letsencrypt-inwx's Introduction

A small CLI utility for automating the Let's Encrypt dns-01 challenge for domains hosted by INWX. This allows you to obtain wildcard certificates from Let's Encrypt.

Installation

Ubuntu / Debian

  • Build the .deb package or download it from releases and install it with sudo dpkg -i <path_to_the_deb_file>

Other linux

  • Build the executable or download it from releases and copy it to /usr/bin/
  • Copy both certbot scripts from ./etc/ to /usr/lib/letsencrypt-inwx/

With cargo

  • Run cargo install letsencrypt-inwx

Configuration

You can store the configuration file at /etc/letsencrypt-inwx.json or at ~/.config/letsencrypt-inwx.json when used with certbot, or specify its path with the -c option. The configuration file should look like this (without the comments):

{
    "accounts": [
        {
            "username": "user",
            "password": "pass",
            // optional, if the domain is not configured all accounts will be tried
            "domains": [
                "example.com"
            ],
            // optional, if true the public inwx test server will be used
            "ote": false
        }
    ],
    // optional
    "options": {
        // optional, if true letsencrypt-inwx will not wait until the created record is publicly visible, default: false
        "no_dns_check": false,
        // optional, the amount of time in seconds to wait after creating a record, default: 5 seconds
        "wait_interval": 5,
        // optional, the dns server to use, default: the google public dns server
        "dns_server": "8.8.8.8"
    }
}
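The "wait until the created record is publicly visible" behaviour that no_dns_check, wait_interval and dns_server control can be reproduced and tested on its own. The following is an added example, not letsencrypt-inwx's own (Rust) code: it hand-builds a DNS TXT query for _acme-challenge.<your_domain>, parses the answer section (compression pointers and multi-string TXT records included) and polls the configured resolver until the ACME token appears. The 3-second per-query socket timeout and the 12-attempt limit are choices made here; the 8.8.8.8 and 5-second defaults are the ones the configuration above documents.

```python
import socket
import struct
import time

def build_txt_query(name, txid=0x1234):
    # 12-byte header (id, flags RD=1, QDCOUNT=1) + question: length-prefixed labels, QTYPE=TXT(16), QCLASS=IN(1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 16, 1)

def skip_name(data, pos):
    # Step over a name in a response; a 0xC0.. compression pointer (2 bytes) ends the name
    while data[pos] and (data[pos] & 0xC0) != 0xC0:
        pos += 1 + data[pos]
    return pos + (2 if data[pos] else 1)

def parse_txt_answers(data):
    # Return every TXT <character-string> from the answer section (empty on NXDOMAIN/SERVFAIL)
    qdcount, ancount = struct.unpack(">HH", data[4:8])
    pos, texts = 12, []
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, _, _, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 16:
            p = pos
            while p < pos + rdlength:           # RDATA is a sequence of length-prefixed strings
                texts.append(data[p + 1:p + 1 + data[p]].decode("ascii", "replace"))
                p += 1 + data[p]
        pos += rdlength
    return texts

def wait_for_txt(name, expected, dns_server="8.8.8.8", wait_interval=5, attempts=12):
    # Added example, not letsencrypt-inwx's own checker. Polls dns_server over UDP/53 until
    # `expected` is among the TXT records for `name`; defaults mirror the page's options.
    query = build_txt_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    for _ in range(attempts):
        sock.sendto(query, (dns_server, 53))
        try:
            data, _ = sock.recvfrom(4096)
            if data[:2] == query[:2] and expected in parse_txt_answers(data):
                return True
        except socket.timeout:
            pass                                # no answer yet; retry after wait_interval
        time.sleep(wait_interval)
    return False
```

Run it as wait_for_txt("_acme-challenge.example.com", "<acme_token>") from an auth hook before returning control to certbot; a False result means the record never became visible on that resolver within attempts * wait_interval seconds.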

Usage

With Docker and certbot

  • Generate your certificate by running docker run --rm -it -v /etc/letsencrypt-inwx.json:/etc/letsencrypt-inwx.json -v /etc/letsencrypt:/etc/letsencrypt kegato/letsencrypt-inwx certonly --email <your_email> --preferred-challenges=dns-01 --manual --manual-auth-hook /usr/lib/letsencrypt-inwx/certbot-inwx-auth --manual-cleanup-hook /usr/lib/letsencrypt-inwx/certbot-inwx-cleanup --manual-public-ip-logging-ok -d <your_domain>
  • You can find your certificate in /etc/letsencrypt/live/<your_domain>/
  • You can renew your certificate by running docker run --rm -it -v /etc/letsencrypt-inwx.json:/etc/letsencrypt-inwx.json -v /etc/letsencrypt:/etc/letsencrypt kegato/letsencrypt-inwx renew

With certbot

  • You can get certificates from certbot by running sudo certbot certonly -n --agree-tos --email <your_email> --preferred-challenges=dns-01 --manual --manual-auth-hook /usr/lib/letsencrypt-inwx/certbot-inwx-auth --manual-cleanup-hook /usr/lib/letsencrypt-inwx/certbot-inwx-cleanup --manual-public-ip-logging-ok -d <your_domain>

Manually

  • Create a txt record with letsencrypt-inwx create -c <config_file> -d _acme-challenge.<your_domain> -v <acme_token>
  • Delete it with letsencrypt-inwx delete -c <config_file> -d _acme-challenge.<your_domain>

Building

Requirements

libssl-dev and pkg-config are required when building on Ubuntu / Debian (see here).

.deb package

  • Install cargo-deb by running cargo install cargo-deb
  • Run cargo deb to build the package

Only the executable

  • Run cargo build --release to build the letsencrypt-inwx executable

letsencrypt-inwx's People

Contributors

adiesner, ciphax, keydon

letsencrypt-inwx's Issues

Please do not hardcode place of config file, read config-dir or allow override

It is possible to use certbot as a non-root user with a configuration set in
$HOME/.config/letsencrypt/cli.ini
where config-dir and work-dir and logs-dir can be set.

If this tool could read the credentials from a file inside $HOME, it could be readable only by the user and certbot could be run without root privileges, which is good for multi-user systems like e.g. Linux :)

Thanks for your attention.

Feature: follow CNAME records or allow to define CNAME of _acme-challenge.example.com

The ACME validation system follows CNAME records - this allows finding a solution for problematic situations, e.g. when servers are not reachable from the public internet. You can define a CNAME for the _acme-challenge subdomain that points to a different domain and set the TXT record of that target domain instead of the original domain. This is also very helpful when you do not want to or cannot access the nameserver of the original domain via an API.

Of course the ACME client has to understand that concept - so there needs to be a way to define that existing CNAME or the client has to be smart enough to follow that CNAME. Probably the easy quick fix would be to add some configuration option / parameter that allows to define the actual CNAME target domain to be updated instead of always using the domain defined by the -d parameter.

The acme.sh client has this feature implemented as DNS alias mode - that wiki entry explains the concept very well.

It would be very useful if you would support that feature, so users of this software can do everything that is possible with LE and certbot without limitations.

Thank you very much for your attention!

Could not connect to the inwx api

Hi,

I'm using your plugin on multiple servers. On two it's working fine, on one it's not.

I get the following error message: Could not connect to the inwx api
I need a tip how I can debug this.
Yes I already checked my login credentials, twice. I also made my password shorter just in case the plugin could not handle my fairly long password.

The server I am having this trouble with is running in a different server farm; maybe it's blocking the API call, but I think this is unlikely - still, if someone can tell me how I can test this... that would be very nice.

Certificate creation fails because No TXT record found

I think the TXT record is not published fast enough? Maybe the hook that sets the DNS record should wait until the DNS record shows up on the public internet?

Output:

$ /opt/letsencrypt/letsencrypt-auto certonly -n --agree-tos --email [email protected] --manual --preferred-challenges=dns --manual-auth-hook /usr/lib/letsencrypt-inwx/certbot-inwx-auth --manual-cleanup-hook /usr/lib/letsencrypt-inwx/certbot-inwx-cleanup --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory -d *.test.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for test.example.com
Output from certbot-inwx-auth:
Record has been created successfully.

Waiting for verification...
Cleaning up challenges
Output from certbot-inwx-cleanup:
Record has been deleted successfully.

Failed authorization procedure. test.example.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at _acme-challenge.test.example.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test.example.com
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.test.example.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

dns-01 challenge hangs

Hi,

mostly the dns-01 challenge hangs for more than a minute, then I cancel it. When I randomly switch DNS server in the /etc/letsencrypt-inwx.json config (8.8.8.8, 9.9.9.9, 127.0.0.53), I sometimes get it working.

To understand the problem, which DNS server is letsencrypt using? Shouldn't the hook use the same server?

Error: nameserver.list: Domain not found

I tried to issue a new cert with multiple domains at once.
I tried several times, always got this error on the same domain:

Output from certbot-inwx-auth:
Creating TXT record...

Hook command "/usr/lib/letsencrypt-inwx/certbot-inwx-auth" returned error code 1
Error output from certbot-inwx-auth:
=> Error: nameserver.list: Domain not found

After deleting some no longer used DNS entries manually it finally worked.
I see your code seems to handle up to 1000 entries, but does it really tho?
Not sure exactly but I think my threshold was 25-30 entries for one domain.

No support for Two-Factor-Auth?

Hello,

as far as I can see, 2fa is not supported, I get this error:
An inwx api call failed: The inwx api did return an error: method=nameserver.list, msg=Authentication error, reason=You need to unlock your account with your mobile TAN.

It would be nice if I could provide the sharedSecret of the Authenticator, and letsencrypt-inwx would automatically generate a code from that and use it to "unlock the account".

See:
https://github.com/inwx/php-client/blob/043244748b363a917a0c035da38d07ff01306d5e/src/Domrobot.php#L359
https://github.com/oGGy990/certbot-dns-inwx

Error: There is no nameserver for the specified domain

3 months have passed and I am trying once again to renew my cert.

+ certbot -n --agree-tos renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/myTLD.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for myTLD.com
dns-01 challenge for myTLD.com
Running manual-auth-hook command: /usr/lib/letsencrypt-inwx/certbot-inwx-auth
Output from manual-auth-hook command certbot-inwx-auth:
Creating TXT record...

manual-auth-hook command "/usr/lib/letsencrypt-inwx/certbot-inwx-auth" returned error code 1
Error output from manual-auth-hook command certbot-inwx-auth:
=> Error: There is no nameserver for the specified domain

When I test the nameserver.list method with postman, I am getting 5 domains back. Exactly those I am trying to renew ;O So there is no paging issue this time ;)
Any ideas?

Dependencies seem a bit excessive

I've never used anything written in rust, so I was a bit surprised to see that it downloads 120 dependency packages. Is it possible to reduce this a bit?

$ du -sh .cargo/
139M    .cargo/

.deb installation fails on Debian 8

Preparing to unpack letsencrypt-inwx_1.0.0_amd64.deb ...
Unpacking letsencrypt-inwx (1.0.0) ...
dpkg: dependency problems prevent configuration of letsencrypt-inwx:
 letsencrypt-inwx depends on libgcc1 (>= 1:4.9.3); however:
  Version of libgcc1:amd64 on system is 1:4.9.2-10+deb8u1.

dpkg: error processing package letsencrypt-inwx (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 letsencrypt-inwx

I guess that cannot be fixed and I need to either upgrade to Debian 9 or build myself?

Offer prebuilt binaries and link against musl libc

While it is cool that you offer a Debian installer package, I think the first step should be offering prebuilt binaries that everyone can download and use.
Also you should link your binaries against the musl libc to produce static binaries. Linking against glibc will result in a dynamically linked binary:

$ ldd usr/bin/letsencrypt-inwx 
        linux-vdso.so.1 (0x00007fff60773000)
        libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f02cdae8000)
        libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f02cd668000)
        libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f02cd460000)
        librt.so.1 => /usr/lib/librt.so.1 (0x00007f02cd258000)
        libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f02cd038000)
        libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f02cce20000)
        libc.so.6 => /usr/lib/libc.so.6 (0x00007f02cca60000)
        /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f02ce3f8000)
        libm.so.6 => /usr/lib/libm.so.6 (0x00007f02cc6c8000)

In my experience, ekidd/rust-musl-builder (docker) and japaric/trust are good starting points.

tool hangs on first run

root@letsencrypt ~# ps auxw
USER      PID  %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
certbot 28367 100.0  0.2  68684 30524 13  R+J  15:36   3:01.71 /srv/letsencrypt/.cargo/bin/letsencrypt-inwx create -c /srv/letsencrypt/.config/letsencrypt-inwx-cred -d _acme-challenge.topsecret -v omitted

FreeBSD 11.1, rust v1.26.2
