├── .gitignore ├── .pylintrc ├── .sonarcloud.properties ├── .travis.yml ├── LICENSE ├── README.md ├── certbot_dns_acmedns ├── __init__.py ├── dns_acmedns.py └── dns_acmedns_test.py ├── docker-compose.yml ├── linter_plugin.py ├── setup.cfg ├── setup.py └── test ├── Dockerfile ├── Dockerfile.setup ├── acmedns-server ├── config.cfg └── data │ └── acme-dns.db └── e2e_test.sh /.gitignore: -------------------------------------------------------------------------------- 1 | **/__pycache__/ 2 | *.egg-info 3 | env 4 | venv 5 | .venv 6 | .idea 7 | .coveralls.yml 8 | test/data/* 9 | .vscode -------------------------------------------------------------------------------- /.pylintrc: -------------------------------------------------------------------------------- 1 | [MASTER] 2 | 3 | # use as many jobs as there are cores 4 | jobs=0 5 | 6 | # Specify a configuration file. 7 | #rcfile= 8 | 9 | # Python code to execute, usually for sys.path manipulation such as 10 | # pygtk.require(). 11 | #init-hook= 12 | 13 | # Profiled execution. 14 | profile=no 15 | 16 | # Add files or directories to the blacklist. They should be base names, not 17 | # paths. 18 | ignore=CVS 19 | 20 | # Pickle collected data for later comparisons. 21 | persistent=yes 22 | 23 | # List of plugins (as comma separated values of python modules names) to load, 24 | # usually to register additional checkers. 25 | load-plugins=linter_plugin 26 | 27 | # A comma-separated list of package or module names from where C extensions may 28 | # be loaded. Extensions are loading into the active Python interpreter and may 29 | # run arbitrary code. 30 | extension-pkg-whitelist=pywintypes,win32api,win32file,win32security 31 | 32 | 33 | [MESSAGES CONTROL] 34 | 35 | # Enable the message, report, category or checker with the given id(s). You can 36 | # either give multiple identifier separated by comma (,) or put this option 37 | # multiple time. See also the "--disable" option for examples. 38 | #enable= 39 | 40 | # Disable the message, report, category or checker with the given id(s). You 41 | # can either give multiple identifiers separated by comma (,) or put this 42 | # option multiple times (only on the command line, not in the configuration 43 | # file where it should appear only once).You can also use "--disable=all" to 44 | # disable everything first and then reenable specific checks. For example, if 45 | # you want to run only the similarities checker, you can use "--disable=all 46 | # --enable=similarities". If you want to run only the classes checker, but have 47 | # no Warning level messages displayed, use"--disable=all --enable=classes 48 | # --disable=W" 49 | # CERTBOT COMMENT 50 | # 1) Once certbot codebase is claimed to be compatible exclusively with Python 3, 51 | # the useless-object-inheritance check can be enabled again, and code fixed accordingly. 52 | # 2) Check unsubscriptable-object tends to create a lot of false positives. Let's disable it. 53 | # See https://github.com/PyCQA/pylint/issues/1498. 54 | # 3) Same as point 2 for no-value-for-parameter. 55 | # See https://github.com/PyCQA/pylint/issues/2820. 56 | disable=fixme,locally-disabled,locally-enabled,bad-continuation,no-self-use,invalid-name,cyclic-import,duplicate-code,design,import-outside-toplevel,useless-object-inheritance,unsubscriptable-object,no-value-for-parameter,no-else-return,no-else-raise,no-else-break,no-else-continue 57 | 58 | [REPORTS] 59 | 60 | # Set the output format. Available formats are text, parseable, colorized, msvs 61 | # (visual studio) and html. You can also give a reporter class, eg 62 | # mypackage.mymodule.MyReporterClass. 63 | output-format=text 64 | 65 | # Put messages in a separate file for each module / package specified on the 66 | # command line instead of printing them on stdout. Reports (if any) will be 67 | # written in a file name "pylint_global.[txt|html]". 68 | files-output=no 69 | 70 | # Tells whether to display a full report or only the messages 71 | reports=yes 72 | 73 | # Python expression which should return a note less than 10 (10 is the highest 74 | # note). You have access to the variables errors warning, statement which 75 | # respectively contain the number of errors / warnings messages and the total 76 | # number of statements analyzed. This is used by the global evaluation report 77 | # (RP0004). 78 | evaluation=10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10) 79 | 80 | # Add a comment according to your evaluation note. This is used by the global 81 | # evaluation report (RP0004). 82 | comment=no 83 | 84 | # Template used to display messages. This is a python new-style format string 85 | # used to format the message information. See doc for all details 86 | #msg-template= 87 | 88 | 89 | [BASIC] 90 | 91 | # Required attributes for module, separated by a comma 92 | required-attributes= 93 | 94 | # List of builtins function names that should not be used, separated by a comma 95 | bad-functions=map,filter,apply,input,file 96 | 97 | # Good variable names which should always be accepted, separated by a comma 98 | good-names=f,i,j,k,ex,Run,_,fd,logger 99 | 100 | # Bad variable names which should always be refused, separated by a comma 101 | bad-names=foo,bar,baz,toto,tutu,tata 102 | 103 | # Colon-delimited sets of names that determine each other's naming style when 104 | # the name regexes allow several styles. 105 | name-group= 106 | 107 | # Include a hint for the correct naming format with invalid-name 108 | include-naming-hint=no 109 | 110 | # Regular expression matching correct function names 111 | function-rgx=[a-z_][a-z0-9_]{2,40}$ 112 | 113 | # Naming hint for function names 114 | function-name-hint=[a-z_][a-z0-9_]{2,40}$ 115 | 116 | # Regular expression matching correct variable names 117 | variable-rgx=[a-z_][a-z0-9_]{1,30}$ 118 | 119 | # Naming hint for variable names 120 | variable-name-hint=[a-z_][a-z0-9_]{2,30}$ 121 | 122 | # Regular expression matching correct constant names 123 | const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$ 124 | 125 | # Naming hint for constant names 126 | const-name-hint=(([A-Z_][A-Z0-9_]*)|(__.