eskimo a7f781e151 chore: remove em-dashes
Replaced with appropriate punctuation (colons, commas, semicolons,
periods) per grammatical context.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 23:29:50 -04:00

certbot-dns-yeil

yeil DNS Authenticator plugin for Certbot.

Authenticates against dns.yeil.app's public API with an email and an app password, then adds/removes TXT records to satisfy ACME DNS-01 challenges. Works for any yeil user with an owned DNS zone; the certbot host just needs HTTPS reachability to dns.yeil.app.

Wildcard certs require DNS-01, so this plugin (or another DNS authenticator) is needed for *.example.com.

Installation

pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git

Configuration

Create an app password at https://account.yeil.app/security and drop it into a credentials INI:

dns_yeil_email = you@yourdomain.com
dns_yeil_app_password = abcd-efgh-ijkl-mnop

Then chmod 600 the file so only its owner can read it.

Optional override if you're testing against a non-production host:

dns_yeil_base_url = https://dns.staging.example

Usage

certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d smtp.yeil.org \
  --preferred-challenges dns

For wildcards:

certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d yeil.org -d '*.yeil.org'

How it works

The plugin logs in once per run (POST /api/v1/auth/login) and caches the returned Bearer token. For each requested name it asks the API which of the account's zones covers the FQDN (GET /api/v1/zones?suffix_of=<fqdn>), creates a TXT record at _acme-challenge.<rel> (POST /api/v1/zones/{id}/records), waits for propagation, and on cleanup deletes the record by id (DELETE /api/v1/zones/{id}/records/{recordId}).

The token is a real yeil session; revoking the app password (or hitting /logout) invalidates it cleanly.
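
The zone selection and record naming described above, as an added example (not code from certbot-dns-yeil). It assumes the covering zone is the longest owned zone that is a label-wise suffix of the name and that an apex name yields a bare _acme-challenge record; mail.yeil.org is a constructed zone.

```python
# Added illustration, not the plugin's own code. Function names are hypothetical.

def _labels(name):
    """Lower-case a DNS name, drop any trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def covering_zone(fqdn, owned_zones):
    """Return the longest owned zone that is a label-wise suffix of fqdn, or None.

    Comparing whole labels (not raw strings) keeps 'notyeil.org' from being
    treated as part of 'yeil.org', which str.endswith() would get wrong.
    """
    want = _labels(fqdn)
    best, best_len = None, 0
    for zone in owned_zones:
        z = _labels(zone)
        if best_len < len(z) <= len(want) and want[-len(z):] == z:
            best, best_len = zone, len(z)
    return best


def challenge_record(domain, owned_zones):
    """Map a requested certificate name to (zone, TXT record name in that zone)."""
    # DNS-01 validates the base name, so '*.yeil.org' and 'yeil.org'
    # both resolve to the same _acme-challenge record.
    base = domain[2:] if domain.startswith("*.") else domain
    zone = covering_zone(base, owned_zones)
    if zone is None:
        raise LookupError(f"no owned zone covers {base}")
    want = _labels(base)
    rel = ".".join(want[: len(want) - len(_labels(zone))])
    # Assumption: at the zone apex <rel> is empty and the record is '_acme-challenge'.
    name = f"_acme-challenge.{rel}" if rel else "_acme-challenge"
    return ".".join(_labels(zone)), name


if __name__ == "__main__":
    zones = ["yeil.org", "mail.yeil.org"]  # constructed sample of owned zones
    for d in ["smtp.yeil.org", "*.yeil.org", "imap.mail.yeil.org"]:
        print(d, "->", challenge_record(d, zones))
```
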
