Godaddy DNS API plugin for CertBot

It would be GREAT if a plugin were created for the GoDaddy DNS API.
Thought I'd Mention it.
Rip

1 Like

Certbot hasn't included any new DNS plugins for a while now, see Developer Guide — Certbot 1.16.0.dev0 documentation for more info.

That said, there's a third party plugin: GitHub - miigotu/certbot-dns-godaddy: A godaddy dns plugin using lexicon for cerbot to authenticate and retrieve letsencrypt certificates. It's mentioned in the third party plugin list from the certbot documentation: User Guide — Certbot 1.16.0.dev0 documentation

4 Likes

CertSage doesn't use dns-01 challenges, but could. The previous clients I authored did. Maybe I should add this to my todo list.

@griffin Could that be integrated with the cPanel """interface""" too perhaps? If the DNS is managed by cPanel, that is...

2 Likes

Possibly. I've seen that I can add DNS records in my cPanels and yet they only ever contain some default mail record. Oddly, the actual DNS records (including the real MX records) never show up in cPanel. It's almost as if cPanel is presenting some "secondary" DNS, which makes very little sense to me.

IIRC, "Zone Editing" on cPanel is reserved for the instance/server admins. I also believe, between cPanel's design and the environments it is typically installed in, the editing only works if that system is designated the DNS server (why would you do that? why?!?!?) or is delegated for DNS from an upstream server. I.e. it's rare for cPanel to actually manage real DNS, and it doesn't manage upstream services.

I haven't touched that thing in many years and even back then I told people to run away from it whenever they asked for help. I'm sure things have changed, but this was the status-quo a while back.

2 Likes

That certainly confirms many of my concerns. I switched CertSage to use http-01 challenges for simplicity and reliability while I used to only use dns-01 challenges in previous renditions of the software. I have mixed feelings regarding automated DNS changes. On the one hand, they offer great integration by enabling dependent functionality (like satisfying ACME dns-01 challenges). On the other hand, they are windows instead of walls that hopefully won't become doors.

I might be able to operate outside of cPanel for DNS if there is such an API that's functional (and secure). My big concern there is that I'm then trying to code around users' misunderstandings about who their domain registrars (or DNS providers) are as compared with who their hosting providers are. Even with the upcoming cPanel integration for certificate installation, CertSage will be armored against such misconceptions (and work for certificate installation for any cPanel system, not just GoDaddy's).

Maybe there's a maintained list of common authoritative DNS providers and their name servers?
I found an old one created by Intermedia. How Do I Add MX Records For My Domain (various DNS providers)? - Intermedia Knowledge Base

P.S. Just like what Google Workspace did to recognize the DNS provider when you add a new domain.

2 Likes

Which is a fine concept except that I don't feel that I have the wherewithal, especially for a donation-based project, to:

  • code intelligence into the client to detect the DNS provider
  • guard against inappropriate credentials provided by users
  • facilitate the spectrum of DNS providers and their non-standardized APIs

The last item is particularly egregious and what I believe is the Achilles heel of dns-01 automation as a whole. Unlike cPanel certificate installation, which can almost universally be accomplished through the uapi command line, DNS automation is basically subject to the implementation du jour.

Standardization. Sure, it has its limitations, but without it we're left with 5000 flavors of iPhone charger.

So to solve my immediate issue(s) I started using acme.sh. Flawless (in my case scenario). I still have ONE domain on netsol that is proving to be difficult to move because of a ton of emails and other things my client can't seem to let go of...

Obviously I use GoDaddy DNS and host the sites on my servers. Other than some secondary validation failures (LE) that do occur from time to time I have had no issues with acme.sh.

If certbot had the plugin I never would have needed to make a change. To choose from the lesser of two evils, GoDaddy DNS makes sense to me and does allow CAA records unlike the competitor.

The resulting situation is to use 2 (two) clients for my needs. Hence this feature request.

1 Like

Well... no dice. :game_die: :game_die: Sorry @Rip. :confused:

The Certbot team is not currently accepting any new DNS plugins because we want to rethink our approach to the challenge and resolve some issues like #6464, #6503, and #6504 first.

In the meantime, you’re welcome to release it as a third-party plugin. See certbot-dns-ispconfig for one example of that.

2 Likes

@Rip & @griffin I'm pretty sure my first post is still relevant....

@Rip If the third party GoDaddy certbot DNS plugin isn't what you were looking for, perhaps you could modify the acme.sh DNS script to work with certbot in manual auth hooks, if you really want to use certbot instead of acme.sh. Workaround, I know, but a possible option.

1 Like
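The workaround suggested in the post above, as an added example that is not from the thread or any of the linked projects: a certbot manual auth/cleanup hook pair for dns-01 that adds and removes the `_acme-challenge` TXT record through the GoDaddy v1 DNS API. It assumes `GODADDY_KEY` and `GODADDY_SECRET` are exported, that the zone is the last two labels of the name (adjust for ccTLD-style zones), and the hook argument names `add`/`del` are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread or any linked project): certbot manual
# hooks for dns-01 against the GoDaddy v1 DNS API. Assumes GODADDY_KEY and
# GODADDY_SECRET are exported and the zone is the last two labels of the name.
set -eu

GODADDY_API="${GODADDY_API:-https://api.godaddy.com/v1}"

# Zone that holds the record: last two labels of the FQDN (assumption).
zone_of() {
  printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Relative TXT record name, e.g. www.example.com -> _acme-challenge.www
# (certbot strips the "*." of a wildcard before calling the hook).
challenge_name() {
  local fqdn zone
  fqdn="$1"; zone="$(zone_of "$fqdn")"
  if [ "$fqdn" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${fqdn%.$zone}"
  fi
}

# Body for PATCH /domains/{zone}/records, which appends instead of replacing,
# so a base domain and its wildcard can both keep their validation tokens.
add_body() {
  printf '[{"type":"TXT","name":"%s","data":"%s","ttl":600}]' "$1" "$2"
}

api() {  # usage: api METHOD PATH [JSON_BODY]; credentials never hit argv logs
  curl -fsS -X "$1" "$GODADDY_API$2" \
    -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
    -H "Content-Type: application/json" ${3:+-d "$3"}
}

case "${1:-}" in
  add)  # --manual-auth-hook "hook.sh add"
    zone="$(zone_of "$CERTBOT_DOMAIN")"; name="$(challenge_name "$CERTBOT_DOMAIN")"
    api PATCH "/domains/$zone/records" "$(add_body "$name" "$CERTBOT_VALIDATION")"
    sleep "${PROPAGATION_WAIT:-30}"   # let the authoritative servers pick it up
    ;;
  del)  # --manual-cleanup-hook "hook.sh del": removes every TXT at that name
    zone="$(zone_of "$CERTBOT_DOMAIN")"; name="$(challenge_name "$CERTBOT_DOMAIN")"
    api DELETE "/domains/$zone/records/TXT/$name"
    ;;
esac
```

Keep the key and secret in the hook's environment (e.g. a root-only EnvironmentFile) rather than on the certbot command line, since the GoDaddy key grants write access to every zone in the account.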

Sorry @Osiris. I actually spaced the plugin you mentioned. Oddly, I can't recall anyone ever asking for help with usage of that plugin. :thinking: Is it functioning/maintained?

Adding: multiple first-party GoDaddy plugins have been refused inclusion on the grounds @Osiris linked to. Some of those include:

Using the third party dns plugin or lexicon is the correct mechanism.

2 Likes

Probably harder to find and perhaps therefore less in use?

1 Like

You're probably right. In my head anytime there's a piece of software with no one asking for help, I equate that to it being a piece of software with no users. I mean, it could be perfect, but where there's software there's someone to break it.

The two plugins mentioned by @jvanasco haven't seen commits in 3 and 2 years, respectively. The one I mentioned at the top is actively maintained it seems, with a last commit just 23 days ago. Well, its last commit is indeed 23 days ago, but the first commit is also in that ballpark at 24 days ago... So I guess it's just new, can't say it's also actively maintained yet :stuck_out_tongue: Might be buggy as (#)$*() :smiley:

2 Likes

That's a good start. I wonder if it has any external users though.

Oh! :hushed: A new toy. Good on them.

See my edit, it's brand new... So probably not many, if any.

2 Likes