*__))$ 127 | 128 | # Regular expression matching correct attribute names 129 | attr-rgx=[a-z_][a-z0-9_]{2,30}$ 130 | 131 | # Naming hint for attribute names 132 | attr-name-hint=[a-z_][a-z0-9_]{2,30}$ 133 | 134 | # Regular expression matching correct argument names 135 | argument-rgx=[a-z_][a-z0-9_]{2,30}$ 136 | 137 | # Naming hint for argument names 138 | argument-name-hint=[a-z_][a-z0-9_]{2,30}$ 139 | 140 | # Regular expression matching correct class attribute names 141 | class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$ 142 | 143 | # Naming hint for class attribute names 144 | class-attribute-name-hint=([A-Za-z_][A-Za-z0-9_]{2,30}|(__.*__))$ 145 | 146 | # Regular expression matching correct inline iteration names 147 | inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$ 148 | 149 | # Naming hint for inline iteration names 150 | inlinevar-name-hint=[A-Za-z_][A-Za-z0-9_]*$ 151 | 152 | # Regular expression matching correct class names 153 | class-rgx=[A-Z_][a-zA-Z0-9]+$ 154 | 155 | # Naming hint for class names 156 | class-name-hint=[A-Z_][a-zA-Z0-9]+$ 157 | 158 | # Regular expression matching correct module names 159 | module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ 160 | 161 | # Naming hint for module names 162 | module-name-hint=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$ 163 | 164 | # Regular expression matching correct method names 165 | method-rgx=[a-z_][a-z0-9_]{2,50}$ 166 | 167 | # Naming hint for method names 168 | method-name-hint=[a-z_][a-z0-9_]{2,50}$ 169 | 170 | # Regular expression which should only match function or class names that do 171 | # not require a docstring. 172 | no-docstring-rgx=(__.*__)|(test_[A-Za-z0-9_]*)|(_.*)|(.*Test$) 173 | 174 | # Minimum line length for functions/classes that require docstrings, shorter 175 | # ones are exempt. 176 | docstring-min-length=-1 177 | 178 | 179 | [MISCELLANEOUS] 180 | 181 | # List of note tags to take in consideration, separated by a comma. 182 | notes=FIXME,XXX,TODO 183 | 184 | 185 | [LOGGING] 186 | 187 | # Logging modules to check that the string format arguments are in logging 188 | # function parameter format 189 | logging-modules=logging,logger 190 | 191 | 192 | [VARIABLES] 193 | 194 | # Tells whether we should check for unused import in __init__ files. 195 | init-import=no 196 | 197 | # A regular expression matching the name of dummy variables (i.e. expectedly 198 | # not used). 199 | dummy-variables-rgx=(unused)?_.*|dummy 200 | 201 | # List of additional names supposed to be defined in builtins. Remember that 202 | # you should avoid to define new builtins when possible. 203 | additional-builtins= 204 | 205 | 206 | [SIMILARITIES] 207 | 208 | # Minimum lines number of a similarity. 209 | min-similarity-lines=6 210 | 211 | # Ignore comments when computing similarities. 212 | ignore-comments=yes 213 | 214 | # Ignore docstrings when computing similarities. 215 | ignore-docstrings=yes 216 | 217 | # Ignore imports when computing similarities. 218 | ignore-imports=yes 219 | 220 | 221 | [FORMAT] 222 | 223 | # Maximum number of characters on a single line. 224 | max-line-length=100 225 | 226 | # Regexp for a line that is allowed to be longer than the limit. 227 | ignore-long-lines=^\s*(# )??$ 228 | 229 | # Allow the body of an if to be on the same line as the test if there is no 230 | # else. 231 | single-line-if-stmt=no 232 | 233 | # List of optional constructs for which whitespace checking is disabled 234 | no-space-check=trailing-comma 235 | 236 | # Maximum number of lines in a module 237 | max-module-lines=1250 238 | 239 | # String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 240 | # tab). 241 | indent-string=' ' 242 | 243 | # Number of spaces of indent required inside a hanging or continued line. 244 | # This does something silly/broken... 245 | #indent-after-paren=4 246 | 247 | 248 | [TYPECHECK] 249 | 250 | # Tells whether missing members accessed in mixin class should be ignored. A 251 | # mixin class is detected if its name ends with "mixin" (case insensitive). 252 | ignore-mixin-members=yes 253 | 254 | # List of module names for which member attributes should not be checked 255 | # (useful for modules/projects where namespaces are manipulated during runtime 256 | # and thus existing member attributes cannot be deduced by static analysis 257 | ignored-modules=pkg_resources,confargparse,argparse,six.moves,six.moves.urllib 258 | # import errors ignored only in 1.4.4 259 | # https://bitbucket.org/logilab/pylint/commits/cd000904c9e2 260 | 261 | # List of classes names for which member attributes should not be checked 262 | # (useful for classes with attributes dynamically set). 263 | ignored-classes=Field,Header,JWS,closing 264 | 265 | # When zope mode is activated, add a predefined set of Zope acquired attributes 266 | # to generated-members. 267 | zope=yes 268 | 269 | # List of members which are set dynamically and missed by pylint inference 270 | # system, and so shouldn't trigger E0201 when accessed. Python regular 271 | # expressions are accepted. 272 | generated-members=REQUEST,acl_users,aq_parent 273 | 274 | 275 | [IMPORTS] 276 | 277 | # Deprecated modules which should not be used, separated by a comma 278 | deprecated-modules=regsub,TERMIOS,Bastion,rexec 279 | 280 | # Create a graph of every (i.e. internal and external) dependencies in the 281 | # given file (report RP0402 must not be disabled) 282 | import-graph= 283 | 284 | # Create a graph of external dependencies in the given file (report RP0402 must 285 | # not be disabled) 286 | ext-import-graph= 287 | 288 | # Create a graph of internal dependencies in the given file (report RP0402 must 289 | # not be disabled) 290 | int-import-graph= 291 | 292 | 293 | [CLASSES] 294 | 295 | # List of interface methods to ignore, separated by a comma. This is used for 296 | # instance to not check methods defined in Zope's Interface base class. 