does certbot perform a DNS01 self-check during the challenge process with Lets Encrypt? I suspect not, which is a good thing in my case but it would be nice to get it confirmed. I don't see it mentioned in the documentation.
I am not sure this will work but you might try and use
--pre-hook to perform this validation.
You should get enough environment variables to do it, but I'm not sure if certbot stops when the hook exits with nonzero exit codes.
I think the pre-hook is run before any validation stuff starts. As pre-hooks can also be used to e.g. stop webservers et cetera when using the
Yes, that's the point, possibly using the hook as an hack to tell certbot whether to proceed with validation or not.
I still don't know if it works. (It's only useful in pretty limited use cases, imo)
edit: Oh, I get what you mean: there's no tokens generated at that time. Using an hook like that needs the hook to run after the challenge is set up but before the order is finalised.
Well, as I wrote, for us no self-check is a good thing so I hope they keep it that way.
Yes, given as adding that could be a "breaking change" I am sure they would offer a command line option to enable / disable it. I haven't seen it asked for by others so I can't imagine it would be a priority for them.
This does not currently happen within Certbot's code, and I don't think it ever could due to how the DNS-01 challenge is implemented and preserving backwards compatibility.
IIRC, the correct way to do this is either:
- within a Certbot DNS plugin
- within a manual auth hook script
While I don't see this happening within Certbot, I believe it could happen at any time to a Certbot DNS validator plugin. I believe some plugins did checks, and many directions for creating manual auth's have featured this. (I recall that self-checks have surfaced application-layer caching issues with some DNS providers in the past).
Even the most basic additions to the code (just a few lines) aren't making it. So even if this would be a feature request, I don't see it being added the following years.
certbot-dns-route53 does this. The boto3 library waits until it gets the "everything is propogated!" signal. Thus that's not something Certbot actually does, but the library the plugin relies on.
That's more just waiting for the API to say that the servers are all updated, it's not actually making a check from the client to the public DNS server to ensure that it looks correct from the client's perspective.
And in general, I think that split-horizon DNS is common enough that it wouldn't make sense a lot of times for a client like certbot to just do a self-check, and even if it did end up adding one by default then there would need to be an easy way to configure the DNS server to use or turn it off.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.