GoDaddy DNS and Certbot DNS Challenge Scripts

Hi All,

As people may know (perhaps this is what led them to this thread), if you use GoDaddy as a DNS provider, it is not a built-in DNS provider for CERTBOT to use for DNS authentication for LetsEncrypt certificates.

My situation is that I am using LetsEncrypt for internal services, and so auto-generation scripts for a web browser will not work - these certificates are for specific internal-only web services.

Generating the certs can be done manually using the GoDaddy DNS interface, but that is not so good when you need to renew the certs.

The following is provided for others who may not be as comfortable getting this working in a scripted/automated way. I am sure these scripts are not perfect - but they do work for my purposes in my lab - do with them as you see fit - and please be aware of the security ramifications of exposing API keys and secrets (used for GoDaddy API calls) in a script - please change the way this is working for real usage outside of a low-security environment!!!

Summary:

My lab is based on a simple debian linux environment - so commands are based on that!

The process I used includes:

  1. the install and enablement of CERTBOT
  2. the creation of an API key and secret in GoDaddy for access to the API calls for the GoDaddy account
  3. the creation of custom scripts for use by CERTBOT to perform domain validation via DNS authentication process
  4. The command to get a certificate from LetsEncrypt

The process DOES NOT include information on how to use the certs - that's left to you all!

STEP 1: CERTBOT install/enablement

sudo apt-get update
sudo apt-get install snapd -y
export PATH=$PATH:/snap/bin
sudo snap install certbot  --classic
sudo certbot register --agree-tos -m email@emaildomain.ext -n

STEP 2: GoDaddy API Keys

  • go to api.godaddy.com and login to your account
  • under "API Keys" tab, select CREATE NEW API KEY button
  • choose PRODUCTION option for real usage, and give it a name for easy reference and generate
  • Copy the KEY and SECRET provided to a safe location for use, then click GOT IT button.

STEP 3: Custom Scripts
Now you will need to create 2 files: one contains the DNS commands to create a new record in the GoDaddy DNS, and the second removes that record after the certificate verification process happens. You need to create these in a safe location on your system; for this example, I am simply using the /root/ home folder.
Note: the API information is hard-coded in these scripts in this example! This is not best practice!

Script #1: /root/godaddydnsauth.sh

#!/bin/bash
#Enter your API key info from GODADDY, in the form KEY:SECRET
API_KEY="APIKEY:APISECRET"
#Strip only the top domain to get the zone id
#the domain is passed to this script by certbot in CERTBOT_DOMAIN
#this splits it in to 2 variables one each for the domain and the node
#(assumes a two-label zone such as domain.ext; adjust the patterns for domain.co.uk)
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
ITEM=$(expr match "$CERTBOT_DOMAIN" '\(.*\)\..*\..*')
#certbot strips the leading "*." from a wildcard name and passes the bare
#domain for an apex name, so there is no node part in those cases
if [[ -z "$DOMAIN" ]]; then
    DOMAIN="$CERTBOT_DOMAIN"
    ITEM=""
fi
#Create TXT record
#this is required to verify ownership of the domain by LetsEncrypt
#the content of the TXT record is provided by certbot in CERTBOT_VALIDATION
#the TTL cannot be lower than 600 for godaddy
#this TXT record will remain as this script does not clean it up
#the cleanup script (godaddydnsauthclean.sh) does that
CREATE_DOMAIN="_acme-challenge.$ITEM"
[[ -z "${ITEM}" || "${ITEM}" == '*' ]]  && CREATE_DOMAIN="_acme-challenge"
curl -X PATCH "https://api.godaddy.com/v1/domains/${DOMAIN}/records" \
     -H     "Authorization: sso-key $API_KEY" \
     -H     "Content-Type: application/json" \
     --data '[{ "type":"TXT", "name":"'"$CREATE_DOMAIN"'", "data":"'"$CERTBOT_VALIDATION"'", "ttl":600}]'
#Sleep to make sure the change has time to propagate over to DNS
sleep 60

Script #2: /root/godaddydnsauthclean.sh

#!/bin/bash
#Enter your API key info from GODADDY, in the form KEY:SECRET
API_KEY="APIKEY:APISECRET"
#Strip only the top domain to get the zone id
#certbot passes the same CERTBOT_DOMAIN it gave the auth script
#this splits it in to 2 variables one each for the domain and the node
#(assumes a two-label zone such as domain.ext; adjust the patterns for domain.co.uk)
DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
ITEM=$(expr match "$CERTBOT_DOMAIN" '\(.*\)\..*\..*')
#certbot strips the leading "*." from a wildcard name and passes the bare
#domain for an apex name, so there is no node part in those cases
if [[ -z "$DOMAIN" ]]; then
    DOMAIN="$CERTBOT_DOMAIN"
    ITEM=""
fi
#Delete the TXT record created by godaddydnsauth.sh
#certbot runs this after the validation has been attempted
#this removes every TXT record at that name in the zone
CREATE_DOMAIN="_acme-challenge.$ITEM"
[[ -z "${ITEM}" || "${ITEM}" == '*' ]]  && CREATE_DOMAIN="_acme-challenge"
curl -X DELETE \
"https://api.godaddy.com/v1/domains/${DOMAIN}/records/TXT/${CREATE_DOMAIN}"  \
-H "Authorization: sso-key $API_KEY"

After Script Commands:
These are required to make the scripts executable by CERTBOT

chmod u+x /root/godaddydnsauth.sh
chmod u+x /root/godaddydnsauthclean.sh

STEP 4: Create Certificate

This final step is simply creating a certificate manually using the following command structure:

certbot certonly --manual --preferred-challenges=dns \
--manual-auth-hook /root/godaddydnsauth.sh \
--manual-cleanup-hook /root/godaddydnsauthclean.sh \
-d host.domain.ext

Your certs should be created and stored in the default LetsEncrypt folder and you will be informed where it will be placed.

I do hope this walk-through helps others through the initial process for trying to automate getting certificates for non-public environments from LetsEncrypt when using GoDaddy-hosted DNS services.

1 Like
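A hardened version of the two hook scripts in the post above, added here as an example; it is not the original poster's code and not part of Certbot's or GoDaddy's own tooling. It assumes the same GoDaddy API v1 endpoints the post uses, GNU stat and dig on the host, a credentials file at /root/.godaddy-api holding one line KEY:SECRET with mode 0600 (path and format are assumptions), and that certbot passes the bare domain in CERTBOT_DOMAIN for wildcard and apex names. It differs from the posted scripts in four ways: one file serves both phases (selected by an "add" or "clean" argument), no secret is in the script, the zone split is a function with a configurable label count so that zones such as example.co.uk work, and instead of a blind 60 second sleep it polls every authoritative nameserver for the zone and fails loudly if the record never appears or the API returns a non-2xx status.

```shell
#!/usr/bin/env bash
# godaddy-hook.sh: one certbot manual hook for both phases ("add" and "clean").
# Added example; not the original poster's scripts. Paths and file format are assumptions.
set -uo pipefail

# Credentials: a root-owned, mode 0600 file holding one line "KEY:SECRET"
# (assumed location; nothing secret is hard-coded in the script itself).
CRED_FILE="${GODADDY_CRED_FILE:-/root/.godaddy-api}"
API="https://api.godaddy.com/v1"

load_credentials() {
  local mode
  [[ -r "$CRED_FILE" ]] || { echo "missing $CRED_FILE" >&2; return 1; }
  mode=$(stat -c '%a' "$CRED_FILE")        # GNU stat, as on Debian
  [[ "$mode" == 600 || "$mode" == 400 ]] || { echo "$CRED_FILE must be mode 0600" >&2; return 1; }
  API_KEY=$(head -n 1 "$CRED_FILE")
  [[ "$API_KEY" == *:* ]] || { echo "$CRED_FILE must contain KEY:SECRET" >&2; return 1; }
}

# zone_of NAME [LABELS]: the zone GoDaddy hosts, i.e. the last LABELS labels
# of NAME (default 2: domain.ext; pass 3 for zones such as example.co.uk).
zone_of() {
  local name="$1" labels="${2:-2}" parts
  IFS=. read -r -a parts <<< "$name"
  (( ${#parts[@]} >= labels )) || return 1
  local IFS=.
  echo "${parts[*]: -labels}"
}

# host_of NAME ZONE: the labels of NAME below ZONE, empty for the apex.
host_of() {
  local name="$1" zone="$2"
  [[ "$name" == "$zone" || "$name" == *."$zone" ]] || return 1
  name=${name%"$zone"}                     # leaves "host." or ""
  echo "${name%.}"
}

# challenge_name HOST: relative name of the DNS-01 TXT record.
# certbot hands the hook the bare domain for wildcard and apex names.
challenge_name() {
  local host="${1#\*.}"
  if [[ -z "$host" || "$host" == '*' ]]; then echo "_acme-challenge"; else echo "_acme-challenge.$host"; fi
}

# record_json NAME DATA: GoDaddy PATCH body; escape backslashes and quotes so
# an unexpected value cannot break out of the JSON string.
record_json() {
  local name="$1" data="$2"
  data=${data//\\/\\\\}; data=${data//\"/\\\"}
  printf '[{"type":"TXT","name":"%s","data":"%s","ttl":600}]' "$name" "$data"
}

# gd METHOD PATH [BODY]: call the API and fail on a non-2xx status instead of
# letting certbot continue with a record that was never created.
gd() {
  local method="$1" path="$2" body="${3:-}" out status
  out=$(mktemp)
  status=$(curl -sS -o "$out" -w '%{http_code}' -X "$method" "$API$path" \
             -H "Authorization: sso-key $API_KEY" \
             -H "Content-Type: application/json" ${body:+--data "$body"})
  [[ "$status" == 2* ]] || echo "GoDaddy $method $path -> HTTP $status: $(cat "$out")" >&2
  rm -f "$out"
  [[ "$status" == 2* ]]
}

# wait_for_txt FQDN VALUE ZONE: poll every authoritative server for the zone
# (needs dig) until all of them serve the TXT record; give up after 5 minutes.
wait_for_txt() {
  local fqdn="$1" value="$2" zone="$3" servers ns missing try
  servers=$(dig +short NS "$zone") || return 1
  [[ -n "$servers" ]] || return 1
  for try in $(seq 1 30); do
    missing=0
    for ns in $servers; do
      dig +short TXT "$fqdn" "@$ns" | grep -qF "\"$value\"" || missing=1
    done
    (( missing == 0 )) && return 0
    sleep 10
  done
  echo "TXT $fqdn not visible on all nameservers after 300s" >&2; return 1
}

main() {
  local action="${1:-}" domain zone host name
  load_credentials || return 1
  domain="${CERTBOT_DOMAIN#\*.}"
  zone=$(zone_of "$domain" "${GODADDY_ZONE_LABELS:-2}") || { echo "no zone in $domain" >&2; return 1; }
  host=$(host_of "$domain" "$zone")
  name=$(challenge_name "$host")
  case "$action" in
    add)   gd PATCH "/domains/$zone/records" "$(record_json "$name" "$CERTBOT_VALIDATION")" &&
           wait_for_txt "$name.$zone" "$CERTBOT_VALIDATION" "$zone" ;;
    clean) gd DELETE "/domains/$zone/records/TXT/$name" ;;
    *)     echo "usage: $0 add|clean (certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION)" >&2; return 2 ;;
  esac
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [[ -n "${CERTBOT_DOMAIN:-}" ]]; then main "$@"; fi
```

Invoke it with --manual-auth-hook '/root/godaddy-hook.sh add' and --manual-cleanup-hook '/root/godaddy-hook.sh clean' in the certbot certonly command from the post; set GODADDY_ZONE_LABELS=3 in certbot's environment for a three-label zone. The DELETE removes every TXT record at that name, which is what you want when one certificate covers both domain.ext and *.domain.ext, since both validations live at _acme-challenge.domain.ext; this relies on PATCH appending records rather than replacing them, the same behaviour the posted script depends on.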

A friendly reminder for those who might find this thread.

You do not have to use the DNS provided by your domain registrar. There are a number of other free or low cost DNS providers out there with better API support, better performance, better UI, etc.

Decoupling your domain registration from your DNS also makes it much easier to move to another registrar without disrupting the services running on your domain.

6 Likes

Absolutely! Great point. For my purposes, using GoDaddy was an easier solution than changing an existing domain configuration, which is what led me to this challenge. Cheers!

2 Likes

Thanks for the great post!

I've slightly modified it (changed <pre> to ``` so the code shows better in my browser; some lines were cut off for some reason and I couldn't find a way to see the entire length of the line) for better readability.

Also note that the recommended method of installing Certbot is by using snap for most distributions. Especially distros like Debian often have outdated versions.

4 Likes

Thanks - I will look to update using snap - I had been doing that prior but for my quick lab I was using default versions in the repo as per this example! Thanks!
My first post here so I struggled with formatting... :slight_smile:

4 Likes

A post was split to a new topic: Problem renewing cert - using CF DNS