297 | ignore-iface-methods=isImplementedBy,deferred,extends,names,namesAndDescriptions,queryDescriptionFor,getBases,getDescriptionFor,getDoc,getName,getTaggedValue,getTaggedValueTags,isEqualOrExtendedBy,setTaggedValue,isImplementedByInstancesOf,adaptWith,is_implemented_by,implementedBy,providedBy 298 | 299 | # List of method names used to declare (i.e. assign) instance attributes. 300 | defining-attr-methods=__init__,__new__,setUp 301 | 302 | # List of valid names for the first argument in a class method. 303 | valid-classmethod-first-arg=cls 304 | 305 | # List of valid names for the first argument in a metaclass class method. 306 | valid-metaclass-classmethod-first-arg=mcs 307 | 308 | 309 | [EXCEPTIONS] 310 | 311 | # Exceptions that will emit a warning when being caught. Defaults to 312 | # "Exception" 313 | overgeneral-exceptions=Exception 314 | -------------------------------------------------------------------------------- /.sonarcloud.properties: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-net-security/certbot-dns-acmedns/1a02e2b175afb0b2f9b449943fcc626a02b94d6d/.sonarcloud.properties -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | 3 | services: 4 | - docker 5 | 6 | python: 7 | # PyPy versions 8 | - "3.5" 9 | - "3.7" 10 | - "pypy3.5" 11 | 12 | install: 13 | - pip install python-coveralls pylint 14 | - pip install . 15 | 16 | # run tests 17 | script: 18 | - PYTHONPATH=${PWD} pylint certbot_dns_acmedns/ 19 | - pytest -v 20 | - pip install . 21 | - COMPOSE_PROJECT_NAME="certbotacmedns_$TRAVIS_JOB_ID" docker-compose run setup 22 | - sleep 5 23 | - docker build -t certbot_acmedns_client -f test/Dockerfile test/ 24 | - docker run -it --rm --network "certbotacmedns_${TRAVIS_JOB_ID}_default" --dns "10.151.40.100" -v $PWD:/certbot-dns-acmedns certbot_acmedns_client sh -c 'pip3 install -e /certbot-dns-acmedns && /certbot-dns-acmedns/test/e2e_test.sh' 25 | 26 | after_script: 27 | - COMPOSE_PROJECT_NAME="certbotpdns_$TRAVIS_JOB_ID" docker-compose down 28 | 29 | jobs: 30 | include: 31 | - stage: deploy 32 | script: skip 33 | install: skip 34 | deploy: 35 | provider: pypi 36 | user: $PYPI_USERNAME 37 | password: $PYPI_PASSWORD 38 | on: 39 | tags: true 40 | 41 | after_success: 42 | - coveralls 43 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [![Build Status](https://travis-ci.com/pan-net-security/certbot-dns-acmedns.svg?branch=master)](https://travis-ci.com/pan-net-security/certbot-dns-acmedns) 2 | [![Coverage Status](https://coveralls.io/repos/github/pan-net-security/certbot-dns-acmedns/badge.svg?branch=master)](https://coveralls.io/github/pan-net-security/certbot-dns-acmedns?branch=master) 3 | ![Libraries.io dependency status for latest release](https://img.shields.io/librariesio/release/github/pan-net-security/certbot-dns-acmedns.svg) 4 | [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=pan-net-security_certbot-dns-acmedns&metric=alert_status)](https://sonarcloud.io/dashboard?id=pan-net-security_certbot-dns-acmedns) 5 | ![PyPI - Status](https://img.shields.io/pypi/status/certbot-dns-acmedns.svg) 6 | ![PyPI - Python Version](https://img.shields.io/pypi/pyversions/certbot-dns-acmedns.svg) 7 | 8 | 9 | certbot-dns-acmedns 10 | ============ 11 | 12 | ACME-DNS DNS Authenticator plugin for [Certbot](https://certbot.eff.org/). 13 | 14 | ACME-DNS is a simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges. Explaining details of ACME-DNS is not part of this repo, we assume you have running ACME-DNS server. To understand what ACME-DNS is and for details on how to run/use ACME-DNS server see [ACME-DNS repo.](https://github.com/joohoi/acme-dns) 15 | 16 | This plugin is built from the ground up and follows the development style and life-cycle 17 | of other `certbot-dns-*` plugins found in the individual directories of the 18 | [Official Certbot Repository](https://github.com/certbot/certbot). 19 | 20 | For general information about Certbot plugin development see [Certbot developer documentation.](https://certbot.eff.org/docs/contributing.html#plugin-architecture) 21 | 22 | 23 | Installation 24 | ------------ 25 | 26 | ``` 27 | pip install --upgrade certbot 28 | pip install certbot-dns-acmedns 29 | ``` 30 | 31 | Verify: 32 | 33 | ``` 34 | $ certbot plugins --text 35 | 36 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 37 | * certbot-dns-acmedns:dns-acmedns 38 | Description: Obtain certificates using a DNS TXT record (if you are using 39 | ACME-DNS for DNS.) 40 | Interfaces: IAuthenticator, IPlugin 41 | Entry point: dns-acmedns = certbot_dns_acmedns.dns_acmedns:Authenticator 42 | 43 | ... 44 | ... 45 | ``` 46 | 47 | Configuration 48 | ------------- 49 | 50 | The (certbot) credentials file e.g. `acmedns-credentials.ini` should look like this: 51 | 52 | ``` 53 | # cat acmedns-credentials.ini 54 | certbot_dns_acmedns:dns_acmedns_api_url = http://acmedns-server/ 55 | certbot_dns_acmedns:dns_acmedns_registration_file = /etc/certbot/acme-registration.json 56 | ``` 57 | 58 | This plugin **does not do ACME-DNS registration** and you are responsible to make 59 | sure `/etc/certbot/acme-registration.json` (in the example above) contains 60 | the registration data in the following format: 61 | 62 | ``` 63 | # cat /etc/certbot/acme-registration.json 64 | { 65 | "something.acme.com": { 66 | "username": "6e14735c-2c6a-447e-b63d-a23ac4438bd7", 67 | "password": "dd6gnYS-IxrQfDLbdPRX3hrFhS_SLrwbS0kSl_i8", 68 | "fulldomain": "3b750a0e-c627-423f-9966-4799c6a9533b.auth.example.org", 69 | "subdomain": "3b750a0e-c627-423f-9966-4799c6a9533b", 70 | "allowfrom": [] 71 | } 72 | } 73 | ``` 74 | 75 | This format is the same as the one used in some other tools, e.g. 76 | [cert-manager ACME-DNS plugin](https://cert-manager.io/docs/configuration/acme/dns01/acme-dns/) 77 | 78 | Usage 79 | ----- 80 | 81 | 82 | ``` 83 | certbot ... \ 84 | --authenticator certbot-dns-acmedns:dns-acmedns \ 85 | --certbot-dns-acmedns:dns-acmedns-credentials /etc/certbot/acmedns-credentials.ini \ 86 | certonly 87 | ``` 88 | 89 | FAQ 90 | ----- 91 | 92 | ##### Why such long name for a plugin? 93 | 94 | This follows the upstream nomenclature: `certbot-dns-`. 95 | 96 | ##### Why do I have to use `:` separator in the name? And why are the configuration file parameters so weird? 97 | 98 | This is a limitation of the Certbot interface towards _third-party_ plugins. 99 | 100 | For details read the discussions: 101 | 102 | - https://github.com/certbot/certbot/issues/6504#issuecomment-473462138 103 | - https://github.com/certbot/certbot/issues/6040 104 | - https://github.com/certbot/certbot/issues/4351 105 | - https://github.com/certbot/certbot/pull/6372 106 | 107 | Development 108 | ----------- 109 | 110 | Create a virtualenv, install the plugin (`editable` mode), 111 | spawn the environment and run the test: 112 | 113 | ### Prepare the support environment: 114 | ``` 115 | docker-compose up -d 116 | ``` 117 | 118 | You can also omit `-d` if you wish to see backend server logs side-by-side with 119 | the client. 120 | 121 | ### Run certbot client 122 | ``` 123 | docker build -t certbot_acmedns_client -f test/Dockerfile test/ 124 | docker run -it --rm --network certbot-dns-acmedns_default --dns "10.151.40.100" -v $PWD:/certbot-dns-acmedns certbot_acmedns_client sh -c 'pip3 install -e /certbot-dns-acmedns && /certbot-dns-acmedns/test/e2e_test.sh' 125 | ``` 126 | 127 | 128 | License 129 | -------- 130 | 131 | Apache License Version 2.0, January 2004 132 | 133 | 134 | Authors 135 | ------- 136 | 137 | [DT Pan-Net s.r.o](https://github.com/pan-net-security) 138 | -------------------------------------------------------------------------------- /certbot_dns_acmedns/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | """Let's Encrypt ACME-DNS plugin""" 5 | 6 | # import inspect 7 | # 8 | # # https://github.com/certbot/certbot/issues/6504#issuecomment-473462138 9 | # # https://github.com/certbot/certbot/issues/6040 10 | # # https://github.com/certbot/certbot/issues/4351 11 | # # https://github.com/certbot/certbot/pull/6372 12 | # def _patch(): 13 | # for frame_obj, filename, line, func, _, _ in inspect.stack(): 14 | # if func == '__init__' 15 | # and frame_obj.f_locals['self'].__class__.__name__ == 'PluginEntryPoint': 16 | # frame_obj.f_locals['self'].name = frame_obj.f_locals['entry_point'].name 17 | # module_name = frame_obj.f_locals['entry_point'].dist.key 18 | # pre_free_dist = frame_obj.f_locals['self'].PREFIX_FREE_DISTRIBUTIONS 19 | # if module_name not in pre_free_dist: 20 | # pre_free_dist.append(module_name) 21 | # 22 | # _patch() 23 | -------------------------------------------------------------------------------- /certbot_dns_acmedns/dns_acmedns.py: -------------------------------------------------------------------------------- 1 | """DNS Authenticator for ACME-DNS.""" 2 | 3 | import json 4 | import logging 5 | 6 | import zope.interface 7 | from certbot import interfaces 8 | from certbot import errors 9 | 10 | from certbot.plugins import dns_common 11 | 12 | from pyacmedns import Client, Storage 13 | 14 | 15 | 16 | logger = logging.getLogger(__name__) 17 | 18 | @zope.interface.implementer(interfaces.IAuthenticator) 19 | @zope.interface.provider(interfaces.IPluginFactory) 20 | class Authenticator(dns_common.DNSAuthenticator): 21 | """DNS Authenticator for ACME-DNS DNS.""" 22 | 23 | description = 'Obtain certificates using a DNS TXT record ' + \ 24 | '(if you are using ACME-DNS for DNS.)' 25 | 26 | def __init__(self, *args, **kwargs): 27 | super(Authenticator, self).__init__(*args, **kwargs) 28 | self.credentials = None 29 | self.ttl = 60 30 | 31 | @classmethod 32 | def add_parser_arguments(cls, add): # pylint: disable=arguments-differ 33 | super(Authenticator, cls).add_parser_arguments(add) 34 | add('credentials', help='ACMEDNS Certbot credentials INI file.') 35 | 36 | def more_info(self): # pylint: disable=missing-docstring,no-self-use 37 | return 'This plugin configures a DNS TXT record to respond to a dns-01 challenge using ' + \ 38 | 'ACME-DNS API' 39 | 40 | def _validate_credentials(self, credentials): 41 | if not credentials.conf('api-url'): 42 | raise errors.PluginError('{0}: ACME-DNS API URL not provided.' 43 | .format(self.conf('credentials'))) 44 | try: 45 | dns_common.validate_file_permissions(credentials.conf('registration-file')) 46 | except TypeError: 47 | raise errors.PluginError('Path invalid or file not found.') 48 | 49 | def _setup_credentials(self): 50 | self._configure_file('credentials', 51 | 'Absolute path to ACME-DNS credentials file') 52 | 53 | dns_common.validate_file_permissions(self.conf('credentials')) 54 | 55 | self.credentials = self._configure_credentials( 56 | 'credentials', 57 | 'ACME-DNS Certbot credentials file', 58 | { 59 | 'api-url': 'ACME-DNS-compatible API URL', 60 | 'registration-file': 'JSON file containing ACME-DNS registrations' 61 | } 62 | ) 63 | 64 | self.credentials = self._configure_credentials('credentials', 65 | 'Absolute path to ACME-DNS credentials file', 66 | None, 67 | self._validate_credentials) 68 | 69 | def _perform(self, domain, validation_name, validation): 70 | self._get_acmedns_client().add_txt_record(validation_name, validation) 71 | 72 | def _cleanup(self, domain, validation_name, validation): 73 | self._get_acmedns_client().del_txt_record(validation_name) 74 | 75 | def _get_acmedns_client(self): 76 | return _AcmeDNSClient( 77 | api_url=self.credentials.conf('api-url'), 78 | credentials_file=self.credentials.conf('registration-file'), 79 | ttl=self.ttl 80 | ) 81 | 82 | class _AcmeDNSClient(object): 83 | """ 84 | Encapsulates all communication with the ACME-DNS server. 85 | """ 86 | 87 | def __init__(self, api_url, credentials_file, ttl): 88 | super(_AcmeDNSClient, self).__init__() 89 | 90 | self.credentials_file = credentials_file 91 | self.ttl = ttl 92 | self.client = Client(api_url) 93 | self.account = None 94 | 95 | def add_txt_record(self, record_name, record_content): # pylint: disable=missing-docstring 96 | self._load_credentials(self._get_domain(record_name)) 97 | self.client.update_txt_record(self.account, record_content) 98 | 99 | def del_txt_record(self, record_name): # pylint: disable=missing-docstring, unused-argument 100 | return 101 | 102 | def _get_domain(self, validation_name): 103 | ACME_CHALLENGE_PREFIX = "_acme-challenge." 104 | if isinstance(validation_name, str): 105 | if validation_name.startswith(ACME_CHALLENGE_PREFIX): 106 | return validation_name[len(ACME_CHALLENGE_PREFIX):] 107 | return "" 108 | 109 | def _validate_registration_file(self): 110 | # registration_file here is the JSON file containing as key the domain 111 | # and as value the response returned during ACME-DNS registration 112 | # { 113 | # "something.acme.com": { 114 | # "username": "eabcdb41-d89f-4580-826f-3e62e9755ef2", 115 | # "password": "pbAXVjlIOE01xbut7YnAbkhMQIkcwoHO0ek2j4Q0", 116 | # "fulldomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org", 117 | # "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf", 118 | # "allowfrom": [] 119 | # }, 120 | # "foo.bar.com": { 121 | # "username": "64570f82-d5ca-4839-8306-c4e392d8ae82", 122 | # "password": "bkhMQIkcwoHO0ek2j4Q0pbAXVjlIOE01xbut7YnA", 123 | # "fulldomain": "179adbde-4a06-4f47-af17-1c250106fb9f.auth.example.org", 124 | # "subdomain": "179adbde-4a06-4f47-af17-1c250106fb9f", 125 | # "allowfrom": [] 126 | # } 127 | # } 128 | try: 129 | with open(self.credentials_file) as json_file: 130 | try: 131 | credentials_data = json.load(json_file) 132 | if len(credentials_data.keys()) == 0: 133 | raise errors.PluginError('{}: ACME-DNS registration file is empty?' 134 | .format(self.credentials_file)) 135 | 136 | cred_items = ['username', 'password', 'fulldomain', 'subdomain', 'allowfrom'] 137 | for i in credentials_data.keys(): 138 | if i in cred_items: 139 | raise errors.PluginError('{}: appears to not contain domain as key. ' 140 | 'Make sure the JSON is a dictionary and each ' 141 | 'where the key is the domain and the value is ' 142 | 'the ACME-DNS registration returned for that ' 143 | 'domain.' 144 | .format(self.credentials_file)) 145 | except json.JSONDecodeError: 146 | raise errors.PluginError('{}: unable to parse json file. Make ' 147 | 'sure it\'s a valid json file' 148 | .format(self.credentials_file)) 149 | except IOError as e: 150 | raise errors.PluginError('{}: I/O error' 151 | .format(self.credentials_file)) 152 | except: #handle other exceptions such as attribute errors 153 | raise errors.PluginError('{}: Unexpected error while opening file.' 154 | .format(self.credentials_file)) 155 | 156 | def _load_credentials(self, domain): 157 | storage = Storage(self.credentials_file) 158 | 159 | self.account = storage.fetch(domain) 160 | 161 | if not self.account: 162 | raise errors.PluginError('Unable to find a domain in ' + 163 | self.credentials_file + ' matching "' + 164 | domain + '"') 165 | -------------------------------------------------------------------------------- /certbot_dns_acmedns/dns_acmedns_test.py: -------------------------------------------------------------------------------- 1 | """Tests for certbot_dns_acmedns.dns_acmedns""" 2 | 3 | import unittest 4 | import json 5 | import tempfile 6 | 7 | import mock 8 | 9 | import certbot.compat.os as os 10 | from certbot.compat import filesystem 11 | from certbot import errors 12 | from certbot.plugins import dns_test_common 13 | from certbot.plugins.dns_test_common import DOMAIN 14 | from certbot.tests import util as test_util 15 | 16 | ACMEDNS_REGISTRATION = {"something.acme.com": { 17 | "username": "eabcdb41-d89f-4580-826f-3e62e9755ef2", 18 | "password": "pbAXVjlIOE01xbut7YnAbkhMQIkcwoHO0ek2j4Q0", 19 | "fulldomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org", 20 | "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf", 21 | "allowfrom": [] 22 | }} 23 | 24 | ACMEDNS_URL = 'http://127.0.0.1:14441' 25 | 26 | 27 | class AuthenticatorTest(test_util.TempDirTestCase, 28 | dns_test_common.BaseAuthenticatorTest): 29 | 30 | def setUp(self): 31 | from certbot_dns_acmedns.dns_acmedns import Authenticator 32 | 33 | super(AuthenticatorTest, self).setUp() 34 | 35 | self.reg_file = os.path.join(self.tempdir, 'acmedns-registration.json') 36 | with open(self.reg_file, 'w') as fp: 37 | json.dump(ACMEDNS_REGISTRATION, fp) 38 | filesystem.chmod(self.reg_file, 0o600) 39 | 40 | path = os.path.join(self.tempdir, 'certbot-acmedns-credentials.ini') 41 | 42 | dns_test_common.write( 43 | {"acmedns_api_url": ACMEDNS_URL, 44 | "acmedns_registration_file": self.reg_file}, 45 | path 46 | ) 47 | 48 | self.config = mock.MagicMock(acmedns_credentials=path, 49 | acmedns_propagation_seconds=0) # don't wait during tests 50 | 51 | self.auth = Authenticator(self.config, "acmedns") 52 | 53 | self.mock_client = mock.MagicMock() 54 | # _get_acmedns_client | pylint: disable=protected-access 55 | self.auth._get_acmedns_client = mock.MagicMock(return_value=self.mock_client) 56 | 57 | def test_perform(self): 58 | self.auth.perform([self.achall]) 59 | 60 | expected = [mock.call.add_txt_record("_acme-challenge." + 61 | DOMAIN, mock.ANY)] 62 | self.assertEqual(expected, self.mock_client.mock_calls) 63 | 64 | def test_cleanup(self): 65 | # _attempt_cleanup | pylint: disable=protected-access 66 | self.auth._attempt_cleanup = True 67 | self.auth.cleanup([self.achall]) 68 | 69 | expected = [mock.call.del_txt_record("_acme-challenge." + 70 | DOMAIN)] 71 | self.assertEqual(expected, self.mock_client.mock_calls) 72 | 73 | def test_no_credentials(self): 74 | dns_test_common.write({}, self.config.acmedns_credentials) 75 | self.assertRaises(errors.PluginError, 76 | self.auth.perform, 77 | [self.achall]) 78 | 79 | def test_missing_api_url(self): 80 | dns_test_common.write( 81 | {"acmedns_registration_file": self.reg_file}, 82 | self.config.acmedns_credentials 83 | ) 84 | 85 | self.assertRaises(errors.PluginError, 86 | self.auth.perform, 87 | [self.achall]) 88 | 89 | def test_registration_file_path(self): 90 | dns_test_common.write( 91 | {"acmedns_registration_file": self.reg_file}, 92 | self.config.acmedns_credentials 93 | ) 94 | 95 | self.assertRaises(errors.PluginError, 96 | self.auth.perform, 97 | [self.achall]) 98 | 99 | 100 | class AcmeDNSClientTest(unittest.TestCase): 101 | 102 | TTL = 0 103 | 104 | def setUp(self): 105 | from certbot_dns_acmedns.dns_acmedns import _AcmeDNSClient 106 | 107 | self.fake_client = mock.MagicMock() 108 | 109 | self.ACMEDNS_REGISTRATION_FILE = tempfile.NamedTemporaryFile() 110 | with open(self.ACMEDNS_REGISTRATION_FILE.name, 'w') as fp: 111 | json.dump(ACMEDNS_REGISTRATION, fp) 112 | 113 | filesystem.chmod(self.ACMEDNS_REGISTRATION_FILE.name, 0o600) 114 | 115 | self.acmedns_client = _AcmeDNSClient( 116 | api_url=ACMEDNS_URL, 117 | credentials_file=self.ACMEDNS_REGISTRATION_FILE.name, 118 | ttl=self.TTL 119 | ) 120 | 121 | self.acmedns_client.client = self.fake_client 122 | 123 | def tearDown(self): 124 | # Close the file, the directory will be removed after the test 125 | self.ACMEDNS_REGISTRATION_FILE.close() 126 | 127 | def test_add_txt_record(self): 128 | self.assertEqual(self.acmedns_client.add_txt_record('_acme-challenge.something.acme.com', 129 | mock.ANY), None) 130 | 131 | def test_del_txt_record(self): 132 | self.assertEqual(self.acmedns_client.del_txt_record('_acme-challenge.something.acme.com'), 133 | None) 134 | 135 | def test_missing_credentials(self): 136 | self.assertRaises(errors.PluginError, 137 | self.acmedns_client.add_txt_record, 138 | '_acme-challenge.anotherdomain.acme.com', mock.ANY) 139 | 140 | def test_missing_domain_in_registration(self): 141 | MISSING_DOMAIN = { 142 | "username": "eabcdb41-d89f-4580-826f-3e62e9755ef2", 143 | "password": "pbAXVjlIOE01xbut7YnAbkhMQIkcwoHO0ek2j4Q0", 144 | "fulldomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.org", 145 | "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf", 146 | "allowfrom": [] 147 | } 148 | with open(self.ACMEDNS_REGISTRATION_FILE.name, 'w+') as fp: 149 | json.dump(MISSING_DOMAIN, fp) 150 | 151 | self.assertRaises(errors.PluginError, 152 | self.acmedns_client.add_txt_record, 153 | "mock.ANY", mock.ANY) 154 | 155 | 156 | if __name__ == "__main__": 157 | unittest.main() # pragma: no cover 158 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | networks: 3 | default: 4 | driver: bridge 5 | ipam: 6 | driver: default 7 | config: 8 | - subnet: 10.151.40.0/24 9 | services: 10 | pebble: 11 | image: letsencrypt/pebble:v2.0.0 12 | command: pebble -config /test/config/pebble-config.json -strict -dnsserver 10.151.40.100:53 13 | ports: 14 | # HTTPS ACME API 15 | - 14000:14000 16 | # volumes: 17 | # - ./test/config:/test/config 18 | environment: 19 | - PEBBLE_WFE_NONCEREJECT=0 20 | networks: 21 | default: 22 | ipv4_address: 10.151.40.2 23 | dns: 24 | - 10.151.40.100 25 | recursor: 26 | image: pschiffe/pdns-recursor:alpine 27 | environment: 28 | PDNS_forward_zones: "auth.example.org=10.151.40.10, acme.com=10.151.40.3" 29 | PDNS_loglevel: 9 30 | networks: 31 | default: 32 | ipv4_address: 10.151.40.100 33 | # ports: 34 | # - "8053:53" 35 | # - "8053:53/udp" 36 | acmedns: 37 | image: joohoi/acme-dns:latest 38 | networks: 39 | default: 40 | ipv4_address: 10.151.40.10 41 | dns: 42 | - 10.151.40.100 43 | depends_on: 44 | - recursor 45 | # ports: 46 | # - "443:443" 47 | # - "53:53" 48 | # - "53:53/udp" 49 | # - "80:80" 50 | volumes: 51 | - ./test/acmedns-server:/etc/acme-dns:ro 52 | - ./test/acmedns-server/data:/var/lib/acme-dns 53 | pdns: 54 | image: psitrax/powerdns:v4.2.0 55 | command: 56 | - "--api" 57 | - "--api-key=secret" 58 | - "--webserver" 59 | - "--webserver-address=0.0.0.0" 60 | - "--webserver-allow-from=0.0.0.0/0" 61 | - "--loglevel=10" 62 | environment: 63 | MYSQL_USER: root 64 | MYSQL_PASS: secret 65 | networks: 66 | default: 67 | ipv4_address: 10.151.40.3 68 | depends_on: 69 | - mysql 70 | - recursor 71 | # ports: 72 | # - "8081:8081" 73 | # # - "8053:53" 74 | # # - "8053:53/udp" 75 | dns: 76 | - 10.151.40.100 77 | mysql: 78 | image: mariadb:10.4.7-bionic 79 | networks: 80 | default: 81 | ipv4_address: 10.151.40.4 82 | environment: 83 | MYSQL_ROOT_PASSWORD: secret 84 | dns: 85 | - 10.151.40.100 86 | depends_on: 87 | - recursor 88 | setup: 89 | build: 90 | context: ./test/ 91 | dockerfile: Dockerfile.setup 92 | networks: 93 | default: 94 | ipv4_address: 10.151.40.200 95 | dns: 96 | - 10.151.40.100 97 | depends_on: 98 | - pdns 99 | - recursor 100 | - pebble 101 | - acmedns 102 | command: 103 | - sh 104 | - -c 105 | - | 106 | # check if pdns is ready 107 | while true; do 108 | echo "Checking if PDNS is up and responding ... " 109 | if curl -s -f http://pdns:8081/api -H "X-API-Key: secret"; then 110 | break 111 | fi 112 | sleep 1 113 | done 114 | # check if pebble is ready 115 | while true; do 116 | echo "Checking if Pebble is up and responding ... " 117 | if curl -s -k -f https://pebble:14000/dir; then 118 | break 119 | fi 120 | sleep 1 121 | done 122 | # check if acmedns is ready 123 | while true; do 124 | echo "Checking if ACME-DNS is up and responding ... " 125 | if curl -s -f http://acmedns/health; then 126 | break 127 | fi 128 | sleep 1 129 | done 130 | curl -s -X POST http://pdns:8081/api/v1/servers/localhost/zones \ 131 | -d '{"name": "acme.com.", "kind": "Native", "soa_edit_api": "", "nameservers": ["ns1.acme.com."]}' \ 132 | -H "X-API-Key: secret" 133 | curl -s -X POST http://pdns:8081/api/v1/servers/localhost/zones \ 134 | -d '{"name": "in-addr.arpa.", "kind": "Native", "nameservers": ["ns1.acme.com."]}' \ 135 | -H "X-API-Key: secret" -------------------------------------------------------------------------------- /linter_plugin.py: -------------------------------------------------------------------------------- 1 | """ 2 | Certbot PyLint plugin. 