Certbot DNS Authenticator plugin for Joker.

This Certbot plugin automates the process of completing a dns-01 challenge by creating (and removing) TXT records using the Joker TXT record API.
For each of your domains hosted on the Joker DNS server that you would like to obtain certificates for, you must enable Dynamic DNS for the domain in the Joker web console. Do this by visiting your Joker Dashboard, clicking the "DNS" action for the domain you want to enable Dynamic DNS for, then ensuring that the "Dynamic DNS active" slider is turned on. A dialog should appear with the DynDNS username and password for that domain. These will be used in the credentials file described below.
```shell
pip install certbot-dns-joker
```
To use Joker DNS authentication, pass the following arguments on certbot's command line:
| Option | Description |
|---|---|
| `--authenticator dns-joker` | Select the Joker authenticator plugin. (required) |
| `--dns-joker-credentials credentials_file` | Full path to config file containing domain credentials. |
| `--dns-joker-propagation-seconds delay` | Delay between setting DNS TXT record and asking the ACME server to verify it. Default: 120 |
If you don't supply the credentials file on the certbot command line you will be prompted for its location.
You need to create a configuration file on your system (for example `/etc/letsencrypt/secrets/DOMAIN.ini`) that contains the per-domain secrets that you obtained when you enabled DynDNS for your domain:

```ini
dns_joker_username = USERNAME
dns_joker_password = PASSWORD
dns_joker_domain = DOMAIN
```
```shell
certbot certonly \
  --authenticator dns-joker \
  --dns-joker-credentials /etc/letsencrypt/secrets/example.com.ini \
  -d example.com -d '*.example.com'
```
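The credentials file holds the DynDNS password for the domain, so it is worth checking its permissions and contents before certbot reads it. The script below is an added example and not part of certbot-dns-joker or certbot: it reads the three keys from the file template above with Python's `configparser` and reports a file that is readable by group or others. The `audit`, `write_sample` and `demo` helpers and the sample values they use are constructed for this illustration only.

```python
"""Audit a certbot-dns-joker credentials file before pointing certbot at it.

Added example; not part of the plugin. The permission rule (owner-only access)
and the parser are this script's own.
"""
import configparser
import os
import stat
import tempfile

# The three keys the plugin reads from the credentials file (see the README template).
REQUIRED_KEYS = ("dns_joker_username", "dns_joker_password", "dns_joker_domain")

# Constructed sample values for the demo below; not real Joker credentials.
SAMPLE = {
    "dns_joker_username": "dyndns-user",
    "dns_joker_password": "pa55%word",  # the '%' would trip ConfigParser interpolation
    "dns_joker_domain": "example.com",
}


def parse_credentials(path):
    """Return the plugin's keys as a dict; raise ValueError if any is missing or empty."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    # The file is bare "key = value" lines, so prepend a section header for
    # configparser. Interpolation is disabled so a password containing '%'
    # is read literally instead of being treated as a substitution.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[creds]\n" + text)
    values = {key: parser["creds"].get(key, "").strip() for key in REQUIRED_KEYS}
    missing = [key for key, value in values.items() if not value]
    if missing:
        raise ValueError("missing or empty key(s): " + ", ".join(missing))
    return values


def file_mode(path):
    """Permission bits of the file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(path):
    """Return a list of findings; an empty list means the file looks usable."""
    findings = []
    mode = file_mode(path)
    # Any group/other bit exposes the DynDNS password to other local users.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            "permissions %o are too open; the file holds a DynDNS password, use chmod 600" % mode
        )
    try:
        parse_credentials(path)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


def write_sample(directory, mode=0o600, omit=()):
    """Write the constructed SAMPLE credentials to directory/example.com.ini; return the path."""
    path = os.path.join(directory, "example.com.ini")
    lines = ["%s = %s" % (key, value) for key, value in SAMPLE.items() if key not in omit]
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, mode)
    return path


def demo():
    """Audit three constructed files: correct, world-readable, and missing the password."""
    with tempfile.TemporaryDirectory() as tmp:
        return {
            "good": audit(write_sample(tmp)),
            "world_readable": audit(write_sample(tmp, mode=0o644)),
            "no_password": audit(write_sample(tmp, omit=("dns_joker_password",))),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

Run it against a real file with `audit("/etc/letsencrypt/secrets/example.com.ini")`; an empty list means the keys are present and the file is owner-only.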
This project has a PyPI page at https://pypi.org/project/certbot-dns-joker/.
I have built an RPM for CentOS 8, which is the platform I use. The Makefile has an `rpm` target that builds the RPM, but this has only been tested on CentOS 8. In addition, the GitHub release contains an SRPM from which it should be possible to build a new RPM on other RPM-based Linux distributions, but again I have not tested this.
The Makefile has a `docker-image` target to create a certbot docker image with the certbot-dns-joker plugin installed. In addition, if you set the `DOCKER_OTHER_PLUGINS` makefile variable to a (space-separated) list of plugins, those plugins will also be installed.
Once the docker image is built you can run it with a command such as the following.
```shell
docker run --rm \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/log/letsencrypt:/var/log/letsencrypt \
  --cap-drop=all \
  certbot-joker \
  certonly \
  --authenticator dns-joker \
  --dns-joker-propagation-seconds 900 \
  --dns-joker-credentials /etc/letsencrypt/secrets/example.com.ini \
  --no-self-upgrade \
  --keep-until-expiring --non-interactive --expand \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d example.com -d '*.example.com'
```
Then you can run a command such as the following from cron to renew your certificates.
```shell
docker run --rm \
  -v /var/lib/letsencrypt:/var/lib/letsencrypt \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -v /var/log/letsencrypt:/var/log/letsencrypt \
  --cap-drop=all \
  certbot-joker \
  renew
```
Note that plugins that attempt to do operations outside of the container (such as the apache plugin, which wants to run apachectl) will fail.
If you have existing conf files in `/etc/letsencrypt/renewal`, you will need to edit them to remove `certbot-dns-joker:` from the `authenticator` and `credentials` lines:

```shell
perl -p -i.bak -e 's/certbot-dns-joker://;' /etc/letsencrypt/renewal/*.conf
```
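The same migration, as an added example that is not part of the plugin: it strips the `certbot-dns-joker:` prefix only from lines inside the `[renewalparams]` section, saves a `.bak` copy before rewriting, and reports how many lines it changed so a second run is a visible no-op. The `LEGACY_CONF` sample is constructed to illustrate the old prefixed format; its option names are illustrative rather than copied from a real certbot renewal file.

```python
"""Strip the legacy 'certbot-dns-joker:' plugin prefix from certbot renewal configs.

Added example; not part of certbot-dns-joker. Only the [renewalparams] section
is touched, and a .bak copy is written before the file is changed.
"""
import os
import shutil
import tempfile

PREFIX = "certbot-dns-joker:"

# Constructed sample of a renewal conf in the old prefixed format.
# Option names are illustrative; real files may differ in detail.
LEGACY_CONF = """\
version = 1.0.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

[renewalparams]
authenticator = certbot-dns-joker:dns-joker
certbot-dns-joker:dns-joker-credentials = /etc/letsencrypt/secrets/example.com.ini
certbot-dns-joker:dns-joker-propagation-seconds = 900
server = https://acme-v02.api.letsencrypt.org/directory
"""


def migrate_text(text):
    """Return (new_text, lines_changed); lines outside [renewalparams] are copied verbatim."""
    out, changed, in_params = [], 0, False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("["):
            # Track which section we are in; only [renewalparams] is rewritten.
            in_params = stripped == "[renewalparams]"
        if in_params and PREFIX in line:
            line = line.replace(PREFIX, "", 1)
            changed += 1
        out.append(line)
    return "".join(out), changed


def migrate_file(path):
    """Rewrite path in place after saving path.bak; return the number of lines changed."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = migrate_text(original)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


def demo():
    """Migrate the constructed sample in a temp dir; return (changed, new_text, backup_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.com.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(LEGACY_CONF)
        changed = migrate_file(path)
        with open(path, "r", encoding="utf-8") as fh:
            new_text = fh.read()
        return changed, new_text, os.path.exists(path + ".bak")


if __name__ == "__main__":
    changed, new_text, backup = demo()
    print("lines changed:", changed, "| backup written:", backup)
    print(new_text)
```

To apply it to a live installation, loop over `/etc/letsencrypt/renewal/*.conf` and call `migrate_file` on each; a return value of 0 means the file was already in the new format and was left untouched.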
This plugin is based in large part on Matthias Bilger's certbot-dns-ispconfig plugin and the certbot-dns-dnsimple plugin.