Browse Source

Merge pull request #341 from philfry/master

nsupdate
pull/387/head
neil 8 years ago
committed by GitHub
parent
commit
29d47c4de2
  1. 1
      README.md
  2. 5
      acme.sh
  3. 50
      dnsapi/README.md
  4. 60
      dnsapi/dns_nsupdate.sh

1
README.md

@ -256,6 +256,7 @@ You don't have do anything manually!
(DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.) (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
9. LuaDNS.com API 9. LuaDNS.com API
10. DNSMadeEasy.com API 10. DNSMadeEasy.com API
11. nsupdate
##### More APIs are coming soon... ##### More APIs are coming soon...

5
acme.sh

@ -3592,6 +3592,11 @@ _initconf() {
# #
#GD_Secret=\"sADDsdasdfsdfdssdgdsf\" #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
#######################
#nsupdate:
#NSUPDATE_KEY=\"/path/to/update.key\"
#NSUPDATE_SERVER=\"192.168.0.1\"
####################### #######################
#PowerDNS: #PowerDNS:
#PDNS_Url=\"http://ns.example.com:8081\" #PDNS_Url=\"http://ns.example.com:8081\"

50
dnsapi/README.md

@ -112,10 +112,60 @@ acme.sh --issue --dns dns_pdns -d example.com -d www.example.com
The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`. The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`.
## Use OVH/kimsufi/soyoustart/runabove API ## Use OVH/kimsufi/soyoustart/runabove API
https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
## Use nsupdate to automatically issue cert
First, generate a key for updating the zone
```
b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo)
cat > /etc/named/keys/update.key <<EOF
key "update" {
algorithm hmac-sha512;
secret "$(awk '/^Key/{print $2}' /tmp/$b.private)";
};
EOF
rm -f /tmp/$b.{private,key}
```
Include this key in your named configuration
```
include "/etc/named/keys/update.key";
```
Next, configure your zone to allow dynamic updates.
Depending on your named version, use either
```
zone "example.com" {
type master;
allow-update { key "update"; };
};
```
or
```
zone "example.com" {
type master;
update-policy {
grant update subdomain example.com.;
};
}
```
Finally, make the dns server and update key available to `acme.sh`
```
export NSUPDATE_SERVER=dns.example.com
export NSUPDATE_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
```
Ok, let's issue cert now:
```
acme.sh --issue --dns dns_nsupdate -d example.com -d www.example.com
```
The `NSUPDATE_SERVER` and `NSUPDATE_KEY` settings will be saved in `~/.acme.sh/account.conf`.
# Use custom api # Use custom api
If your api is not supported yet, you can write your own dns api. If your api is not supported yet, you can write your own dns api.

60
dnsapi/dns_nsupdate.sh

@ -0,0 +1,60 @@
#!/usr/bin/env sh
######## Public functions #####################
#Usage: dns_nsupdate_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_nsupdate_add() {
fulldomain=$1
txtvalue=$2
_checkKeyFile || return 1
[ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
# save the dns server and key to the account conf file.
_saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
_saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
_info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
nsupdate -k "${NSUPDATE_KEY}" <<EOF
server ${NSUPDATE_SERVER}
update add ${fulldomain}. 60 in txt "${txtvalue}"
send
EOF
if [ $? -ne 0 ]; then
_err "error updating domain"
return 1
fi
return 0
}
#Usage: dns_nsupdate_rm _acme-challenge.www.domain.com
dns_nsupdate_rm() {
fulldomain=$1
_checkKeyFile || return 1
[ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
_info "removing ${fulldomain}. txt"
nsupdate -k "${NSUPDATE_KEY}" <<EOF
server ${NSUPDATE_SERVER}
update delete ${fulldomain}. txt
send
EOF
if [ $? -ne 0 ]; then
_err "error updating domain"
return 1
fi
return 0
}
#################### Private functions bellow ##################################
_checkKeyFile() {
if [ -z "${NSUPDATE_KEY}" ]; then
_err "you must specify a path to the nsupdate key file"
return 1
fi
if [ ! -r "${NSUPDATE_KEY}" ]; then
_err "key ${NSUPDATE_KEY} is unreadable"
return 1
fi
}
Loading…
Cancel
Save