Is there a plugin (or way) to ask certbot to give me back DNS records needed for validation to issue a wildcard certificate?

My scenario is I have an erlang server that's running which uses bash to call certbot to issue a certificate. This server also runs DNS, which has its own custom API (for adding DNS records).

I'm trying to issue wildcard certificates for my domain (ACMEv2). So what I need is a way to ask certbot to give me back the DNS records (in a non-interactive way) by printing them to STDOUT (ideally in JSON format), so I can parse the result and add them to my DNS server. This way I can make the final request to get my certificates with the required DNS records in place.

I tried using https://github.com/EnigmaBridge/certbot-external-auth, but this tool requires manual input (it asks if I can share my email address). This does not give me what I need.

Any help is greatly appreciated!

Does this help?

1 Like

It does, thank you! My solution:

certbot certonly --agree-tos --non-interactive --manual-public-ip-logging-ok --register-unsafely-without-email --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges=dns --manual-auth-hook /tmp/auth.sh --manual-cleanup-hook /tmp/cleanup.sh -d '*.domain.com'

root@host:~# cat /tmp/auth.sh
#!/bin/bash
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the auth hook.
set -eu

CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
TXT="$CERTBOT_VALIDATION"

# Record name and TXT value, comma separated, for the DNS-API caller to pick up.
echo "${CREATE_DOMAIN},${TXT}" > /tmp/challenge.txt

I now have a file with the TXT record that I can use to update my DNS server.

1 Like

For what it's worth, it's dangerous to run that as root on a multi-user system. (And any system is "multi-user" if it gets compromised.) A regular user could, for example, do "ln -s /etc/passwd /tmp/challenge.txt" and trick Certbot into trashing /etc/passwd next time it runs. If they're clever, it could possibly be used for privilege escalation, rather than just causing damage.

2 Likes
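An added example, not code from the thread, that combines the auth-hook approach from the accepted solution with the symlink concern raised in the last reply. It writes the record as JSON into a root-owned directory instead of /tmp (the path /var/lib/acme-hooks and the ACME_HOOK_DIR override are assumptions for this example), refuses to write through a symlink, creates the file with mktemp so a pre-planted name cannot hijack it, and doubles as the cleanup hook when invoked with the argument `cleanup`. It relies only on CERTBOT_DOMAIN, CERTBOT_VALIDATION and the hook invocation behaviour that the thread already uses; the sample domain and validation value in the usage comments are constructed.

```shell
#!/bin/bash
# Hardened Certbot manual hook (added example; not from the original thread).
# Usage:   --manual-auth-hook /usr/local/sbin/acme-hook.sh
#          --manual-cleanup-hook "/usr/local/sbin/acme-hook.sh cleanup"
# Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION in the hook's environment.
set -eu

# Assumed location for this example: a directory only root can write to, so
# an unprivileged user cannot plant a symlink (the real defence against the
# /tmp attack). Overridable for testing via ACME_HOOK_DIR.
HOOK_DIR="${ACME_HOOK_DIR:-/var/lib/acme-hooks}"

# challenge_name DOMAIN -> the TXT record name the ACME server will query
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# write_challenge NAME VALUE OUTFILE
# Writes {"name":...,"type":"TXT","value":...} to OUTFILE without following
# a symlink at OUTFILE. Returns 1 if OUTFILE exists and is not a regular file.
write_challenge() {
    local name="$1" value="$2" out="$3"
    local dir tmp
    dir=$(dirname "$out")
    if [ -L "$out" ] || { [ -e "$out" ] && [ ! -f "$out" ]; }; then
        echo "refusing to write: $out is not a regular file" >&2
        return 1
    fi
    # mktemp creates a brand-new 0600 file with an unpredictable name, so a
    # symlink planted in advance cannot redirect this write.
    tmp=$(mktemp "$dir/.challenge.XXXXXX")
    # Domain labels and ACME validation tokens contain no JSON metacharacters.
    printf '{"name":"%s","type":"TXT","value":"%s"}\n' "$name" "$value" > "$tmp"
    # rename(2) swaps the file into place atomically; the DNS-API caller never
    # sees a half-written record.
    mv -f "$tmp" "$out"
}

# cleanup_challenge OUTFILE -> removes the record file if it is a regular file
cleanup_challenge() {
    local out="$1"
    if [ -e "$out" ] && [ ! -L "$out" ] && [ -f "$out" ]; then
        rm -f -- "$out"
    fi
    return 0
}

main() {
    : "${CERTBOT_DOMAIN:?set by certbot}"
    local out="$HOOK_DIR/challenge.json"
    if [ "${1:-auth}" = "cleanup" ]; then
        cleanup_challenge "$out"
        return 0
    fi
    : "${CERTBOT_VALIDATION:?set by certbot}"
    mkdir -p -m 0700 "$HOOK_DIR"
    write_challenge "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION" "$out"
    # Echo the record as well; certbot logs hook output, which helps debugging.
    # Constructed example of the result for CERTBOT_DOMAIN=domain.com,
    # CERTBOT_VALIDATION=abc123:
    # {"name":"_acme-challenge.domain.com","type":"TXT","value":"abc123"}
    cat "$out"
}

# Run only when certbot invoked us (its variables are present); otherwise the
# functions above can be sourced and exercised on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main "$@"
fi
```

The wrapper that drives the DNS API then reads `challenge.json` from the root-owned directory rather than from /tmp, and the cleanup invocation removes it after certbot has finished validation, so a stale record name and value do not linger on disk between runs.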

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.