Certbot: allow grabbing a token, stop the tool, upload to DNS and run certbot again


#1

Hello.

Since my DNS (Infoblox) is not in the supported list, I have created my own Python wrapper, which works perfectly (even for multi-domain and wildcard) and does the following:


  • dry-runs certbot once as follows:
    certbot certonly -c /etc/letsencrypt/cli.ini -d host1.domain -d host2.domain --dry-run </dev/null

Note the </dev/null, which causes a script interruption. Without this trick, the token changes.

  • upload the DNS challenge on Infoblox

  • run certbot again, without dry-run and without </dev/null at the end.

  • delete the challenges from Infoblox

Right now it works like a charm, but it’s a hacky solution (and since I have seen that you keep changing your tool, this approach is not officially supported and may stop working in the future).


#2

I think you might prefer the manual authenticator, with the --manual-auth-hook flag. This allows you to execute a script before the process continues. You could place your DNS update logic in this script, and only require a single invocation of Certbot. You will also want to look at the Hooks section of the documentation.


#3

Thank you.
That makes sense, but… right now I use Python subprocess (the acme library is not easy to pick up and use… I’ll need more time) and I grab the token from “stdout”.

But, if subprocess is still being executed, can I flush the output to grab the token?

Now I’m writing from my mobile and I can’t do any tests, but it’s something in between crappy and creepy.

It would be nice to have a clean process to get the tokens.


#4

The manual authenticator mentioned by @jared.m is the intended way to implement things like this: the token is passed to your script as an environment variable. And it’s documented what the variable is called, so you don’t have to scrape the stdout output to get the token!
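As an added example of the approach recommended in posts #2 and #4 (not Certbot's own code and not the original poster's wrapper), the script below can serve as both the --manual-auth-hook and the --manual-cleanup-hook. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook and additionally CERTBOT_AUTH_OUTPUT (whatever the auth hook printed) to the cleanup hook, so there is no stdout scraping and no interrupted dry run. The Infoblox WAPI base URL, credentials, the record:txt object fields, and the INFOBLOX_* / DNS_PROPAGATION_SECONDS environment variable names are assumptions to check against your Grid Manager's WAPI documentation.

```python
#!/usr/bin/env python3
"""Certbot DNS-01 hook for Infoblox, usable as --manual-auth-hook and --manual-cleanup-hook.

Added example for this thread; it is neither Certbot's code nor the original
poster's wrapper. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the
auth hook, and CERTBOT_AUTH_OUTPUT (the auth hook's stdout) to the cleanup hook.
The Infoblox WAPI base URL, credentials and record:txt fields are assumptions.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Operator-supplied settings (assumed variable names); Certbot does not set these.
INFOBLOX_WAPI = os.environ.get("INFOBLOX_WAPI", "https://gridmaster.example.invalid/wapi/v2.12")
INFOBLOX_USER = os.environ.get("INFOBLOX_USER", "")
INFOBLOX_PASSWORD = os.environ.get("INFOBLOX_PASSWORD", "")
INFOBLOX_VIEW = os.environ.get("INFOBLOX_VIEW", "default")
PROPAGATION_SECONDS = int(os.environ.get("DNS_PROPAGATION_SECONDS", "30"))


def challenge_record(domain, validation):
    """Build the _acme-challenge TXT record for one validation.

    A wildcard authorization is for the base name, but a leading '*.' is
    stripped defensively so the owner name is always a concrete label.
    """
    if not domain or not validation:
        raise ValueError("CERTBOT_DOMAIN and CERTBOT_VALIDATION must both be set")
    base = domain[2:] if domain.startswith("*.") else domain
    return {"name": "_acme-challenge." + base.rstrip("."), "text": validation, "view": INFOBLOX_VIEW}


def _wapi(method, path, body=None):
    """Minimal WAPI call with HTTP basic auth; returns the decoded JSON body."""
    creds = base64.b64encode(f"{INFOBLOX_USER}:{INFOBLOX_PASSWORD}".encode()).decode()
    req = urllib.request.Request(
        f"{INFOBLOX_WAPI}/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Basic " + creds, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode() or "null")


def auth_hook(env=os.environ):
    """Create the TXT record, wait for propagation, return the WAPI object ref."""
    record = challenge_record(env.get("CERTBOT_DOMAIN", ""), env.get("CERTBOT_VALIDATION", ""))
    ref = _wapi("POST", "record:txt", record)  # assumed: POST returns the new object's _ref string
    time.sleep(PROPAGATION_SECONDS)  # let secondaries catch up before the CA queries the record
    return ref


def cleanup_hook(env=os.environ):
    """Delete the record created by auth_hook, located via CERTBOT_AUTH_OUTPUT."""
    ref = env.get("CERTBOT_AUTH_OUTPUT", "").strip()
    if ref.startswith("record:txt/"):
        _wapi("DELETE", ref)
    else:  # fall back to a lookup by name and value if the ref was not captured
        record = challenge_record(env.get("CERTBOT_DOMAIN", ""), env.get("CERTBOT_VALIDATION", ""))
        query = urllib.parse.urlencode({"name": record["name"], "text": record["text"]})
        for obj in _wapi("GET", f"record:txt?{query}") or []:
            _wapi("DELETE", obj["_ref"])


def main(argv):
    mode = argv[1] if len(argv) > 1 else "auth"
    if mode == "auth":
        print(auth_hook())  # stdout becomes CERTBOT_AUTH_OUTPUT for the cleanup hook
    elif mode == "cleanup":
        cleanup_hook()
    else:
        print(f"usage: {argv[0]} auth|cleanup", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Certbot then runs the hook once per domain: certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/path/to/hook.py auth" --manual-cleanup-hook "/path/to/hook.py cleanup" -d host1.domain -d host2.domain. The cleanup hook always runs, so challenge records do not linger in the zone even when validation fails, and the propagation delay replaces the guesswork of re-running Certbot after a manual upload.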


#5

Thank you all!
It was very easy and I made it very difficult :slight_smile: