File: PKG-INFO

python-certbot-dns-standalone 1.2.1-1
Metadata-Version: 2.2
Name: certbot-dns-standalone
Version: 1.2.1
Summary: Standalone DNS Authenticator plugin for Certbot
Home-page: https://github.com/siilike/certbot-dns-standalone
Author: Lauri Keel
License: Apache License 2.0
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Plugins
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Classifier: Topic :: System :: Installation/Setup
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Requires-Python: >=3.9
Description-Content-Type: text/x-rst
License-File: LICENSE.txt
Requires-Dist: acme>=0.21.1
Requires-Dist: certbot>=3.0.0
Requires-Dist: dnslib>=0.9.0
Requires-Dist: mock
Requires-Dist: setuptools
Provides-Extra: docs
Requires-Dist: Sphinx>=1.0; extra == "docs"
Requires-Dist: sphinx_rtd_theme; extra == "docs"
Dynamic: author
Dynamic: classifier
Dynamic: description
Dynamic: description-content-type
Dynamic: home-page
Dynamic: license
Dynamic: provides-extra
Dynamic: requires-dist
Dynamic: requires-python
Dynamic: summary

Standalone DNS Authenticator plugin for Certbot
===============================================

This is a Certbot plugin that uses an integrated DNS server to serve the
``_acme-challenge`` records itself, so the domain's own DNS records do not
have to be modified for each validation.

Installation
============

pip
---

::

    # pip3 install certbot certbot-dns-standalone

snap
----

::

    # snap install certbot certbot-dns-standalone
    # snap set certbot trust-plugin-with-root=ok
    # snap connect certbot:plugin certbot-dns-standalone
    # snap connect certbot-dns-standalone:certbot-metadata certbot:certbot-metadata

Debian
------

::

    # apt-get install certbot python3-certbot-dns-standalone

Docker
------

See below.

Usage
=====

First, you need to pick a central address for certbot, e.g.
``acme.example.com``.

Next, the ``_acme-challenge`` records need to be pointed to
``$domain.acme.example.com`` using CNAME records, e.g. for ``example.net``:

::

    _acme-challenge  IN  CNAME  example.net.acme.example.com.

Finally, you need to point ``*.acme.example.com`` to certbot. There are two
options for that.

Firstly, if you have an IP address with port ``53`` available, you could
configure it as the nameserver for ``acme.example.com``:

::

    acme     IN  NS  ns.acme.example.com.
    ns.acme  IN  A   1.2.3.4

where ``1.2.3.4`` is the IP of the server where certbot will be run. This
configuration directs any requests to ``*.acme.example.com`` to ``1.2.3.4``
where the plugin will respond with the relevant challenge.

Any server can be used as long as port ``53`` is available, which means that
no other DNS server can be run on that particular IP at the same time.

You can then run certbot as follows:

::

    certbot --non-interactive --agree-tos --email certmaster@example.com certonly \
      --authenticator dns-standalone \
      --dns-standalone-address=1.2.3.4 \
      -d example.net -d '*.example.net'

Secondly, if you already run a DNS server, you could configure it to forward
all requests for ``*.acme.example.com`` to another IP/port on which you run
certbot instead.

With Knot DNS you can use ``mod-dnsproxy``:

::

    remote:
      - id: certbot
        address: 127.0.0.1@5555

    mod-dnsproxy:
      - id: certbot
        remote: certbot
        fallback: off

    zone:
      - domain: acme.example.com
        module: mod-dnsproxy/certbot

Using this configuration all requests to ``*.acme.example.com`` are directed
to ``127.0.0.1`` port ``5555``.

You can then run certbot as follows:

::

    certbot --non-interactive --agree-tos --email certmaster@example.com certonly \
      --authenticator dns-standalone \
      --dns-standalone-address=127.0.0.1 \
      --dns-standalone-port=5555 \
      -d example.net -d '*.example.net'

By default the plugin binds to all available interfaces. The validation usually
takes less than a second.
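
The delegation scheme above is easy to get subtly wrong (a CNAME pointing under the wrong zone, or an NS record that does not resolve to the certbot host), and a mistake only surfaces when certbot fails validation. The following pre-flight check is an added example, not part of certbot-dns-standalone; it assumes a ``lookup(name, rtype)`` resolver hook that you supply, and a constructed in-memory zone stands in for it here so the check runs offline.

```python
from typing import Callable, Dict, List, Optional, Tuple

def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."

def _bare(domain: str) -> str:
    # ACME validates ``*.example.net`` at ``_acme-challenge.example.net``
    return domain[2:] if domain.startswith("*.") else domain

def expected_cname_target(domain: str, acme_zone: str) -> str:
    """example.net delegated under acme.example.com -> example.net.acme.example.com."""
    return _fqdn(_bare(domain).rstrip(".") + "." + acme_zone)

def check_delegation(domain: str, acme_zone: str, certbot_ip: Optional[str],
                     lookup: Callable[[str, str], List[str]]) -> List[str]:
    """Return problems found (empty = usable); lookup(name, rtype) -> record data (assumed hook)."""
    problems: List[str] = []
    challenge = _fqdn("_acme-challenge." + _bare(domain))
    want = expected_cname_target(domain, acme_zone)
    cnames = [_fqdn(c) for c in lookup(challenge, "CNAME")]
    if not cnames:
        problems.append(f"{challenge} has no CNAME record")
    elif want not in cnames:
        problems.append(f"{challenge} CNAME {cnames[0]} but expected {want}")
    # Option one: the acme zone is delegated by NS to the certbot host; pass
    # certbot_ip=None to skip this when a forwarding DNS server (option two) is used.
    if certbot_ip is not None:
        ns_names = [_fqdn(n) for n in lookup(_fqdn(acme_zone), "NS")]
        ns_ips = [ip for n in ns_names for ip in lookup(n, "A")]
        if certbot_ip not in ns_ips:
            problems.append(f"NS for {_fqdn(acme_zone)} resolve to {ns_ips}, "
                            f"expected {certbot_ip}")
    return problems

# Constructed zone data mirroring the README's example; example.org's CNAME is
# deliberately wrong (it points under acme.example.net) to show a failing check.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_acme-challenge.example.net.", "CNAME"): ["example.net.acme.example.com."],
    ("_acme-challenge.example.org.", "CNAME"): ["example.org.acme.example.net."],
    ("acme.example.com.", "NS"): ["ns.acme.example.com."],
    ("ns.acme.example.com.", "A"): ["1.2.3.4"],
}

def sample_lookup(name: str, rtype: str) -> List[str]:
    return SAMPLE_ZONE.get((_fqdn(name), rtype), [])

def run_sample() -> Dict[str, List[str]]:
    """Check the README's example.net (plus its wildcard) and the broken example.org."""
    return {d: check_delegation(d, "acme.example.com", "1.2.3.4", sample_lookup)
            for d in ("example.net", "*.example.net", "example.org")}
```

To use it against real DNS, replace ``sample_lookup`` with a function that queries your resolver and returns the record data as strings.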

To renew the certificates add ``certbot renew`` to ``crontab``.

Usage with Docker
=================

In order to use the latest image published on Docker Hub, run:

::

    docker run -it --rm --name certbot-dns-standalone \
      -v "/etc/letsencrypt:/etc/letsencrypt" \
      -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
      -p 8080:80 -p 1.2.3.4:53:53/tcp -p 1.2.3.4:53:53/udp \
      laurik/certbot-dns-standalone:latest certonly

where ``1.2.3.4`` is the IP address to use for responding to the challenges.
HTTP challenges should be directed to port ``8080``.

``/etc/letsencrypt`` and ``/var/lib/letsencrypt`` need to be mapped to
permanent storage.

Alternatively, you may also build the plugin image locally by running:

::

    docker build -t certbot-dns-standalone-local /path/to/certbot-dns-standalone/

and then:

::

    docker run -it --rm \
      -v "/etc/letsencrypt:/etc/letsencrypt" \
      -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
      -p 8080:80 -p 1.2.3.4:53:53/tcp -p 1.2.3.4:53:53/udp \
      certbot-dns-standalone-local certonly

Supported parameters
====================

Parameters can be specified as ``--dns-standalone-PARAMETER=VALUE``. For older
certbot versions it should be
``--certbot-dns-standalone:dns-standalone-PARAMETER=VALUE``.

Supported parameters are:

* ``address`` -- IPv4 address to bind to, defaults to ``0.0.0.0``
* ``ipv6-address`` -- IPv6 address to bind to, defaults to ``::``
* ``port`` -- port to use, defaults to ``53``

The relevant parameters in ``/etc/letsencrypt/renewal/*.conf`` are
``dns_standalone_address``, ``dns_standalone_port`` and
``dns_standalone_ipv6_address``.

Third party projects
====================

Third party projects integrating certbot-dns-standalone:

* `CertCache <https://github.com/93million/certcache>`_