Is there a plugin (or way) to ask certbot to give me back DNS records needed for validation to issue a wildcard certificate?


#1

My scenario is I have an erlang server that’s running which uses bash to call certbot to issue a certificate. This server also runs DNS, which has it’s own custom API (for adding DNS records).

I’m trying to issue wildcard certificates to my domain (ACMEv2). So my need is, I need to find a way to ask certbot to give me back the DNS records (in a non-interactive way) which prints them to STDOUT (ideally in JSON format), to parse the result and add them to my DNS server. This way I can make the final request to get my certificates with the required DNS records.

I tried using https://github.com/EnigmaBridge/certbot-external-auth, but, this tool requires manual input (asks if I can share email address). This does not give me what I need.

Any help is greatly appreciated!


#2

Does this help?


#3

It does, thank you! My solution:

certbot certonly --agree-tos --non-interactive --manual-public-ip-logging-ok --register-unsafely-without-email --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges=dns --manual-auth-hook /tmp/auth.sh --manual-cleanup-hook /tmp/cleanup.sh -d *domain.com


root@host:~# cat /tmp/auth.sh
#!/bin/bash

CREATE_DOMAIN="_acme-challenge.$CERTBOT_DOMAIN"
TXT="$CERTBOT_VALIDATION"

echo "${CREATE_DOMAIN},${TXT}" > /tmp/challenge.txt

I now have a file with the TXT record that I can use to update my DNS server.


#4

For what it’s worth, it’s dangerous to run that as root on a multi-user system. (And any system is “multi-user” if it gets compromised.) A regular user could, for example, do “ln -s /etc/passwd /tmp/challenge.txt” and trick Certbot into trashing /etc/passwd next time it runs. If they’re clever, it could possibly be used for privilege escalation, rather than just causing damage.

https://capec.mitre.org/data/definitions/132.html


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.