3 | 4 | The built-in ImportChecker of Pylint does a similar job to ForbidStandardOsModule to detect 5 | deprecated modules. You can check its behavior as a reference to what is coded here. 6 | See https://github.com/PyCQA/pylint/blob/b20a2984c94e2946669d727dbda78735882bf50a/pylint/checkers/imports.py#L287 7 | See http://docs.pylint.org/plugins.html 8 | """ 9 | from pylint.checkers import BaseChecker 10 | from pylint.interfaces import IAstroidChecker 11 | 12 | # Modules in theses packages can import the os module. 13 | WHITELIST_PACKAGES = ['acme', 'certbot_compatibility_test', 'letshelp_certbot', 'lock_test'] 14 | 15 | 16 | class ForbidStandardOsModule(BaseChecker): 17 | """ 18 | This checker ensures that standard os module (and submodules) is not imported by certbot 19 | modules. Otherwise an 'os-module-forbidden' error will be registered for the faulty lines. 20 | """ 21 | __implements__ = IAstroidChecker 22 | 23 | name = 'forbid-os-module' 24 | msgs = { 25 | 'E5001': ( 26 | 'Forbidden use of os module, certbot.compat.os must be used instead', 27 | 'os-module-forbidden', 28 | 'Some methods from the standard os module cannot be used for security reasons on Windows: ' 29 | 'the safe wrapper certbot.compat.os must be used instead in Certbot.' 30 | ) 31 | } 32 | priority = -1 33 | 34 | def visit_import(self, node): 35 | os_used = any(name for name in node.names if name[0] == 'os' or name[0].startswith('os.')) 36 | if os_used and not _check_disabled(node): 37 | self.add_message('os-module-forbidden', node=node) 38 | 39 | def visit_importfrom(self, node): 40 | if node.modname == 'os' or node.modname.startswith('os.') and not _check_disabled(node): 41 | self.add_message('os-module-forbidden', node=node) 42 | 43 | 44 | def register(linter): 45 | """Pylint hook to auto-register this linter""" 46 | linter.register_checker(ForbidStandardOsModule(linter)) 47 | 48 | 49 | def _check_disabled(node): 50 | module = node.root() 51 | return any(package for package in WHITELIST_PACKAGES 52 | if module.name.startswith(package + '.') or module.name == package) 53 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [bdist_wheel] 2 | # This flag says that the code is written to work on both Python 2 and Python 3 | # 3. If at all possible, it is good practice to do this. If you cannot, you 4 | # will need to generate wheels for each Python version that you support. 5 | universal=1 6 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | from os import path 3 | from setuptools import setup 4 | from setuptools import find_packages 5 | 6 | version = "0.1.0" 7 | 8 | with open('README.md') as f: 9 | long_description = f.read() 10 | 11 | install_requires = [ 12 | 'acme>=0.31.0', 13 | 'certbot>=0.31.0', 14 | 'pyacmedns', 15 | 'dnspython', 16 | 'mock', 17 | 'setuptools', 18 | 'zope.interface', 19 | 'requests' 20 | ] 21 | 22 | here = path.abspath(path.dirname(__file__)) 23 | 24 | setup( 25 | name='certbot-dns-acmedns', 26 | version=version, 27 | 28 | description="ACME-DNS DNS Authenticator plugin for Certbot", 29 | long_description=long_description, 30 | long_description_content_type='text/markdown', 31 | url='https://github.com/pan-net-security/certbot-dns-acmedns', 32 | author="DT Pan-Net s.r.o", 33 | author_email='pannet.security@pan-net.eu', 34 | license='Apache License 2.0', 35 | python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*', 36 | classifiers=[ 37 | 'Development Status :: 5 - Production/Stable', 38 | 'Environment :: Plugins', 39 | 'Intended Audience :: System Administrators', 40 | 'License :: OSI Approved :: Apache Software License', 41 | 'Operating System :: POSIX :: Linux', 42 | 'Programming Language :: Python', 43 | 'Programming Language :: Python :: 2', 44 | 'Programming Language :: Python :: 2.7', 45 | 'Programming Language :: Python :: 3', 46 | 'Programming Language :: Python :: 3.5', 47 | 'Programming Language :: Python :: 3.6', 48 | 'Programming Language :: Python :: 3.7', 49 | 'Topic :: Internet :: WWW/HTTP', 50 | 'Topic :: Security', 51 | 'Topic :: System :: Installation/Setup', 52 | 'Topic :: System :: Networking', 53 | 'Topic :: System :: Systems Administration', 54 | 'Topic :: Utilities', 55 | ], 56 | 57 | packages=find_packages(), 58 | install_requires=install_requires, 59 | 60 | # extras_require={ 61 | # 'docs': docs_extras, 62 | # }, 63 | 64 | entry_points={ 65 | 'certbot.plugins': [ 66 | 'dns-acmedns = certbot_dns_acmedns.dns_acmedns:Authenticator', 67 | ], 68 | }, 69 | tests_require=['mock'], 70 | test_suite='certbot_dns_acmedns', 71 | ) 72 | -------------------------------------------------------------------------------- /test/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine 2 | 3 | RUN apk --no-cache add curl bind-tools python3 python3-dev gcc libc-dev libffi-dev openssl-dev jq 4 | 5 | RUN pip3 install certbot -------------------------------------------------------------------------------- /test/Dockerfile.setup: -------------------------------------------------------------------------------- 1 | FROM alpine 2 | 3 | RUN apk --no-cache add curl -------------------------------------------------------------------------------- /test/acmedns-server/config.cfg: -------------------------------------------------------------------------------- 1 | [general] 2 | # DNS interface. Note that systemd-resolved may reserve port 53 on 127.0.0.53 3 | # In this case acme-dns will error out and you will need to define the listening interface 4 | # for example: listen = "127.0.0.1:53" 5 | listen = "0.0.0.0:53" 6 | # protocol, "both", "both4", "both6", "udp", "udp4", "udp6" or "tcp", "tcp4", "tcp6" 7 | protocol = "both" 8 | # domain name to serve the requests off of 9 | domain = "auth.example.org" 10 | # zone name server 11 | nsname = "auth.example.org" 12 | # admin email address, where @ is substituted with . 