diff --git a/Dockerfile b/Dockerfile index a54dfac..07f3b79 100755 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,8 @@ RUN \ g++ \ gcc \ libffi-dev \ + libxml2-dev \ + libxslt-dev \ openssl-dev \ python3-dev && \ echo "**** install runtime packages ****" && \ @@ -108,6 +110,7 @@ RUN \ certbot-dns-dnsmadeeasy \ certbot-dns-domeneshop \ certbot-dns-google \ + certbot-dns-he \ certbot-dns-hetzner \ certbot-dns-inwx \ certbot-dns-ionos \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 49b5d59..d7d6b95 100755 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -18,6 +18,8 @@ RUN \ g++ \ gcc \ libffi-dev \ + libxml2-dev \ + libxslt-dev \ openssl-dev \ python3-dev && \ echo "**** install runtime packages ****" && \ @@ -108,6 +110,7 @@ RUN \ certbot-dns-dnsmadeeasy \ certbot-dns-domeneshop \ certbot-dns-google \ + certbot-dns-he \ certbot-dns-hetzner \ certbot-dns-inwx \ certbot-dns-ionos \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index a0b5052..8993073 100755 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -18,6 +18,8 @@ RUN \ g++ \ gcc \ libffi-dev \ + libxml2-dev \ + libxslt-dev \ openssl-dev \ python3-dev && \ echo "**** install runtime packages ****" && \ @@ -108,6 +110,7 @@ RUN \ certbot-dns-dnsmadeeasy \ certbot-dns-domeneshop \ certbot-dns-google \ + certbot-dns-he \ certbot-dns-hetzner \ certbot-dns-inwx \ certbot-dns-ionos \ diff --git a/README.md b/README.md index 9953cdb..1fa8570 100644 --- a/README.md +++ b/README.md @@ -213,7 +213,7 @@ Container images are configured using parameters passed at runtime (such as thos | `-e VALIDATION=http` | Certbot validation method to use, options are `http`, `dns` or `duckdns` (`dns` method also requires `DNSPLUGIN` variable set) (`duckdns` method requires `DUCKDNSTOKEN` variable set, and the `SUBDOMAINS` variable must be either empty or set to `wildcard`). | | `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only) | | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. | -| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `ionos`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. | +| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `inwx`, `ionos`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. | | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. | | `-e DUCKDNSTOKEN=` | Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org | | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). | @@ -332,6 +332,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **06.10.21:** - Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps. * **01.10.21:** - Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration * **19.09.21:** - Add an optional header to opt out of Google FLoC in `ssl.conf`. * **17.09.21:** - Mark `SUBDOMAINS` var as optional. diff --git a/readme-vars.yml b/readme-vars.yml index 9054d24..b1421a2 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -51,7 +51,7 @@ opt_param_usage_include_env: true opt_param_env_vars: - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this _exactly_ to `wildcard` (wildcard cert is available via `dns` and `duckdns` validation only)" } - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." } - - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `hetzner`, `inwx`, `ionos`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." } + - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `aliyun`, `cloudflare`, `cloudxns`, `cpanel`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `domeneshop`, `gandi`, `gehirn`, `google`, `he`, `hetzner`, `inwx`, `ionos`, `linode`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `rfc2136`, `route53`, `sakuracloud`, `transip` and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." } - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." } - { env_var: "DUCKDNSTOKEN", env_value: "", desc: "Required if `VALIDATION` is set to `duckdns`. Retrieve your token from https://www.duckdns.org" } - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." } @@ -155,6 +155,7 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: + - { date: "06.10.21:", desc: "Added support for Hurricane Electric (HE) DNS validation. Added lxml build deps." } - { date: "01.10.21:", desc: "Check if the cert uses the old LE root cert, revoke and regenerate if necessary. [Here's more info](https://twitter.com/letsencrypt/status/1443621997288767491) on LE root cert expiration" } - { date: "19.09.21:", desc: "Add an optional header to opt out of Google FLoC in `ssl.conf`." } - { date: "17.09.21:", desc: "Mark `SUBDOMAINS` var as optional." } diff --git a/root/defaults/dns-conf/he.ini b/root/defaults/dns-conf/he.ini new file mode 100644 index 0000000..b3898d8 --- /dev/null +++ b/root/defaults/dns-conf/he.ini @@ -0,0 +1,4 @@ +# Instructions: https://github.com/TSaaristo/certbot-dns-he#example-usage +# Replace with your values +dns_he_user = Me +dns_he_pass = my HE password diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index 19e347a..2407b73 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config @@ -236,7 +236,7 @@ if [ "$VALIDATION" = "dns" ]; then elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}" - elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|hetzner|inwx|ionos|netcup|njalla|transip|vultr)$ ]]; then + elif [[ "$DNSPLUGIN" =~ ^(aliyun|domeneshop|he|hetzner|inwx|ionos|netcup|njalla|transip|vultr)$ ]]; then if [ -n "$PROPAGATION" ];then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}" elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then