How to install a DNS plugin?


#1

description

  • My server is Ubuntu 18.04
  • I used certbot certonly mode

Now the question is my certs could not be renewed in auto way or manual way.

And, I know the question is from the DNS plugin. I was trying to read the doc more and more. But I really cannot understand.
About two months ago, I obtain the certs. It works. Yesterday, I received the bot’s email. It told me, my certs will expire in 20 days. I know It means the auto-renew program is not right in my server.

I used this command line:
certbot certonly -d 'wujian.rocks' -d '*.wujian.rocks' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
after this command, I added two TXT record to my dns record. There are no mistake until this time.

It works. But, It cannot auto renew and manually renew. The terminal shows:
$ certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wujian.rocks.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (wujian.rocks) from /etc/letsencrypt/renewal/wujian.rocks.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wujian.rocks/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wujian.rocks/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Plugin problem

I was install the one of plugin ’ certbot-dns-google’
pip install certbot-dns-google, It was installed, and it also in the pip lists
But, the terminal shows:
Could not choose appropriate plugin: The requested dns-google plugin does not appear to be installed The requested dns-google plugin does not appear to be installed

I know that I need to use a plugin to apply for a wildcard certificate.But I still don’t understand the document.
So I used ‘certbot certonly --manual’ mode two months ago. Maybe this is a stupid practice.

add some words

When I first time use certbot. I didn’t obtain the wildcard cert. So the command certbot renew --dry-run works fine.

In summary, both of them works fine. I only need to install a plugin that works fine.


#2

As you seem to have done, you can run the same command again to renew it manually, setting new TXT records.

certbot renew” can only renew certificates that can be managed automatically.

How did you install Certbot? If you used apt, you can install the certbot-dns-google plugin with “sudo apt install python3-certbot-dns-google”.

However, your domain is using NameSilo’s DNS service, not Google Cloud DNS.

Do you want to switch DNS providers?

Certbot doesn’t have an official NameSilo DNS plugin at the moment. If you’re a Python programmer, you could create one. You could look for other options – I found a hook on Google, but I haven’t tried it. You could also switch to an ACME client with built-in NameSilo DNS support, such as acme.sh.


#3

Thank you very much.

I used apt-get to install, like the official site certbot shows:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

Yes, I didn’t use google dns service. This is exactly one of my little puzzles. Why are there so many dns plugins? :laughing:

Maybe I will trying to create a plugin or use acme.sh. I renewed it manually today. Before the next expire, I want to do some try.

Does letencrypt have a dns plugin interface or documentation, I want to try to write a DNS plugin. But I didn’t search any information just now.

Currently I don’t know the communication mechanism between letencrypt service and dns providers.
Could please tell me some information?


#4

Because there’s a standard way to update DNS records – Certbot has a plugin for it! – and thousands of DNS providers that don’t use it. :slightly_frowning_face: So instead people write software to deal with unique HTTPS APIs.

I don’t know exactly where exactly to start.

There’s a Python library called Lexicon that provides an interface to a bunch of different DNS APIs, including NameSilo. Most of Certbot’s DNS plugins use it.

So the process for creating a Certbot NameSilo plugin would basically be to copy and paste one of the other ones (e.g. certbot-dns-cloudxns, to pick the first one alphabetically), then find and replace all of the names.

There’s an open feature request for adding a NameSilo plugin to Certbot, but there’s also an ongoing debate about how Certbot should approach DNS plugins in the future.




Certbot can also be extended a different way, with the --manual-auth-hook and --manual-cleanup-hook options, which can run an arbitrary program and pass it the necessary validation information with environment variables.

Earlier, I alluded to a blog post about a NameSilo hook written in Go. (I don’t know if it’s good, or if it still works, or if it supports creating two TXT records with the same name, which you would want to do when validating example.com and *.example.com.)


https://www.varstack.com/2017/12/08/Automating-HTTPS-certs/

I don’t want to force to to write a plugin, but if you’re a Python programmer and you want to, it might be worthwhile. You also have other options, like continuing to renew manually, using an alternate ACME client, or using an alternate DNS service.


#5

Thank you! Your helps are useful!


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.