13 | nsadmin = "admin.example.org" 14 | # predefined records served in addition to the TXT 15 | records = [ 16 | # domain pointing to the public IP of your acme-dns server 17 | "auth.example.org. A 10.151.40.10", 18 | # specify that auth.example.org will resolve any *.auth.example.org records 19 | "auth.example.org. NS auth.example.org.", 20 | ] 21 | # debug messages from CORS etc 22 | debug = false 23 | 24 | [database] 25 | # Database engine to use, sqlite3 or postgres 26 | engine = "sqlite3" 27 | # Connection string, filename for sqlite3 and postgres://$username:$password@$host/$db_name for postgres 28 | # Please note that the default Docker image uses path /var/lib/acme-dns/acme-dns.db for sqlite3 29 | connection = "/var/lib/acme-dns/acme-dns.db" 30 | # connection = "postgres://user:password@localhost/acmedns_db" 31 | 32 | [api] 33 | # listen ip eg. 127.0.0.1 34 | ip = "0.0.0.0" 35 | # disable registration endpoint 36 | disable_registration = false 37 | # listen port, eg. 443 for default HTTPS 38 | port = "80" 39 | # possible values: "letsencrypt", "letsencryptstaging", "cert", "none" 40 | tls = "none" 41 | # only used if tls = "cert" 42 | tls_cert_privkey = "/etc/tls/example.org/privkey.pem" 43 | tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem" 44 | # only used if tls = "letsencrypt" 45 | acme_cache_dir = "api-certs" 46 | # CORS AllowOrigins, wildcards can be used 47 | corsorigins = [ 48 | "*" 49 | ] 50 | # use HTTP header to get the client ip 51 | use_header = false 52 | # header name to pull the ip address / list of ip addresses from 53 | header_name = "X-Forwarded-For" 54 | 55 | [logconfig] 56 | # logging level: "error", "warning", "info" or "debug" 57 | loglevel = "debug" 58 | # possible values: stdout, TODO file & integrations 59 | logtype = "stdout" 60 | # file path for logfile TODO 61 | # logfile = "./acme-dns.log" 62 | # format, either "json" or "text" 63 | logformat = "text" -------------------------------------------------------------------------------- /test/acmedns-server/data/acme-dns.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pan-net-security/certbot-dns-acmedns/1a02e2b175afb0b2f9b449943fcc626a02b94d6d/test/acmedns-server/data/acme-dns.db -------------------------------------------------------------------------------- /test/e2e_test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | TEMP_DIR=$(mktemp -d 2>/dev/null || echo '/tmp/'$(date +%Y-%m-%d-%H-%M-%S) ) 4 | OUTPUT_FILE="$TEMP_DIR/output" 5 | export PYTHONWARNINGS="ignore:Unverified HTTPS request" 6 | 7 | CREDENTIALS_FILE_PATH="$TEMP_DIR/credentials.ini" 8 | 9 | 10 | ## Step 1 - Define the FQDN(s) certificates must be issued 11 | TEST_FQDN="something.acme.com" 12 | curl -s -X PATCH http://pdns:8081/api/v1/servers/localhost/zones/acme.com. \ 13 | -d '{"rrsets": [ {"name": "'$TEST_FQDN'.", "type": "A", "ttl": 30, "changetype": "REPLACE", "records": [ {"content": "127.0.0.50", "disabled": false } ] } ] }' \ 14 | -H "X-API-Key: secret" 15 | 16 | ## Step 2 - Register in ACME-DNS and write the JSON file 17 | # The file should look like this: 18 | # { 19 | # "something.acme.com": { 20 | # "username": "2db9cee2-0af7-4725-9b02-ba575a2f839f", 21 | # "password": "i4OWCMMoCAcbv3sbsaX5_w0OM_SQpyMG2ZeRsuAM", 22 | # "fulldomain": "76d61ca7-70aa-4cc8-8f2f-347bd9b32ca4.auth.example.org", 23 | # "subdomain": "76d61ca7-70aa-4cc8-8f2f-347bd9b32ca4", 24 | # "allowfrom": [] 25 | # } 26 | # } 27 | 28 | ACME_REGISTRATION_FILE="$TEMP_DIR/acme-registration.json" 29 | echo '{}' | jq --arg domain $TEST_FQDN \ 30 | --argjson creds \ 31 | "$(curl -s -k -X POST http://acmedns/register)" '.[$domain] += $creds' \ 32 | > $ACME_REGISTRATION_FILE 33 | 34 | ## Step 3 - Setup the CNAME for the FQDN 35 | # grab full domain from registration 36 | ACMEDNS_FULLDOMAIN=$(jq -r --arg fqdn $TEST_FQDN '.[$fqdn].fulldomain' $ACME_REGISTRATION_FILE)"." 37 | 38 | # crete _acme-challenge CNAME for the FQDN 39 | curl -s -X PATCH http://pdns:8081/api/v1/servers/localhost/zones/acme.com. \ 40 | -d '{"rrsets": [ {"name": "_acme-challenge.'$TEST_FQDN'.", "type": "CNAME", "ttl": 30, "changetype": "REPLACE", "records": [ {"content": "'$ACMEDNS_FULLDOMAIN'", "disabled": false } ] } ] }' \ 41 | -H "X-API-Key: secret" 42 | 43 | # give some quick for propagation 44 | sleep 5 45 | 46 | # verify the CNAME is resolving and correct 47 | DIG_RESULT=$(dig +short _acme-challenge.$TEST_FQDN CNAME) 48 | 49 | if [ "$ACMEDNS_FULLDOMAIN" = "$DIG_RESULT" ]; then 50 | echo "CNAME set and matches the ACME-DNS fulldomain, continuing.." 51 | else 52 | echo "CNAME for _acme-challenge."$TEST_FQDN" should be set and matching to "$ACMEDNS_FULLDOMAIN 53 | fi 54 | 55 | # Step 4 - Configure ACME-DNS Certbot ini file and set permissions 56 | echo 'certbot_dns_acmedns:dns_acmedns_api_url = http://acmedns' > $CREDENTIALS_FILE_PATH 57 | echo "certbot_dns_acmedns:dns_acmedns_registration_file = $ACME_REGISTRATION_FILE" >> $CREDENTIALS_FILE_PATH 58 | chmod 0600 $CREDENTIALS_FILE_PATH 59 | chmod 0600 $ACME_REGISTRATION_FILE 60 | 61 | echo "# Logs, certificates, keys, accounts will be contained in '$TEMP_DIR'" 62 | 63 | mkdir -p $TEMP_DIR/var/log/letsencrypt \ 64 | $TEMP_DIR/etc/letsencrypt \ 65 | $TEMP_DIR/var/lib/letsencrypt 66 | 67 | chmod -R 0755 $TEMP_DIR/var/log/letsencrypt \ 68 | $TEMP_DIR/etc/letsencrypt \ 69 | $TEMP_DIR/var/lib/letsencrypt 70 | 71 | 72 | # Step 4 - Request the certificate 73 | certbot \ 74 | --certbot-dns-acmedns:dns-acmedns-credentials $CREDENTIALS_FILE_PATH \ 75 | --certbot-dns-acmedns:dns-acmedns-propagation-seconds 5 \ 76 | --authenticator certbot-dns-acmedns:dns-acmedns \ 77 | --logs-dir $TEMP_DIR/var/log/letsencrypt/ \ 78 | --server https://pebble:14000/dir \ 79 | --work-dir $TEMP_DIR/var/lib/letsencrypt \ 80 | --config-dir $TEMP_DIR/etc/letsencrypt \ 81 | --domains $TEST_FQDN \ 82 | --email admin@TEST_FQDN \ 83 | --non-interactive \ 84 | --no-verify-ssl \ 85 | --agree-tos \ 86 | --debug \ 87 | certonly | tee -a $OUTPUT_FILE 88 | 89 | echo "# Files created in '$TEMP_DIR': " 90 | find ${TEMP_DIR:-/tmp}/ 91 | 92 | set -e 93 | grep -qi 'CONGRATULATIONS' $OUTPUT_FILE --------------------------------------------------------------------------------