External API interaction with DNS-01 challenge

Hi,

I'm trying to achieve the following:

  1. A user sends a LetsEncrypt verification request for their domain names via an API request.
  2. The API will run the command to get the TXT records for validations.
    /usr/local/bin/certbot --debug --email dev@elemento.io --no-eff-email --agree-tos certonly --no-redirect --keep --expand -d abc.ivfexplained.com.au -d xyz.ivfexplained.com.au --cert-name ivfexplained.com.au --preferred-challenges dns --manual
  3. The API will return the TXT records for the user to enter them.
  4. The API will send a LetsEncrypt request to validate the domain and generate SSL certificate.

The problem is that the command (2) does not run interactively, every time it is entered a new TXT record is generated, and it always waits for user interaction "Press Enter to Continue".

Any ideas how to implement this solution?

Thanks

I'm a bit confused about what you're trying to accomplish with your API. What are you trying to do by being "between" your API users and Let's Encrypt's servers?

Each order will use different challenge tokens, yes, so when you try to create an order and give the DNS tokens to the user, later once they complete it you'd need to finish the order. Certbot may not be the easiest ACME Client to integrate for this, but you might be able to put something together by using your own manual auth hook.


Hi @AtoZ

I think that's the wrong way. Better: Certbot is the wrong tool to do that.

There are a lot of client libraries. Use one of these.


Or even better: don't do this at all.

If I understand this construction correctly, OP will generate the private key corresponding to the issued certificate for the user who's actually requesting the certificate from OP.

And we all know that's a BAD THING.

A managed hosting dashboard, where I don't expect the user to enter SSH and use certbot. Instead, I want to do it in API steps. First, tell the user to add the TXT records. Then, verify the user added them with another API call. The problem with certbot is that it doesn't let you do that in 2 steps, if you invoke the command, it generates the TXT records and does the verification in the same script.
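The two API steps described above, as an added example that is not part of the thread: step 1 derives the `_acme-challenge` TXT values the way RFC 8555 section 8.4 specifies (base64url of SHA-256 over token.thumbprint), step 2 checks that the records are published before the ACME server would be asked to validate. The challenge tokens, the account JWK and the `resolve_txt` callback are all constructed stand-ins; a real client takes the tokens from the ACME server's challenge objects and does a real DNS lookup.

```python
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' account-key-thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())


# Constructed sample account key (not a real key; only its thumbprint is used).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS1jb25zdHJ1Y3RlZC14", "y": "c29tZS1jb25zdHJ1Y3RlZC15"}


@dataclass
class PendingOrder:
    domains: list
    records: dict  # "_acme-challenge.<domain>" -> expected TXT value


class TwoStepDns01:
    """Step 1 hands out records; step 2 checks them. State lives between the two API calls."""

    def __init__(self, account_jwk: dict, resolve_txt):
        self.thumb = jwk_thumbprint(account_jwk)
        self.resolve_txt = resolve_txt  # callable(name) -> set of TXT strings currently published
        self.orders: dict[str, PendingOrder] = {}

    def start(self, domains):
        # Tokens are constructed locally here; a real client reads them from the ACME challenge objects.
        # Every order gets fresh tokens, which is why a re-run of certbot shows different TXT records.
        records = {f"_acme-challenge.{d}": dns01_txt_value(b64url(secrets.token_bytes(32)), self.thumb)
                   for d in domains}
        order_id = b64url(secrets.token_bytes(8))
        self.orders[order_id] = PendingOrder(list(domains), records)
        return order_id, records

    def check(self, order_id: str) -> list:
        """Return the record names that are still missing or wrong; empty means ready to finalize."""
        order = self.orders[order_id]
        return [name for name, value in order.records.items() if value not in self.resolve_txt(name)]
```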

Well, I think that (1) you may want to explore automating an HTTP-01 challenge for the user so they don't have to do anything, assuming you don't have control over the DNS being used but do control the web site, and (2) Certbot is probably one of the hardest clients to try to integrate since it's designed for people running on their own. You probably want some other ACME library or program.

I already automated it for HTTP-01 using certbot. I also investigated the hook. The hooks auto-run before and after the command, but it has no way to bypass the validation and replacing user's input. I tried yourivw/leclient - Packagist and it seems to work fine and generates 4 certificate files: public.pem, private.pem, certificate.crt, fullchain.crt - but I am quite unsure how to copy them to /etc/letsencrypt/ folder so they are synced with the other certificates. (I want to keep using certbot).

There is no good way to accomplish this. I built an API driven ACME client to handle a similar need.

An option you could explore, is having your users CNAME the acme-challenge record onto an acme-dns instance, and then messing with the internals of acme-dns database to make things more predictable. That would still require a massive amount of work on custom certbot scripts, or using another client. Nothing would be predictable.

Your use-case is sadly not in line with Certbot and most clients.

I also agree that Certbot isn't designed to make this easy. There's no prohibition on using Certbot for this in any sense, but it wasn't something that the Certbot developers had in mind or prioritized when writing the Certbot software.

I may have not read the thread carefully enough, but it sounds similar to how the Certbot hook for acme-dns works.

It (ab)uses --debug-challenges in order to provide the user a pause during which they can set up some prompted DNS records out-of-band.

Be wary though that --debug-challenges does not work during renewal - Certbot does not pause because it proceeds non-interactively. So it's really only good for bootstrapping _acme-challenge delegation.
