2ccd6d9f14
DNS-01 authenticator that walks up the labels of the validation name, calls findzone on the dns-server RPC to locate the registered parent zone, then addrecord/deleterecord around the TXT challenge. Auth is HTTP Basic with the shared rpc key (matches the protocol the yeil DNS web app uses in dns/src/lib/rpc.ts).
certbot-dns-yeil
yeil DNS Authenticator plugin for Certbot.
Talks to the yeil dns-server's RPC over HTTP Basic auth — the same RPC the yeil DNS web app uses. Use this on hosts that can reach the dns-server directly (NetBird-attached, typically). For internet-only clients, expose an HTTP API in front of the RPC and write a separate plugin against it.
Wildcard certs require DNS-01, so this plugin (or another DNS authenticator)
is needed for *.example.com.
Installation
pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git
Configuration
The plugin reads yeil_rpc_url and yeil_rpc_key from a credentials INI.
dns_yeil_rpc_url = http://100.123.x.x:6969
dns_yeil_rpc_key = the-rpc-key-from-dns-server-config
chmod 600 it.
yeil_rpc_url is the URL of any one of the dns-server NSes — they share
the underlying Postgres so writes propagate either way.
Usage
certbot certonly \
--authenticator dns-yeil \
--dns-yeil-credentials /etc/letsencrypt/yeil.ini \
-d smtp.yeil.org \
--preferred-challenges dns
For wildcards:
certbot certonly \
--authenticator dns-yeil \
--dns-yeil-credentials /etc/letsencrypt/yeil.ini \
-d yeil.org -d '*.yeil.org'
How it works
For each requested name, the plugin walks up the labels and calls the
dns-server's findzone RPC until it finds the registered zone. It then
creates a TXT record at _acme-challenge.<rel> via addrecord, waits
for propagation, and on cleanup calls deleterecord with the saved
record id.