DNS ACME challenge. (Let's encrypt validation)

Started by finalbeta, April 13, 2016, 01:43:01 PM

PJSalt

Yeah, I also don't like having to store the login credentials of the account in a file like that. A system with an API key would be much better.

Even better would be if we could also limit what the API key can do and assign rights to it. For example: only create/edit/remove TXT records. So that when somebody unauthorized gets a hold of the API key that they can't do too much damage by for example changing A/AAAA records and such.

PJSalt

#16
Any updates on this? Now that Let's Encrypt has officially launched their v2 API with wildcard support (which only works with the dns-01 challenge method by the way), it would be nice if dns.he.net had an API as well.

TemiD

+1 for Let's Encrypt and API integration. Cloudflare supported the api, but I moved to he.net for the ipv6 cert course. I use a wildcard for my network and manually renewing certs is going to bite.

beneckema

+1 I like to use a scripted dns-01 challenge, so it would be great to use the API like the "dynamic" A and AAAA records

mkbloke

+1 for an API supporting TXT records to make Let's Encrypt easy.

FostWare

+1 for API that doesn't require removing 2FA

Vazhnov

As I see on the title page:

Quote
We're looking into implementing:

  • Expanding our DDNS service to support TXT records
  • ...

Updated 11.28.2018

But still no news...

matth1187

I would've used it if it was available; however, someone paranoid convinced me it may be a good idea to keep acme challenges on a separate provider from your main (assuming HE) domain, in case your API key/pass gets compromised.

I found luadns.com to be noobishly easy to use, and it is a default supported provider for most acme programs (it is mentioned on the LE website as a provider that is easily integrated, free). In addition to the API it has a slick GUI. Create a zone like acme.domain.com. Point some NS records from HE to there. Then use a CNAME in HE: _acme-challenge.www.domain.com -> luadns, www.acme.domain.com. Now it can be automated with no messing with port 80. HTH!


jvandenbroek

#24
Was looking for this and found out that it's now actually possible to set DDNS for a TXT record. Just needed some trial and error to get it working:

curl -k https://dyn.dns.he.net/nic/update -d "hostname=_acme-challenge.mydomain.com" -d "password=mypassword" -d "txt=somevalue"

Com DAC

Found that DDNS is now possible for TXT records (YAY). The thing I'm unable to figure out now is how to update the records if you have two of the same TXT records. For example, if you have a Let's Encrypt certificate for *.domain.ext and domain.ext then you need two TXT entries, _acme-challenge.domain.ext and _acme-challenge.domain.ext. I can do this manually, but when I set up the entries to be dynamic I'm only able to update the last one I updated with a password. Does anyone know if there is a trick for this situation, or if this part isn't implemented yet?

matthiaspfaller

Quote from: Com DAC on August 02, 2020, 04:38:47 PM
Found that DDNS is now possible for TXT records (YAY). The thing I'm unable to figure out now is how to update the records if you have two of the same TXT records. For example, if you have a Let's Encrypt certificate for *.domain.ext and domain.ext then you need two TXT entries, _acme-challenge.domain.ext and _acme-challenge.domain.ext. I can do this manually, but when I set up the entries to be dynamic I'm only able to update the last one I updated with a password. Does anyone know if there is a trick for this situation, or if this part isn't implemented yet?

While the new feature is neat, it just doesn't help us. In order for this to be really useful, we would need to be able to create new DDNS TXT records without the web interface. But it's a very nice first step.

regards, Matthias

tjeske

I know that a dedicated API call would be nice. But I am sure some mediocre programmer is able to code some python module for that :)

rill

Quote from: jvandenbroek on July 20, 2020, 05:02:41 AM
Was looking for this and found out that it's now actually possible to set DDNS for a TXT record. Just needed some trial and error to get it working:

curl -k https://dyn.dns.he.net/nic/update -d "hostname=_acme-challenge.mydomain.com" -d "password=mypassword" -d "txt=somevalue"

This works. Only one thing is needed for this.
There is an optional `DDNS` parameter for each DNS record in the UI. You need to activate this feature, then generate a secret for it. Use this secret as the password in the above command.
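The update call jvandenbroek and rill describe above, as an added example that is not code from this thread: a small Python client for the dyn.dns.he.net/nic/update endpoint that URL-encodes the form fields (curl's -d does not), verifies the server certificate instead of passing -k, takes the per-record DDNS key from an environment variable so it does not appear in process listings, and maps the reply text to a result. The reply words "good" and "badauth" are the ones shown in this thread; "nochg" is assumed from the dyndns2 convention, and the HE_DDNS_KEY variable name is this example's own choice.

```python
import os
import ssl
import urllib.parse
import urllib.request

HE_DDNS_URL = "https://dyn.dns.he.net/nic/update"

# "good" and "badauth" are the replies seen in the thread; "nochg" is assumed
# from the dyndns2 protocol convention that this endpoint follows.
_RESULTS = {"good": "updated", "nochg": "unchanged", "badauth": "bad_key"}


def build_update_body(hostname: str, key: str, txt: str) -> str:
    """Form body for nic/update. Encoding keeps '&', '=' or spaces inside the
    TXT value from being read as extra parameters (curl -d passes them raw)."""
    return urllib.parse.urlencode({"hostname": hostname, "password": key, "txt": txt})


def classify_response(text: str) -> str:
    """Map the first word of the dyndns2-style reply to a result label;
    anything unrecognised is reported as error:<word>."""
    stripped = text.strip()
    first = stripped.split(" ", 1)[0] if stripped else ""
    return _RESULTS.get(first, "error:" + (first or "empty"))


def update_txt(hostname: str, txt: str, key: str = "", opener=None) -> str:
    """POST one TXT update. The DDNS key comes from $HE_DDNS_KEY unless passed
    explicitly; `opener` lets tests inject a fake transport (no network)."""
    key = key or os.environ.get("HE_DDNS_KEY", "")
    if not key:
        raise ValueError("no DDNS key: set HE_DDNS_KEY or pass key=")
    body = build_update_body(hostname, key, txt).encode("ascii")
    req = urllib.request.Request(HE_DDNS_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if opener is None:
        # Real transport: the default SSL context verifies the certificate chain
        # and hostname, which is what curl -k in the thread switches off.
        opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    with opener.open(req, timeout=15) as resp:
        return classify_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # usage: HE_DDNS_KEY=... script.py _acme-challenge.example.com <token>
    print(update_txt(sys.argv[1], sys.argv[2]))
```

As Com DAC notes later in the thread, the endpoint keys on hostname plus DDNS secret, so two TXT records under the same name cannot be targeted separately with this call.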

pmarks

I tried adding the new dynamic TXT API to acme.sh, but the problem is that it cannot support multiple TXT records under the same name, for cases like this:

./acme.sh --staging --issue --dns dns_he_dyntxt -d 'test1.he.example.com' -d '*.test1.he.example.com'

Here is my code, but I think it's fundamentally too broken to upstream it:


$ cat dnsapi/dns_he_dyntxt.sh
#!/usr/bin/env sh

########################################################################
# Hurricane Electric hook script for acme.sh, with simple dynamic TXT API.
#
# Unlike dns_he.sh, this script does not use your full account password,
# but all _acme-challenge TXT records must be created manually, and these
# records must share the same DDNS key.
#
# Environment variables:
#
#  - $HE_DynTXT_Key - DDNS key for all _acme-challenge TXT records
#

HE_DynTXT_Api="https://dyn.dns.he.net"

########  Public functions #####################

#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_he_dyntxt_add() {
  fulldomain=$1
  txtvalue=$2

  HE_DynTXT_Key="${HE_DynTXT_Key:-$(_readaccountconf_mutable HE_DynTXT_Key)}"

  if [ -z "$HE_DynTXT_Key" ]; then
    HE_DynTXT_Key=""
    _err "You did not specify HE_DynTXT_Key."
    _err "Please log into https://dns.he.net/, create a TXT record for '$fulldomain', and generate a DDNS key."
    _err "The same key should be shared among all TXT records managed by this script."
    _err ""
    return 1
  fi

  #save the DDNS key to the account conf file.
  _saveaccountconf_mutable HE_DynTXT_Key "$HE_DynTXT_Key"

  _info "Updating record $fulldomain"
  if _he_dyntxt_rest POST "nic/update" "hostname=$fulldomain&password=$HE_DynTXT_Key&txt=$txtvalue"; then
    if _contains "$response" "good"; then
      _info "Updated, OK"
      return 0
    elif _contains "$response" "badauth"; then
      _err "TXT record $fulldomain does not exist, or incorrect DDNS key"
      return 1
    fi
  fi
  _err "Update TXT record error."
  return 1
}

#fulldomain txtvalue
dns_he_dyntxt_rm() {
  fulldomain=$1
  txtvalue='""' # Just clear the TXT record.

  HE_DynTXT_Key="${HE_DynTXT_Key:-$(_readaccountconf_mutable HE_DynTXT_Key)}"

  _info "Clearing record $fulldomain"
  if _he_dyntxt_rest POST "nic/update" "hostname=$fulldomain&password=$HE_DynTXT_Key&txt=$txtvalue"; then
    if _contains "$response" "good"; then
      _info "Cleared, OK"
      return 0
    elif _contains "$response" "badauth"; then
      _err "TXT record $fulldomain does not exist, or incorrect DDNS key"
      return 1
    fi
  fi
  _err "Clearing TXT record error."
  return 1
}

#####################  Private functions below ##################################

_he_dyntxt_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"

  if [ "$m" = "POST" ]; then
    _debug data "$data"
    response="$(_post "$data" "$HE_DynTXT_Api/$ep" "" "$m")"
  else
    _err "unimplemented method: $m"
    return 1
  fi

  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
}