Need API documentation


#1

What’s the current state of the Let’s Encrypt / ACME python API, if indeed there is one?

I’m trying to script a renewal for wildcard domains. I already have a set of classes written against my DNS provider’s (Linode) API so that I can manage the setup and removal of _acme-challenge TXT records, but I’ll need to do the following programmatically, normally performed by certbot from the CLI:

  • Possibly define a server at LetsEncrypt (acme-v02.api.letsencrypt.org)
  • Register my account with the server
  • Confirm my acceptance of IP address logging, if necessary
  • Establish the DN for which to generate a wildcard cert
  • Retrieve the DNS challenge cookies
  • Kickstart the key/cert generation
  • Retrieve the cert, key and chain PEM files for local use

The rest is just Python programming. Once I have the DNS challenge cookies I can programmatically create DNS records for them, and handle the file placement, symlinks and data structures as necessary on the local end.

I note that there are a lot of python modules and files under /usr/lib/python3/dist-packages/certbot/ but a comprehensive guide to registering with the API and programming against it will be really helpful. Does such a beast exist? I can always RE the code in /usr/bin/certbot but I always prefer good API documentation.


#2

This isn’t a direct answer, but can you turn this problem inside out?

Certbot has a Linode DNS plugin. Can you use it?

https://certbot-dns-linode.readthedocs.io/en/stable/

If you still want to use your own implementation, you can write your own Certbot DNS plugin, perhaps based on certbot-dns-linode, or one of Certbot’s other plugins. (It might be easier to take inspiration from one of the plugins that doesn’t use Lexicon.)

You could also write your own manual auth hook. It’s a different interface, where Certbot executes a program that can be written in any language, passing it some environment variables.

If all you want to do is use a custom DNS plugin, you shouldn’t need to (re)implement a whole ACME client.
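
To make the manual auth hook route concrete, here is an added example (not from this thread and not Certbot’s own code) of what such a hook looks like in Python. Certbot runs the hook once per pending authorization with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment, sets CERTBOT_REMAINING_CHALLENGES to the number of hook calls still to come, and hands the hook’s stdout to the cleanup hook as CERTBOT_AUTH_OUTPUT. The `add_txt_via_linode` function and the fixed 60-second propagation wait are placeholders standing in for the poster’s own Linode classes.

```python
#!/usr/bin/env python3
"""Manual auth hook for `certbot certonly --manual --preferred-challenges dns`.

Added example, not Certbot's code. Certbot runs this once per pending
authorization with CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment;
CERTBOT_REMAINING_CHALLENGES says how many calls are still to come, and the
hook's stdout is handed to --manual-cleanup-hook as CERTBOT_AUTH_OUTPUT.
The DNS client below is a placeholder for the poster's own Linode classes.
"""
import os
import sys
import time
from typing import Callable, Mapping, Tuple


def txt_record_name(domain: str) -> str:
    """_acme-challenge.<base>. A wildcard authorization already names the base
    domain, but strip a leading '*.' anyway so the hook is safe either way."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def plan_record(env: Mapping[str, str]) -> Tuple[str, str]:
    """Read the hook contract from the environment and decide the record."""
    try:
        domain, validation = env["CERTBOT_DOMAIN"], env["CERTBOT_VALIDATION"]
    except KeyError as missing:
        raise SystemExit(f"{missing} is unset; run this via --manual-auth-hook")
    return txt_record_name(domain), validation


def last_call_in_order(env: Mapping[str, str]) -> bool:
    """True when no further hook invocations follow for this certificate.
    Certbot asks the CA to validate only after the last one, so waiting for
    propagation on every call just multiplies the delay."""
    return env.get("CERTBOT_REMAINING_CHALLENGES", "0") == "0"


def run_hook(env: Mapping[str, str],
             add_txt: Callable[[str, str], None],
             wait_for_propagation: Callable[[], None]) -> Tuple[str, str]:
    """Publish the record, wait once at the end, and return what was added."""
    name, value = plan_record(env)
    # Add, never replace: base + wildcard put two different values at one name.
    add_txt(name, value)
    if last_call_in_order(env):
        wait_for_propagation()
    return name, value


def add_txt_via_linode(name: str, value: str) -> None:
    """Hypothetical placeholder; substitute the real Linode API call."""
    print(f"would create TXT {name} = {value}", file=sys.stderr)


if __name__ == "__main__":
    name, value = run_hook(os.environ, add_txt_via_linode, lambda: time.sleep(60))
    # Echo the record so the cleanup hook can delete exactly this one.
    print(f"{name} {value}")
```

The matching invocation is `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/auth.py --manual-cleanup-hook /path/to/cleanup.py -d example.com -d '*.example.com'`; the cleanup hook reads the name and value back from CERTBOT_AUTH_OUTPUT and deletes that one record. Certbot stores both hook paths in the renewal configuration, so a later `certbot renew` reuses them without being asked again.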


#3

Hi @fmouse

You need the normal ACME documentation. So

https://tools.ietf.org/html/draft-ietf-acme-acme-18

is your start.

Then implement the new-account and new-order. The new-order has the other steps.
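
If you do take this route and drive the protocol yourself, the step in the original list that trips people up is what the "DNS challenge cookies" actually are: the TXT value is not the token the server hands back, but a hash over the token and your account key. The following is an added example (not from this thread and not Certbot’s or the acme library’s code), stdlib only, implementing RFC 8555 sections 8.1 and 8.4 together with the RFC 7638 JWK thumbprint; the modulus, exponent and tokens at the bottom are constructed sample values, not real key material.

```python
"""What goes into the _acme-challenge TXT record for a DNS-01 challenge.

Added example, not Certbot's or the acme library's code. Pure stdlib,
following RFC 8555 sections 8.1 and 8.4 and the RFC 7638 JWK thumbprint.
The modulus, exponent and tokens used at the bottom are constructed
sample values, not a real account key or a real challenge.
"""
import base64
import hashlib
import json
from typing import Iterable, List, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_rsa_jwk(n_b64url: str, e_b64url: str) -> str:
    """RFC 7638 input: only the required members (e, kty, n), keys in
    lexicographic order, no whitespace. Any deviation changes the thumbprint
    and with it every challenge answer the account ever produces."""
    return json.dumps({"e": e_b64url, "kty": "RSA", "n": n_b64url},
                      sort_keys=True, separators=(",", ":"))


def rsa_jwk_thumbprint(n_b64url: str, e_b64url: str) -> str:
    """base64url(SHA-256(canonical JWK))."""
    canonical = canonical_rsa_jwk(n_b64url, e_b64url).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)).

    It is neither the token nor the key authorization itself; publishing
    either of those is the classic hand-rolled-client mistake."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def dns01_txt_name(identifier: str) -> str:
    """The record lives at _acme-challenge.<name> with a leading '*.' removed,
    so '*.example.com' and 'example.com' validate at the same TXT name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def records_for_order(identifiers: Iterable[str], tokens: Iterable[str],
                      thumbprint: str) -> List[Tuple[str, str]]:
    """One (name, value) TXT record per authorization in the order.

    An order for example.com plus *.example.com yields two authorizations and
    therefore two TXT records at the same name. Both must be present at once,
    so your DNS code has to add records, not replace the existing one."""
    return [(dns01_txt_name(ident), dns01_txt_value(token, thumbprint))
            for ident, token in zip(identifiers, tokens)]


if __name__ == "__main__":
    # Constructed sample values; a real modulus is a 2048-bit base64url blob.
    thumb = rsa_jwk_thumbprint(n_b64url="sample-modulus", e_b64url="AQAB")
    order = records_for_order(["example.com", "*.example.com"],
                              ["token-for-base", "token-for-wildcard"], thumb)
    for name, value in order:
        print(f'{name} IN TXT "{value}"')
```

The token comes from the dns-01 challenge object inside each authorization that the new-order response points to, and the thumbprint is derived from the same account key you use to sign every JWS request; once the records are published you POST to the challenge URL to tell the server to validate, then poll the order until it is ready, finalize it with a CSR, and download the certificate.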


#4

Thanks! I’m not sure starting from defining protocol documents will be an effective use of my time, since really all I need is a well-documented python API. mnordhoff’s suggestion to use an existing plugin which leverages the Linode DNS API may be more useful.


#5

Thanks for this suggestion, mnordhoff! I don’t really have time to reinvent the wheel, so using the certbot-dns-linode plugin may be the best way to go. My objective is to be able to automate renewal of my main DN’s wildcard cert so I don’t have to redo it manually every 3 months. Whatever is simplest and works for this purpose is what I need.


#6

You might want to take a look at

if you specifically want to write your own Python code. (This was originally written by Jakub Warmuz and is the implementation of the ACME protocol that Certbot uses, but it could be used by other clients too.)

But if you want the simplest possible solution, I agree that finding an appropriate Certbot plugin for your environment is a lot simpler than writing a new ACME client implementation!