v2: authenticate via app password + use dns.yeil.app public API
Replaces direct dns-server RPC calls (admin shared key, NetBird-only reachability) with calls to the public /api/v1 surface. The plugin now logs in with an email + app password, caches the returned Bearer for the run, then findZone/addRecord/deleteRecord through HTTPS. Any yeil user with an owned DNS zone can use it from anywhere with internet access — no more shared key, no NetBird requirement.

INI shape:

dns_yeil_email = you@yourdomain.com
dns_yeil_app_password = abcd-efgh-ijkl-mnop
# dns_yeil_base_url = https://dns.yeil.app (optional override)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
41
README.md
@@ -2,13 +2,13 @@
yeil DNS Authenticator plugin for [Certbot](https://certbot.eff.org/).
Talks to the yeil dns-server's RPC over HTTP Basic auth — the same RPC the
yeil DNS web app uses. Use this on hosts that can reach the dns-server
directly (NetBird-attached, typically). For internet-only clients, expose
an HTTP API in front of the RPC and write a separate plugin against it.
Authenticates against `dns.yeil.app`'s public API with an email and an
app password, then adds/removes TXT records to satisfy ACME DNS-01
challenges. Works for any yeil user with an owned DNS zone — the
certbot host just needs HTTPS reachability to `dns.yeil.app`.
Wildcard certs require DNS-01, so this plugin (or another DNS authenticator)
is needed for `*.example.com`.
Wildcard certs require DNS-01, so this plugin (or another DNS
authenticator) is needed for `*.example.com`.
## Installation
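Review bot: the re-wrap of the wildcard paragraph (`Wildcard certs require DNS-01, so this plugin (or another DNS` / `authenticator) is needed for `*.example.com`.`) is a whitespace-only change riding along in a commit that changes the authentication model; keep the original wrapping so the diff stays focused on the RPC-to-API move. The new intro also states that the certbot host "just needs HTTPS reachability to `dns.yeil.app`", while the Configuration section in the same commit adds a `dns_yeil_base_url` override; say "to `dns.yeil.app` (or the configured base URL)" so the two sections agree.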
@@ -18,17 +18,21 @@ pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git
## Configuration
The plugin reads `yeil_rpc_url` and `yeil_rpc_key` from a credentials INI.
Create an app password at `https://account.yeil.app/security` and
drop it into a credentials INI:
```ini
dns_yeil_rpc_url = http://100.123.x.x:6969
dns_yeil_rpc_key = the-rpc-key-from-dns-server-config
dns_yeil_email = you@yourdomain.com
dns_yeil_app_password = abcd-efgh-ijkl-mnop
```
`chmod 600` it.
`yeil_rpc_url` is the URL of any one of the dns-server NSes — they share
the underlying Postgres so writes propagate either way.
Optional override if you're testing against a non-production host:
```ini
dns_yeil_base_url = https://dns.staging.example
```
## Usage
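Review bot: `dns_yeil_base_url` is documented as an override "if you're testing against a non-production host" without saying that the value must be an `https://` URL. The login request carries the email and app password and every later call carries the Bearer token, so an `http://` override would put both on the wire in the clear; state the scheme requirement next to the `dns_yeil_base_url = https://dns.staging.example` example, and have the plugin refuse a non-TLS base URL rather than silently use it. A sentence after "`chmod 600` it." is also warranted: the app password is a full account login (the "How it works" section calls the resulting token a real yeil session), so anyone who can read this INI can manage every zone the account owns, not only the zone the certificate is for. Recommend a dedicated account or a separate app password per certbot host so that revoking one at `https://account.yeil.app/security` does not disturb the others.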
@@ -51,8 +55,13 @@ certbot certonly \
## How it works
For each requested name, the plugin walks up the labels and calls the
dns-server's `findzone` RPC until it finds the registered zone. It then
creates a TXT record at `_acme-challenge.<rel>` via `addrecord`, waits
for propagation, and on cleanup calls `deleterecord` with the saved
record id.
The plugin logs in once per run (`POST /api/v1/auth/login`) and caches
the returned Bearer token. For each requested name it asks the API
which zone the account owns that covers the FQDN
(`GET /api/v1/zones?suffix_of=<fqdn>`), creates a TXT at
`_acme-challenge.<rel>` (`POST /api/v1/zones/{id}/records`), waits for
propagation, and on cleanup deletes the record by id
(`DELETE /api/v1/zones/{id}/records/{recordId}`).
The token is a real yeil session — revoking the app password (or
hitting `/logout`) invalidates it cleanly.
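Review bot: the text says the plugin logs in once per run (`POST /api/v1/auth/login`) and caches the Bearer, and that hitting `/logout` invalidates the session cleanly, but it never says whether the plugin itself calls `/logout` once cleanup has finished. If it does not, every certbot run leaves a live session on the account until server-side expiry; either have cleanup log out after the `DELETE /api/v1/zones/{id}/records/{recordId}` and say so here, or document the session lifetime so operators know what "invalidates it cleanly" is protecting against. The zone lookup (`GET /api/v1/zones?suffix_of=<fqdn>`) also replaces the old walk-up-the-labels `findzone` search without saying which zone is used when the account owns both a parent and a child zone covering the FQDN; state that the most specific (longest) match wins, since `_acme-challenge.<rel>` is computed relative to the chosen zone and a wrong choice would place the TXT record where the CA never looks.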