
dehydrated-djbdns's Introduction

Hi there 👋

I'm a freelance PHP developer and Linux system administrator based in Manchester, UK.

The majority of my repositories are small projects which I work on to solve problems that I've experienced, but you are welcome to use them, subject to the relevant LICENSE.

If you'd like to hire me to write code or manage systems, I can be found at: phpdev.uk

dehydrated-djbdns's People

Contributors: ehuggett, pwaring
Forkers: ehuggett

dehydrated-djbdns's Issues

Move dnsutil module into separate repository

Although the dnsutil code is now in a separate file, it is still coupled to the hook script. It needs to be made fully generic, which includes:

  1. Removing any calls to print.
  2. Changing verify_challenge so that it will verify an arbitrary TXT record (provided via a parameter).

The module should also include whatever configuration is necessary so that it can be installed using pip.

Move nameserver code into separate module

The code for checking whether a given TXT record (or indeed any record) exists on all the authoritative nameservers for a host is generic and not specific to djbdns. Splitting it off into a separate module would allow this functionality to be used in other hook scripts in the future, e.g. to support other DNS servers or providers.
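The generic check described in this issue and in the verify_challenge point of the previous one, as an added example that is not the project's own dnsutil code: locate the zone's authoritative nameservers, query each of them directly (not a caching resolver) for an arbitrary TXT value, and report per server. The resolver functions are injectable, so the logic can be exercised offline; the live implementations assume dnspython is installed.

```python
from typing import Callable, Dict, List

NsResolver = Callable[[str], List[str]]        # zone name -> NS hostnames
TxtQuery = Callable[[str, str], List[str]]     # (nameserver, name) -> TXT strings

def find_zone_nameservers(name: str, resolve_ns: NsResolver) -> List[str]:
    """Walk up from `name` until some parent has NS records; those hosts are
    the zone's authoritative servers (the TLD itself is never tried)."""
    labels = name.rstrip('.').split('.')
    for i in range(len(labels) - 1):
        servers = resolve_ns('.'.join(labels[i:]))
        if servers:
            return sorted(servers)
    raise LookupError(f"no NS records found for any parent of {name}")

def verify_txt_everywhere(name: str, expected: str, resolve_ns: NsResolver,
                          query_txt: TxtQuery) -> Dict[str, bool]:
    """Ask each authoritative server whether `name` already carries the TXT
    value `expected`; the result is keyed by nameserver so stragglers show up."""
    return {ns: expected in query_txt(ns, name)
            for ns in find_zone_nameservers(name, resolve_ns)}

def all_present(results: Dict[str, bool]) -> bool:
    """Safe to continue only when every server answered with the record."""
    return bool(results) and all(results.values())

# Live implementations: dnspython (pip install dnspython) is assumed and is
# imported lazily so the pure logic above runs without it.
def dns_resolve_ns(name: str) -> List[str]:
    import dns.resolver
    try:
        return [str(r.target).rstrip('.') for r in dns.resolver.resolve(name, 'NS')]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN, dns.resolver.NoNameservers):
        return []

def dns_query_txt(nameserver: str, name: str) -> List[str]:
    import dns.message, dns.query, dns.rdatatype, dns.resolver
    address = dns.resolver.resolve(nameserver, 'A')[0].address
    query = dns.message.make_query(name, dns.rdatatype.TXT)
    reply = dns.query.udp(query, address, timeout=5)   # bypasses caches
    strings: List[str] = []
    for rrset in reply.answer:
        if rrset.rdtype == dns.rdatatype.TXT:
            strings.extend(b''.join(rdata.strings).decode() for rdata in rrset)
    return strings
```

Call verify_txt_everywhere('_acme-challenge.example.com', value, dns_resolve_ns, dns_query_txt) and loop until all_present() is true.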

Process all challenges in one go

At present the process is to fetch and verify each challenge sequentially. This works, but does result in delays whilst the script waits for DNS changes to make their way to all the nameservers for a domain (one delay per domain). A better solution for multiple domain requests would be to obtain all the challenges, upload them all to the nameservers and then verify them all. This would result in only one 'upload delay', regardless of the number of domains.

letsencrypt.sh can support this functionality, as outlined here:

dehydrated-io/dehydrated#168

So it is a matter of changing the logic in the hook script to process all the challenges to support this behaviour. It can safely be made the default too, as it will speed things up for all cases other than a single domain certificate (which will be unchanged).

Write DNS records to a file with separate hook script

Instead of printing records to the screen, offer the option to write them to a file and run a command via a hook script. This would allow the certificate request process to be fully automated. For example:

  1. Write record to zone file.
  2. rsync record to DNS provider.
  3. Check for authoritative nameserver responses (as currently).

Although this would not speed up the process, as the script would still have to wait for responses, it would allow users to start the script running and then move on to working on something else, instead of needing to keep going back to check for output.

Writing the DNS records to a file would also avoid copy & paste errors which can occur in the current process.

Ideally the script would also remove the DNS entries afterwards, as they are not required after the certificate has been issued.

Argparse and challenges prefixed with "-"

Hi,

Thanks for sharing this. During testing I got an unexpected failure when letsencrypt.sh passed a challenge that contained a hyphen ("-") as the first character and argparse interpreted it as a named argument instead of a positional argument.

usage: hook.py [-h] [action] [domain] [token] [challenge] [extra [extra ...]]
hook.py: error: unrecognized arguments: -{redacted by ehuggett}

The solution I stumbled across is to change the default prefix in argparse for options from "-" to anything else not used in the base64url (?) encoded challenge; I chose "@". Inelegant, but it does work so far.

argparse.ArgumentParser(prefix_chars='@')
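An added example, not the project's hook.py, that ties together three of the issues above: it accepts every DOMAIN TOKEN CHALLENGE triple of a chained deploy_challenge call in one go, renders one tinydns data line per domain, writes them to a file in a single step (so only one upload delay is paid) and uses prefix_chars='@' so a challenge beginning with "-" is never read as an option. The output filename and the optional upload command are assumptions.

```python
import argparse
import subprocess
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]  # (domain, token filename, challenge value)

def tinydns_txt_line(fqdn: str, text: str, ttl: int = 300) -> str:
    """Render a tinydns-data TXT record ('fqdn:s:ttl).  Inside s a backslash
    must be written as \\134 and a colon as \\072, so escape both."""
    escaped = text.replace('\\', '\\134').replace(':', '\\072')
    return f"'{fqdn}:{escaped}:{ttl}"

def parse_hook_args(argv: List[str]) -> Tuple[str, List[Triple]]:
    """Parse ACTION followed by any number of DOMAIN TOKEN CHALLENGE triples.
    prefix_chars='@' stops a challenge such as '-abc' being treated as a flag."""
    parser = argparse.ArgumentParser(prefix_chars='@')
    parser.add_argument('action')
    parser.add_argument('rest', nargs='*')
    ns = parser.parse_args(argv)
    if len(ns.rest) % 3:
        raise SystemExit("arguments after ACTION must be DOMAIN TOKEN CHALLENGE triples")
    triples = [tuple(ns.rest[i:i + 3]) for i in range(0, len(ns.rest), 3)]
    return ns.action, triples

def challenge_records(triples: List[Triple]) -> List[str]:
    """One TXT record per domain; the token filename is unused for dns-01."""
    return [tinydns_txt_line(f"_acme-challenge.{domain}", challenge)
            for domain, _token, challenge in triples]

def write_records(path: str, lines: List[str],
                  upload_cmd: Optional[List[str]] = None) -> int:
    """Write every record at once, then run the upload command (e.g. an rsync
    wrapper) a single time instead of once per domain."""
    with open(path, 'w') as fh:
        fh.write('\n'.join(lines) + '\n')
    if upload_cmd:
        subprocess.run(upload_cmd, check=True)
    return len(lines)

if __name__ == '__main__':
    import sys
    action, triples = parse_hook_args(sys.argv[1:])
    if action == 'deploy_challenge':
        # Assumed output path; a real script would take it from its config.
        write_records('acme-challenges.data', challenge_records(triples))
```

After the upload, the per-nameserver TXT check is run once over all the generated records; clean_challenge can reuse challenge_records to know which lines to drop again.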

Move configuration options to separate file

At the moment, several configuration options are hardcoded into the hook script. These need to be moved to a configuration file, using the configparser module.

Configuration options required:

  • TunnelHost: Host to tunnel an rsync connection through (required for Bytemark's content DNS as uploads must originate from a Bytemark IP).
  • TunnelUsername: Username for the SSH tunnel.
  • RsyncUsername: Equivalent of RSYNC_USERNAME in the upload script.
  • RsyncPassword: Equivalent of RSYNC_PASSWORD in the upload script.
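Loading these four options from a configparser file instead of hardcoding them, as an added example that is not the project's code; the [hook] section name and the file path are assumptions. Missing or blank required options fail loudly, and because the file holds RsyncPassword it is refused when it is readable by other users.

```python
import configparser
import os
import stat
from typing import Dict, List

REQUIRED = ('TunnelHost', 'TunnelUsername', 'RsyncUsername', 'RsyncPassword')
SECTION = 'hook'   # assumed section name

def _read(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def missing_required(text: str) -> List[str]:
    """Required options that are absent or blank; a missing section counts as all."""
    cp = _read(text)
    if not cp.has_section(SECTION):
        return list(REQUIRED)
    return [k for k in REQUIRED if not cp.get(SECTION, k, fallback='').strip()]

def parse_hook_config(text: str) -> Dict[str, str]:
    """Return the required options, or raise naming every one that is missing."""
    missing = missing_required(text)
    if missing:
        raise ValueError("missing required options in [%s]: %s" % (SECTION, ', '.join(missing)))
    cp = _read(text)
    return {k: cp.get(SECTION, k) for k in REQUIRED}

def is_private_file(path: str) -> bool:
    """True only when no group/other permission bits are set (mode 0600 or tighter)."""
    return not (stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))

def load_hook_config(path: str) -> Dict[str, str]:
    """Read the hook's INI file, refusing one that exposes the rsync password."""
    if not is_private_file(path):
        raise PermissionError(f"{path} holds RsyncPassword; chmod 600 it before use")
    with open(path) as fh:
        return parse_hook_config(fh.read())
```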
