# certbot-dns-yeil

yeil DNS Authenticator plugin for [Certbot](https://certbot.eff.org/). It authenticates against `dns.yeil.app`'s public API with an email and an app password, then adds and removes TXT records to satisfy ACME DNS-01 challenges.

Works for any yeil user who owns a DNS zone; the certbot host only needs HTTPS reachability to `dns.yeil.app`. Wildcard certs require DNS-01, so this plugin (or another DNS authenticator) is needed for `*.example.com`.

## Installation

```sh
pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git
```

## Configuration

Create an app password at `https://account.yeil.app/security` and drop it into a credentials INI:

```ini
dns_yeil_email = you@yourdomain.com
dns_yeil_app_password = abcd-efgh-ijkl-mnop
```

`chmod 600` it: the app password is a credential that can write to your DNS zones, so nobody but the user running certbot should be able to read the file.

Optional override if you're testing against a non-production host:

```ini
dns_yeil_base_url = https://dns.staging.example
```

## Usage

```sh
certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d smtp.yeil.org \
  --preferred-challenges dns
```

For wildcards:

```sh
certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d yeil.org -d '*.yeil.org'
```

## How it works

The plugin logs in once per run (`POST /api/v1/auth/login`) and caches the returned Bearer token. For each requested name it asks the API which zone the account owns that covers the FQDN (`GET /api/v1/zones?suffix_of=`), creates a TXT record at `_acme-challenge.<fqdn>` (`POST /api/v1/zones/{id}/records`), waits for propagation, and on cleanup deletes that record by id (`DELETE /api/v1/zones/{id}/records/{recordId}`). Deleting by id rather than by name matters: `yeil.org` and `*.yeil.org` are both validated at `_acme-challenge.yeil.org`, so two TXT records with different values coexist at the same name during one run. The token is a real yeil session; revoking the app password (or hitting `/logout`) invalidates it cleanly.
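The flow above, walked through end to end as an added example (this is not the plugin's own code). The endpoint paths follow the README, but everything else is an assumption for illustration: the JSON shapes (a `token` field from login, zone `id`/`name`, record `id`, record names relative to the zone), the exact `/logout` path, and `FakeYeilApi`, an in-memory stand-in for `dns.yeil.app` so the script runs offline. It shows the three things a practitioner wants to see: the most specific owned zone is chosen, a base-name and wildcard order for the same domain produce two TXT records at one name and are cleaned up by id without clobbering each other, and a revoked session makes the cached token useless immediately.

```python
"""Walk-through of the DNS-01 flow described above. Added example, not the plugin's own code:
the endpoint paths follow the README, but the JSON shapes ("token" from login, zone "id"/"name",
record "id", record names relative to the zone) are ASSUMED, and FakeYeilApi stands in for dns.yeil.app."""
import itertools


class FakeYeilApi:
    def __init__(self, email, app_password, zones):
        self._creds = (email, app_password)
        self._tokens = set()
        self._zones = {str(i + 1): z for i, z in enumerate(zones)}  # zone id -> zone name
        self._records = {zid: {} for zid in self._zones}            # zone id -> {record id: record}
        self._ids = itertools.count(100)

    def _auth(self, headers):
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        if token not in self._tokens:
            raise PermissionError("401: missing, invalid or revoked session token")
        return token

    def post_login(self, email, app_password):          # POST /api/v1/auth/login
        if (email, app_password) != self._creds:
            raise PermissionError("401: bad email or app password")
        self._tokens.add(token := f"sess-{next(self._ids)}")
        return {"token": token}

    def get_zones(self, headers, suffix_of):            # GET /api/v1/zones?suffix_of=
        self._auth(headers)
        return [{"id": zid, "name": z} for zid, z in self._zones.items()
                if suffix_of == z or suffix_of.endswith("." + z)]

    def post_record(self, headers, zone_id, body):      # POST /api/v1/zones/{id}/records
        self._auth(headers)
        rid = str(next(self._ids))
        self._records[zone_id][rid] = rec = {"id": rid, **body}
        return rec

    def delete_record(self, headers, zone_id, rid):     # DELETE /api/v1/zones/{id}/records/{recordId}
        self._auth(headers)
        del self._records[zone_id][rid]

    def post_logout(self, headers):                     # the README's /logout (exact path assumed)
        self._tokens.discard(self._auth(headers))

    def txt_values(self, zone_id, name):                # test hook, not an API call
        return sorted(r["content"] for r in self._records[zone_id].values()
                      if r["type"] == "TXT" and r["name"] == name)


def validation_name(domain):
    """certbot computes this itself: '*.yeil.org' and 'yeil.org' both validate at _acme-challenge.yeil.org."""
    return "_acme-challenge." + domain.rstrip(".").removeprefix("*.")


class YeilDns01:
    def __init__(self, api, email, app_password):      # one login per run, token cached in headers
        self.api = api
        self.headers = {"Authorization": "Bearer " + api.post_login(email, app_password)["token"]}
        self._created = []                              # (zone_id, record_id) pairs we own

    def zone_for(self, name):
        zones = self.api.get_zones(self.headers, suffix_of=name)
        if not zones:
            raise LookupError(f"account owns no zone covering {name}")
        return max(zones, key=lambda z: len(z["name"]))  # most specific zone if several match

    def perform(self, name, validation):
        zone = self.zone_for(name)
        relative = name[: -(len(zone["name"]) + 1)]     # '_acme-challenge.smtp' inside zone 'yeil.org'
        rec = self.api.post_record(self.headers, zone["id"],
                                   {"type": "TXT", "name": relative, "content": validation, "ttl": 60})
        self._created.append((zone["id"], rec["id"]))
        return rec["id"]

    def cleanup(self):
        # Delete by id, never by name: a base-name and a wildcard order share one TXT name.
        for zone_id, rid in self._created:
            self.api.delete_record(self.headers, zone_id, rid)
        count, self._created = len(self._created), []
        return count


def demo():
    email, pw = "you@yourdomain.com", "abcd-efgh-ijkl-mnop"           # constructed credentials
    api = FakeYeilApi(email, pw, zones=["yeil.org", "example.net"])    # constructed account
    auth = YeilDns01(api, email, pw)
    orders = [("yeil.org", "tokenA"), ("*.yeil.org", "tokenB")]        # constructed ACME tokens
    ids = [auth.perform(validation_name(d), v) for d, v in orders]
    out = {"ids": ids, "during": api.txt_values("1", "_acme-challenge"),
           "deleted": auth.cleanup(), "after": api.txt_values("1", "_acme-challenge")}
    try:                                    # a name outside every owned zone is refused up front
        auth.perform(validation_name("smtp.notmine.test"), "tokenC")
    except LookupError:
        out["unowned_rejected"] = True
    api.post_logout(auth.headers)           # revoking the session invalidates the cached token
    try:
        auth.perform(validation_name("smtp.yeil.org"), "tokenD")
    except PermissionError:
        out["revoked_rejected"] = True
    return out
```

Run `demo()` to see both challenge records present at `_acme-challenge.yeil.org` before cleanup and none after; the record TTL of 60 and the "longest matching zone wins" rule are choices of this example, not documented behaviour of the real API.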