# certbot-dns-yeil

yeil DNS Authenticator plugin for [Certbot](https://certbot.eff.org/).

Talks to the yeil dns-server's RPC over HTTP Basic auth — the same RPC the yeil DNS web app uses. Use this on hosts that can reach the dns-server directly (NetBird-attached, typically). For internet-only clients, expose an HTTP API in front of the RPC and write a separate plugin against it.

Wildcard certs require DNS-01, so this plugin (or another DNS authenticator) is needed for `*.example.com`.

## Installation

```sh
pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git
```

## Configuration

The plugin reads `yeil_rpc_url` and `yeil_rpc_key` from a credentials INI (the keys carry the `dns_yeil_` prefix in the file):

```ini
dns_yeil_rpc_url = http://100.123.x.x:6969
dns_yeil_rpc_key = the-rpc-key-from-dns-server-config
```

`chmod 600` it. `yeil_rpc_url` is the URL of any one of the dns-server NSes — they share the underlying Postgres, so writes propagate either way.

## Usage

```sh
certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d smtp.yeil.org \
  --preferred-challenges dns
```

For wildcards:

```sh
certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d yeil.org -d '*.yeil.org'
```

## How it works

For each requested name, the plugin walks up the labels and calls the dns-server's `findzone` RPC until it finds the registered zone. It then creates the `_acme-challenge.` TXT record for that name via `addrecord`, waits for propagation, and on cleanup calls `deleterecord` with the saved record id.
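The zone walk-up and record lifecycle described above, as an added Python example that is not the plugin's own code. The RPC client interface (`findzone`, `addrecord`, `deleterecord` and their return shapes) is assumed and stubbed in memory, and the wildcard handling follows the ACME rule that `*.yeil.org` validates at `_acme-challenge.yeil.org`.

```python
ACME_LABEL = "_acme-challenge"

class FakeYeilRpc:
    """In-memory stand-in for the dns-server RPC; constructed for this example."""
    def __init__(self, zones):
        self.zones = set(zones)  # registered zone names, e.g. {"yeil.org"}
        self.records = {}        # record id -> (zone, name, type, value)
        self._next_id = 1

    def findzone(self, name):
        # Assumed shape: the zone name if registered, else None.
        return name if name in self.zones else None

    def addrecord(self, zone, name, rtype, value):
        # Assumed shape: returns a record id the caller saves for cleanup.
        rid = self._next_id
        self._next_id += 1
        self.records[rid] = (zone, name, rtype, value)
        return rid

    def deleterecord(self, rid):
        del self.records[rid]

def validation_name(domain):
    """ACME puts the TXT record at _acme-challenge.<base>; a wildcard's '*.' is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"{ACME_LABEL}.{base}"

def find_zone(rpc, name):
    """Walk up the labels (smtp.yeil.org -> yeil.org -> org) until findzone
    reports a registered zone; None if no suffix is registered."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = rpc.findzone(".".join(labels[i:]))
        if zone:
            return zone
    return None

def perform(rpc, domain, validation):
    """Create the challenge TXT record (the plugin then waits for propagation)
    and return the record id that cleanup needs."""
    name = validation_name(domain)
    zone = find_zone(rpc, name)
    if zone is None:
        raise RuntimeError(f"no registered zone for {name}")
    return rpc.addrecord(zone, name, "TXT", validation)

def cleanup(rpc, record_id):
    """Remove the record by the id saved from perform()."""
    rpc.deleterecord(record_id)
```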