Replaces direct dns-server RPC calls (admin shared key, NetBird-only reachability) with calls to the public /api/v1 surface.

The plugin now logs in with an email + app password, caches the returned Bearer for the run, then findZone/addRecord/deleteRecord through HTTPS. Any yeil user with an owned DNS zone can use it from anywhere with internet access — no more shared key, no NetBird requirement.

INI shape:

dns_yeil_email = you@yourdomain.com
dns_yeil_app_password = abcd-efgh-ijkl-mnop
# dns_yeil_base_url = https://dns.yeil.app (optional override)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
certbot-dns-yeil
yeil DNS Authenticator plugin for Certbot.
Authenticates against dns.yeil.app's public API with an email and an
app password, then adds/removes TXT records to satisfy ACME DNS-01
challenges. Works for any yeil user with an owned DNS zone — the
certbot host just needs HTTPS reachability to dns.yeil.app.
Wildcard certs require DNS-01, so this plugin (or another DNS
authenticator) is needed for *.example.com.
Installation
pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git
Configuration
Create an app password at https://account.yeil.app/security and
drop it into a credentials INI:
dns_yeil_email = you@yourdomain.com
dns_yeil_app_password = abcd-efgh-ijkl-mnop
chmod 600 it: the app password logs in as your account, and certbot warns when a credentials file is readable by other users.
Optional override if you're testing against a non-production host (keep it https; the login request carries the app password):
dns_yeil_base_url = https://dns.staging.example
Usage
certbot certonly \
--authenticator dns-yeil \
--dns-yeil-credentials /etc/letsencrypt/yeil.ini \
-d smtp.yeil.org \
--preferred-challenges dns
For wildcards:
certbot certonly \
--authenticator dns-yeil \
--dns-yeil-credentials /etc/letsencrypt/yeil.ini \
-d yeil.org -d '*.yeil.org'
How it works
The plugin logs in once per run (POST /api/v1/auth/login) and caches
the returned Bearer token. For each requested name it asks the API
which zone the account owns that covers the FQDN
(GET /api/v1/zones?suffix_of=<fqdn>), creates a TXT at
_acme-challenge.<rel> (POST /api/v1/zones/{id}/records), waits for
propagation, and on cleanup deletes the record by id
(DELETE /api/v1/zones/{id}/records/{recordId}).
The token is a real yeil session, so revoking the app password at
https://account.yeil.app/security (or hitting /logout) invalidates it
cleanly. Treat the INI file with the same care as the password itself:
anyone who can read it can log in as you.
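The per-run flow above, as an added example that is not the plugin's own code. The endpoint paths are the ones this page names; everything else is an assumption for illustration: that login takes {"email", "app_password"} and returns {"token"}, that the zone query returns {"zones": [{"id", "name"}, ...]}, that a created record returns {"id"}, and the FakeYeilApi class and its zone ids are a constructed offline stand-in for dns.yeil.app. The client takes a transport callable so a real HTTP library can be dropped in without changing the logic.

```python
"""Login once, cache the Bearer, find the owning zone, create the TXT,
delete it by id. JSON field names are assumed (see lead-in); only the
endpoint paths come from the README."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def dns01_name(fqdn: str, zone: str) -> str:
    """Owner name of the challenge TXT relative to `zone`. certbot strips a
    leading "*." before calling the authenticator, so a wildcard is the apex case."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "_acme-challenge"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return "_acme-challenge." + fqdn[: -len(zone) - 1]


class YeilDnsClient:
    def __init__(self, email, app_password, transport, base_url="https://dns.yeil.app"):
        # transport(method, url, headers, json_body) -> (status, json_body_or_None)
        # The app password is a full account credential: refuse to send it in clear.
        if urlsplit(base_url).scheme != "https":
            raise ValueError("dns_yeil_base_url must be https://")
        self.base_url, self.transport = base_url.rstrip("/"), transport
        self.email, self.app_password = email, app_password
        self._token: Optional[str] = None  # cached for the life of the run

    def _call(self, method, path, body=None, auth=True) -> dict:
        headers = {"Accept": "application/json"}
        if auth:
            headers["Authorization"] = "Bearer " + self.token()
        status, data = self.transport(method, self.base_url + path, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return data or {}

    def token(self) -> str:
        if self._token is None:  # POST /api/v1/auth/login exactly once per run
            data = self._call("POST", "/api/v1/auth/login",
                              {"email": self.email, "app_password": self.app_password}, auth=False)
            self._token = data["token"]
        return self._token

    def find_zone(self, fqdn: str) -> dict:
        data = self._call("GET", "/api/v1/zones?" + urlencode({"suffix_of": fqdn}))
        # Re-check the suffix locally and take the most specific zone, in case the
        # account owns both yeil.org and a delegated child such as lab.yeil.org (assumed).
        zones = [z for z in data.get("zones", [])
                 if fqdn == z["name"] or fqdn.endswith("." + z["name"])]
        if not zones:
            raise LookupError(f"account owns no zone covering {fqdn}")
        return max(zones, key=lambda z: len(z["name"]))

    def add_record(self, fqdn: str, validation: str) -> Tuple[int, int]:
        zone = self.find_zone(fqdn)
        rec = self._call("POST", f"/api/v1/zones/{zone['id']}/records",
                         {"name": dns01_name(fqdn, zone["name"]), "type": "TXT",
                          "content": validation, "ttl": 60})
        return zone["id"], rec["id"]  # what cleanup needs in order to DELETE by id

    def delete_record(self, zone_id: int, record_id: int) -> None:
        self._call("DELETE", f"/api/v1/zones/{zone_id}/records/{record_id}")


class FakeYeilApi:
    """Constructed in-memory stand-in for dns.yeil.app so the demo runs offline."""
    def __init__(self, email, app_password, zones: Dict[int, str]):
        self.creds, self.zones, self.records, self.log = (email, app_password), zones, {}, []

    def __call__(self, method, url, headers, body):
        u = urlsplit(url)
        if (method, u.path) == ("POST", "/api/v1/auth/login"):
            ok = (body["email"], body["app_password"]) == self.creds
            return (200, {"token": "sess-1"}) if ok else (401, None)
        if headers.get("Authorization") != "Bearer sess-1":
            return 401, None
        if (method, u.path) == ("GET", "/api/v1/zones"):
            fqdn = parse_qs(u.query)["suffix_of"][0]
            return 200, {"zones": [{"id": i, "name": n} for i, n in self.zones.items()
                                   if fqdn == n or fqdn.endswith("." + n)]}
        parts = u.path.split("/")  # /api/v1/zones/{id}/records[/{recordId}]
        if method == "POST" and len(parts) == 6:
            rid = len(self.log) + 1
            self.records[rid] = body
            self.log.append(("add", rid, body["name"], body["content"]))
            return 201, {"id": rid}
        if method == "DELETE" and len(parts) == 7 and int(parts[6]) in self.records:
            del self.records[int(parts[6])]
            self.log.append(("del", int(parts[6])))
            return 204, None
        return 404, None


def run_demo() -> list:
    """Perform + cleanup for smtp.yeil.org and the apex, as one certbot run would."""
    api = FakeYeilApi("you@yourdomain.com", "abcd-efgh-ijkl-mnop", {7: "yeil.org", 9: "lab.yeil.org"})
    client = YeilDnsClient("you@yourdomain.com", "abcd-efgh-ijkl-mnop", api)
    handles = [client.add_record("smtp.yeil.org", "validation-A"),
               client.add_record("yeil.org", "validation-B")]
    for zone_id, record_id in handles:
        client.delete_record(zone_id, record_id)
    return api.log
```

For a real run, the transport is a thin wrapper around your HTTP library, e.g. one that calls `requests.request(method, url, headers=headers, json=body)` and returns `(r.status_code, r.json() if r.content else None)`. Two choices worth keeping when adapting this: the https-only check on `dns_yeil_base_url`, because a mistyped override would otherwise ship the app password in clear, and the local suffix re-check in `find_zone`, so the TXT never lands in a zone that does not actually cover the name being validated.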