Add support for dns challenge #238
base: master
Conversation
Somewhat related - I've been using acme-tiny with this patch for several years - it runs a script after creating the HTTP challenge file, which lets me run acme-tiny on a different machine from the webserver (with the script syncing the challenge across). Looking at this pull request, it seems like it wouldn't be very hard to make --challenge-script work for that use case too...
Since there is no single interface for administrating DNS servers a custom script (specified with --challenge-script) is called by acme_tiny.py. The script needs to support the following interface:

challenge_script (--add|--remove) --domain DOMAIN TXTRECORD

--add - add a TXT record
--remove - remove a TXT record
--domain DOMAIN - specify a domain name
TXTRECORD - value of a TXT record to be added or removed
@steelman noticed a few problems while trying to get this to work. It may not make sense to specify to the client whether to use dns-01 or http-01. It's the acme server's choice, whether they will give you a dns-01 or http-01 challenge. Specifically, I ran into this issue when trying to sign a server with Would you mind if I send a separate PR with these change suggestions? Or I could send them to your fork first, so you can merge there first, and then here afterwards, if you want to keep credit for the original idea?
@allanrbo I developed the patch, because I needed a wildcard certificate and the patch works for me. I am glad you have found problems I haven't. Sure, send your PR to my fork I will accept it and update this request.
challenge = [c for c in authorization['challenges'] if c['type'] == "dns-01"][0]
token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
keyauthorization = "{0}.{1}".format(token, thumbprint)
txtrecord = _b64(hashlib.sha256(keyauthorization).digest())
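Review bot: the `[0]` on the list comprehension in the first line raises an IndexError when the authorization carries no dns-01 challenge, which (as the conversation notes) is the server's choice, not the client's; check for an empty list and report which challenge types were offered instead. On the last line, `hashlib.sha256(keyauthorization)` needs a bytes argument on Python 3, so pass `keyauthorization.encode('utf-8')` as the inline comment below suggests.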
This patch is very useful; thanks. I had to make the following change to get it working for me:
- txtrecord = _b64(hashlib.sha256(keyauthorization).digest())
+ txtrecord = _b64(hashlib.sha256(keyauthorization.encode('utf-8')).digest())
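Review bot: the `.encode('utf-8')` on the `+` line is the right fix, since hashlib digests operate on bytes on Python 3; it also keeps the line working on Python 2, where `str.encode('utf-8')` on the ASCII key authorization returns the same byte string that was hashed before.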
Thanks. I have developed and worked on Python 2 which didn't differentiate between unicode strings and byte strings. Fixed.
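As an added example (not code from this PR or from acme-tiny itself), the following re-implements the dns-01 TXT computation from the reviewed lines with the Python 3 `.encode('utf-8')` fix applied, selects the dns-01 challenge without the `[0]` IndexError, and builds the argument vector for the `--challenge-script` interface given in the PR description. The JWK, token, domain and script path are constructed sample values; `_b64` mirrors acme-tiny's unpadded base64url helper.

```python
import base64
import hashlib
import json
import re
import subprocess

def _b64(b):
    # Unpadded base64url, the encoding ACME uses for JWS fields and challenge values.
    return base64.urlsafe_b64encode(b).decode("utf8").replace("=", "")

def jwk_thumbprint(jwk):
    # RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    # of the public JWK members; hashlib needs bytes, so encode first.
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return _b64(hashlib.sha256(canonical.encode("utf8")).digest())

def pick_dns01(authorization):
    # Return the dns-01 challenge, or None when the server offered only other
    # types, instead of indexing [0] into an empty list.
    for c in authorization["challenges"]:
        if c["type"] == "dns-01":
            return c
    return None

def dns01_txt_value(token, thumbprint):
    # RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint)).
    # Unsafe token characters are replaced as acme-tiny does; the key authorization
    # is encoded to bytes so the hash call works on Python 3 as well as Python 2.
    token = re.sub(r"[^A-Za-z0-9_\-]", "_", token)
    keyauthorization = "{0}.{1}".format(token, thumbprint)
    return _b64(hashlib.sha256(keyauthorization.encode("utf8")).digest())

def challenge_script_args(script, action, domain, txtrecord):
    # Argument vector for the interface the PR defines:
    #   challenge_script (--add|--remove) --domain DOMAIN TXTRECORD
    if action not in ("--add", "--remove"):
        raise ValueError("action must be --add or --remove")
    return [script, action, "--domain", domain, txtrecord]

def publish_txt(script, domain, txtrecord, remove=False):
    # Invoke the operator-supplied script; check_call raises if it exits non-zero.
    action = "--remove" if remove else "--add"
    subprocess.check_call(challenge_script_args(script, action, domain, txtrecord))

if __name__ == "__main__":
    # Constructed sample authorization and key (not real ACME server output).
    authz = {"challenges": [{"type": "http-01", "token": "abc"}, {"type": "dns-01", "token": "ZXhhbXBsZS10b2tlbg"}]}
    thumb = jwk_thumbprint({"kty": "RSA", "e": "AQAB", "n": "AKmpUE-example-modulus"})
    ch = pick_dns01(authz)
    print("_acme-challenge.example.org TXT", dns01_txt_value(ch["token"], thumb))
```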
Hi @steelman and @allanrbo do you have any update on this PR or even the other PR mentioned in this conversation? Are you still using this script? Thanks for all the work put into this!