namesilo-letsencrypt's Introduction

NameSilo Let's Encrypt

License (3-Clause BSD) Python 3.4

Python scripts (hook) to automate obtaining Let's Encrypt certificates, using Certbot DNS-01 challenge validation for domains DNS hosted on NameSilo.

Setup

Using Package Manager

  • For users of Fedora & RHEL, you can install this COPR package, packaged by @cyqsimon.
  • Feel free to package this repo for other OSes; then please submit a PR to reference it here.

Manual Install

The scripts use the tldextract and untangle libraries. If they are not already installed on your system, install them with:

pip install tldextract untangle

Download the latest release archive and expand it in the desired directory.

Configuration

Add your NameSilo API key to the top of the config.py file:

# Get your API Key from: https://www.namesilo.com/account/api-manager
apikey = "YOUR_API_KEY"

Alternatively, the API key can be set in the NAMESILO_API environment variable.
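
A pre-flight check for the two key locations described above, added here as an example and not part of the project's scripts. It assumes the environment variable takes precedence over config.py (the README does not say which wins); `read_config_key` and `resolve_api_key` are hypothetical helper names.

```python
import ast
import os
import stat

PLACEHOLDER = "YOUR_API_KEY"  # placeholder value shown in the README


def read_config_key(config_path):
    """Extract the string assigned to `apikey` without executing config.py."""
    with open(config_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=config_path)
    for node in tree.body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "apikey" for t in node.targets
        ):
            return ast.literal_eval(node.value)
    return None


def resolve_api_key(config_path, environ=None):
    """Return (key, source, problems) for the key the hooks would use."""
    environ = os.environ if environ is None else environ
    problems = []
    # Assumption: NAMESILO_API, when set, is preferred over config.py.
    key, source = environ.get("NAMESILO_API"), "env:NAMESILO_API"
    if not key:
        key, source = read_config_key(config_path), config_path
        # A key stored on disk should not be readable by group or others.
        mode = stat.S_IMODE(os.stat(config_path).st_mode)
        if mode & 0o077:
            problems.append("%s is mode %04o; restrict it to 0600" % (config_path, mode))
    if not key or key == PLACEHOLDER:
        problems.append("no real API key configured")
    elif key != key.strip():
        problems.append("API key has leading or trailing whitespace")
    return key, source, problems
```

Run it against the directory that holds config.py before the first certbot invocation; an empty `problems` list means the key was found and is stored with owner-only permissions or comes from the environment.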

Using with Certbot

To issue or renew a certificate using the hook scripts, try something like:

certbot certonly --manual --email [email protected] \
--agree-tos --manual-public-ip-logging-ok \
--preferred-challenges=dns \
--manual-auth-hook /path/to/authenticator.py \
--manual-cleanup-hook /path/to/cleanup.py \
-d "*.example.com" -d example.com

Please note that NameSilo DNS propagation takes up to 15 minutes. The scripts will wait 25 minutes before completing, just to be safe.

namesilo-letsencrypt's Issues

Using the script with GitLab CI/CD

Hello,

First of all, I appreciate the work you have put into the script, so thank you!

I managed to run it with GitLab CI/CD, as I believe @Zeioth has done (I put my .gitlab-ci.yml settings at the bottom of this post) but I had questions regarding the next steps after successful completion of the script:

  • How can I actually save the fullchain.pem and privkey.pem that certbot generates if I'm running a venv on GitLab?
  • My site is also hosted on NameSilo. Would I need to manually insert the certificate details in my cPanel each time I run the script? Are you also hosting your site with this provider and have you managed to automate this process somehow?

I would appreciate any guidance at all, thank you so much in advance.

image: python:latest

stages:
  - build
  - test
  - deploy

variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"

cache:
  paths:
    - .cache/pip
    - venv/

before_script:
  - pip install virtualenv
  - virtualenv venv
  - source venv/bin/activate

install:
  stage: build
  script:
    - pip install tldextract untangle
    - pip install certbot

renew:
  stage: test
  script:
    - chmod +x ./authenticator.py
    - chmod +x ./cleanup.py
    - certbot certonly -v --manual --email [email protected] --agree-tos --manual-public-ip-logging-ok --preferred-challenges=dns --manual-auth-hook ./authenticator.py --manual-cleanup-hook ./cleanup.py -d *.xyz.com -d xyz.com

success:
  stage: deploy
  script:
    - echo "SSL certificate renewed successfully!"

Files in latest namesilo-letsencrypt-0.9.2.tar.gz are in DOS format. certbot run fails

Hi there -
While trying to figure out why I was getting the following errors when running the certbot command, I realized the files contained in the 0.9.2 tar.gz are in DOS format.

root@i7:~/namesilo-letsencrypt-0.9.2# ./doit.sh 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.masked
dns-01 challenge for domain.masked
Running manual-auth-hook command: /root/namesilo-letsencrypt-0.9.2/authenticator.py
manual-auth-hook command "/root/namesilo-letsencrypt-0.9.2/authenticator.py" returned error code 127
Error output from manual-auth-hook command authenticator.py:
/bin/sh: 1: /root/namesilo-letsencrypt-0.9.2/authenticator.py: not found

Running manual-auth-hook command: /root/namesilo-letsencrypt-0.9.2/authenticator.py
manual-auth-hook command "/root/namesilo-letsencrypt-0.9.2/authenticator.py" returned error code 127
Error output from manual-auth-hook command authenticator.py:
/bin/sh: 1: /root/namesilo-letsencrypt-0.9.2/authenticator.py: not found

Waiting for verification...
Challenge failed for domain domain.masked
Challenge failed for domain domain.masked
dns-01 challenge for domain.masked
dns-01 challenge for domain.masked
Cleaning up challenges
Running manual-cleanup-hook command: /root/namesilo-letsencrypt-0.9.2/cleanup.py
manual-cleanup-hook command "/root/namesilo-letsencrypt-0.9.2/cleanup.py" returned error code 127
Error output from manual-cleanup-hook command cleanup.py:
/bin/sh: 1: /root/namesilo-letsencrypt-0.9.2/cleanup.py: not found

Running manual-cleanup-hook command: /root/namesilo-letsencrypt-0.9.2/cleanup.py
manual-cleanup-hook command "/root/namesilo-letsencrypt-0.9.2/cleanup.py" returned error code 127
Error output from manual-cleanup-hook command cleanup.py:
/bin/sh: 1: /root/namesilo-letsencrypt-0.9.2/cleanup.py: not found

Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.masked
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.domain.masked - check that a DNS record exists for
   this domain

   Domain: domain.masked
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.domain.masked - check that a DNS record exists for
   this domain
root@i7:~/namesilo-letsencrypt-0.9.2# 
root@i7:~/namesilo-letsencrypt-0.9.2# cat doit.sh 
certbot certonly --staging --manual --email [email protected] \
  --agree-tos --manual-public-ip-logging-ok \
  --preferred-challenges=dns \
  --manual-auth-hook /root/namesilo-letsencrypt-0.9.2/authenticator.py \
  --manual-cleanup-hook /root/namesilo-letsencrypt-0.9.2/cleanup.py \
  -d *.domain.masked -d domain.masked
root@i7:~/namesilo-letsencrypt-0.9.2# 

root@i7:~/new/namesilo-letsencrypt-0.9.2# cksum *
1979043218 3311 authenticator.py
2915655169 1050 CHANGELOG.md
82618259 3112 cleanup.py
1942701120 151 config.py
3311993660 1536 LICENSE.txt
2424547664 1771 README.md
root@i7:~/new/namesilo-letsencrypt-0.9.2# dos2unix *
dos2unix: converting file authenticator.py to Unix format...
dos2unix: converting file CHANGELOG.md to Unix format...
dos2unix: converting file cleanup.py to Unix format...
dos2unix: converting file config.py to Unix format...
dos2unix: converting file LICENSE.txt to Unix format...
dos2unix: converting file README.md to Unix format...
root@i7:~/new/namesilo-letsencrypt-0.9.2# cksum *
2874061085 3215 authenticator.py
2915655169 1050 CHANGELOG.md
3936447672 3029 cleanup.py
1879213304 147 config.py
4010482586 1509 LICENSE.txt
1108605589 1725 README.md
root@i7:~/new/namesilo-letsencrypt-0.9.2# 
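
Added example, not part of the original issue or of the project's code: a check to run against the hook scripts before invoking certbot, flagging the DOS line endings described in this report. A shebang line that ends in CRLF leaves a carriage return on the interpreter name, so the script cannot be executed; `check_hook` and `check_hooks` are hypothetical names.

```python
import os


def check_hook(path):
    """Return the problems that would stop a shell from executing `path` as a hook."""
    if not os.path.isfile(path):
        return ["file does not exist"]
    problems = []
    # Check the mode bits directly so the result does not depend on who runs this.
    if not os.stat(path).st_mode & 0o111:
        problems.append("no execute bit set (chmod +x)")
    with open(path, "rb") as fh:
        data = fh.read()
    first, _, rest = data.partition(b"\n")
    if not first.startswith(b"#!"):
        problems.append("first line is not a shebang")
    else:
        if first.endswith(b"\r"):
            problems.append("shebang ends in CR; the interpreter name gains a trailing \\r")
        words = first[2:].split()  # split() also drops the stray \r
        interpreter = words[0].decode() if words else ""
        if not os.path.exists(interpreter):
            problems.append("interpreter %r not found" % interpreter)
    crlf = rest.count(b"\r\n")
    if crlf:
        problems.append("%d more CRLF line endings; convert with dos2unix" % crlf)
    return problems


def check_hooks(paths):
    """Map each hook path to its problems, keeping only the ones that have any."""
    report = {p: check_hook(p) for p in paths}
    return {p: probs for p, probs in report.items() if probs}
```

Call `check_hooks` with the paths passed to `--manual-auth-hook` and `--manual-cleanup-hook`; an empty dict means both scripts are executable and free of CRLF line endings.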

Thank you message

Hey thank you so much for making this. Using your repo I've been able to create a scheduled job on GitLab and now I don't need to care about SSL ever again.

Invalid API key

Hiya,
I'm trying to use this but I'm getting the following:

Requesting a certificate for *.example.org and example.org
Hook '--manual-auth-hook' for example.org reported error code 1
Hook '--manual-auth-hook' for example.org ran with error output:
example.org Invalid API Key (Permission denied) (110)
Hook '--manual-auth-hook' for example.org reported error code 1
Hook '--manual-auth-hook' for example.org ran with error output:
example.org Invalid API Key (Permission denied) (110)

The API key has been generated and placed within config.py; it has no IP restrictions.

COPR package

Thanks for the good work. Kinda saved my arse when I found out NameSilo does not support NS records on a subdomain, which precludes spinning up a local dnsmasq instance for the challenge which is what I normally do.

Anyways, personally I do not like installing software unmanaged, so I packaged this thing on Fedora COPR for Fedora and RHEL over here. Makes life a bit easier for me and other people on these OSes.

This issue is just to let you know; feel free to put this info in README (or not, it's your project).
