This repository has been archived by the owner on May 2, 2021. It is now read-only.

Discontinued: This hook never worked very well and AcmeTool seems to be mostly abandoned. I encourage you to migrate to a better way to manage certificates: use CNAME delegation to (ideally) your own DNS server for ACME DNS-01 validation only, or use it to delegate to some other DNS provider that is natively supported by whichever client you use.

Amunak/acmetool-wapi-hook

AcmeTool WAPI Hook

This is an AcmeTool hook for Wedos's API (WAPI) for the DNS-01 ACME challenge.

It aims to support regular challenges (although there are faster and better verification methods for those) as well as wildcard certificate verification, including wildcards for subdomains (to be fair, there's really no difference from regular challenges, but whatever).


Discontinued

This hook never worked very well and AcmeTool seems to be mostly abandoned by its author, so I wanted to migrate to something else, something more reliable and less ... wrong.

I would like to encourage you to migrate to a better way to manage certificates: use CNAME delegation (setting up records like _acme-challenge.example.com CNAME some.zone.example.net) to a dedicated DNS server that is used for ACME DNS-01 validation only. You can easily set up bind9 to do this, or you can use dedicated software like acme-dns. This allows you to remotely, reliably and securely set records on a DNS server that - even if it were compromised - would not be of any use to the attacker. It can also make cert management easier since you only set up the CNAME records once, and you can even point them all to just one (sub)domain in the dedicated zone, so you are changing just one name's TXT records instead of manipulating the actual, live domain.

If you don't feel like running your own DNS server you can instead use CNAME delegation to pass validation to some other provider that is natively supported by whichever ACME client you choose to use.

Personally I use bind9 for serving the TXT records; it serves only one zone, and all CNAME records point to a subdomain in that zone. Then I use [nsupdate](https://linux.die.net/man/8/nsupdate) as a client to update these TXT records through a simple hook for the Dehydrated ACME client. It's elegant, reliable, way faster, and I can even set up multiple clients (with different credentials and access to different subdomains in that zone) to allow anyone to make certificates for their own domains and such.


Requirements

Pipenv, which in turn downloads the dependencies specified in Pipfile.

Installation

  1. Install Pipenv if you don't have it yet: try your distribution's repositories or - if you have pip - run sudo pip install pipenv
  2. Clone this repository on your target system that's running AcmeTool
  3. Run pipenv install in the cloned directory to install dependencies
  4. Configure the script by copying config.ini.dist to config.ini and modify the variables there
  5. Symlink wedos_hook.sh - a wrapper script that runs the Python script - into your AcmeTool hooks directory (run sudo acmetool status to find its location)
  6. Optionally test that the script itself works by running it manually with ./wedos_hook.sh test (try ./wedos_hook.sh --help for more)

Example output of the test command

The test command runs all the steps the script performs otherwise in one go: it creates a TXT record at _test-challenge.<your-domain> through the API, then checks that the record propagates to outside nameservers, and finally deletes the record again.

If it finishes successfully you can be reasonably sure that the script works.

root@example:~# /etc/acme/hooks/wedos_hook.sh test -v example.cz
INFO:root:Domain "example.cz" extracted as example.cz (TLD cz, NO SUBDOMAIN)
INFO:root:Using account "root@example.cz"
INFO:root:Pinging API to make sure basic functionality works
INFO:root:Creating record
INFO:root:Checking for DNS record propagation for a maximum of 360 tries with 10s delays (for a total of 3600 seconds)
INFO:root:Match found after 14 tries (130 seconds)
INFO:root:Looking up records for deletion
INFO:root:Deleting row IDs: 1200
INFO:root:Test success
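The propagation check in the test output above polls outside nameservers until all of them return the new TXT record. The following is an added example of that polling logic (it is not the hook's own code): `wait_for_txt_propagation` only reports success once every resolver agrees, since the ACME server may query any of them, and it uses the same 360 tries / 10 s defaults as the log. The resolver, nameserver addresses and challenge value are constructed stand-ins, not real network lookups.

```python
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A lookup returns the TXT strings that one nameserver currently answers for a name.
TxtLookup = Callable[[str, str], Iterable[str]]


def wait_for_txt_propagation(
    name: str,
    expected: str,
    nameservers: List[str],
    lookup: TxtLookup,
    max_tries: int = 360,
    delay: int = 10,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[Tuple[int, int]]:
    """Poll until every nameserver returns `expected` among the TXT values for `name`.

    Returns (tries_used, seconds_waited) on success, or None once max_tries is
    exhausted. A single stale resolver still counts as "not propagated": the ACME
    server may ask exactly that one and fail the challenge.
    """
    for attempt in range(1, max_tries + 1):
        lagging = []
        for ns in nameservers:
            try:
                answers = set(lookup(ns, name))
            except Exception:  # timeout or NXDOMAIN from this resolver: treat as "not yet"
                answers = set()
            if expected not in answers:
                lagging.append(ns)
        if not lagging:
            return attempt, (attempt - 1) * delay  # sleeps happen only between tries
        if attempt < max_tries:
            sleep(delay)
    return None


class FakeResolvers:
    """Constructed stand-in for real resolvers: a nameserver starts serving the
    record only after it has been polled `ready_after` times (simulates lag)."""

    def __init__(self, ready_after: Dict[str, int], txt: str) -> None:
        self.ready_after, self.txt, self.polls = ready_after, txt, {}

    def lookup(self, ns: str, name: str) -> Iterable[str]:
        self.polls[ns] = self.polls.get(ns, 0) + 1
        return [self.txt] if self.polls[ns] > self.ready_after[ns] else []


def demo() -> Optional[Tuple[int, int]]:
    # One resolver lags 13 polls behind the other, so the match arrives on try 14
    # after 130 seconds of waiting, mirroring the test output in the README.
    fake = FakeResolvers({"198.51.100.1": 3, "198.51.100.2": 13}, "constructed-token")
    return wait_for_txt_propagation("_test-challenge.example.cz", "constructed-token",
                                    ["198.51.100.1", "198.51.100.2"], fake.lookup,
                                    sleep=lambda s: None)
```

In real use, `lookup` would wrap a resolver library (for example dnspython with its resolver pointed at each public nameserver in turn) and `sleep` would be left at `time.sleep`.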
