| author | David T. Sadler <davidtsadler@googlemail.com> | 2021-05-28 22:46:32 +0100 |
|---|---|---|
| committer | David T. Sadler <davidtsadler@googlemail.com> | 2021-05-28 22:46:32 +0100 |
| commit | d37759c0f2dd5a5ddcc38da0e29be134bceb7baa (patch) | |
| tree | 2122e8819ce0ff08b819a4823a3f3b04655d5c95 | |
| parent | d961a4c15d94aaf3139bac41355ea6bd7fe47eb4 (diff) | |
Pre and Post Validation Hooks with Certbot
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | gemini/index.gmi | 1 |
| -rw-r--r-- | gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi | 66 |
| -rw-r--r-- | gemini/posts/letsencrypt/index.gmi | 1 |
| -rw-r--r-- | www/index.html | 2 |
| -rw-r--r-- | www/posts/atom.xml | 25 |
| -rw-r--r-- | www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html | 40 |
| -rw-r--r-- | www/posts/letsencrypt/atom.xml | 25 |
| -rw-r--r-- | www/posts/letsencrypt/index.html | 2 |
| -rw-r--r-- | www/sitemap.xml | 4 |
9 files changed, 162 insertions, 4 deletions
diff --git a/gemini/index.gmi b/gemini/index.gmi index cf562cf..2e71726 100644 --- a/gemini/index.gmi +++ b/gemini/index.gmi @@ -4,6 +4,7 @@ Hello and welcome to my little bit of the internet where I occasionally write ab ## Latest Posts +=> /posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/ 2021-05-28 - Pre and Post Validation Hooks with Certbot => /posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/ 2021-05-27 - Wildcard Certificates with Let's Encrypt => /posts/nextcloud/2021-02-15/accessing-nextcloud-with-webdav-on-arch/ 2021-02-15 - Accessing Nextcloud With WebDAV on Arch => /posts/gemini/2021-02-08/how-to-host-your-own-gemini-site-in-the-cloud/ 2021-02-08 - How to Host Your Own Gemini Site in the Cloud diff --git a/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi b/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi new file mode 100644 index 0000000..6db784c --- /dev/null +++ b/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi 
@@ -0,0 +1,66 @@ +# Pre and Post Validation Hooks with Certbot + +> Fri 28th May 2021 By David T. Sadler. + +I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires. + +Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain. + +Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook. + +Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server. + +When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated. + +The auth script is shown below. 
+ +```bash +#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25 +``` + +Below is the cleanup script. + +```bash +#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt +``` + +With these scripts I can setup the below cron job to call certbot. + +``` +0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh > /dev/null 2>&1 +``` + +### Links + +=> https://letsencrypt.org/docs/challenge-types/#dns-01-challenge Let's Encrypt DNS-01 challenge. +=> https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks Certbot manual on pre and post validation hooks. +=> https://mailinabox.email Mail-in-a-Box. Self hosting mail server. + +=> /posts/letsencrypt/ Let's Encrypt - Read More Posts. + +I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to. + +=> mailto:david@davidtsadler.com Email david@davidtsadler.com + +### License + +=> https://creativecommons.org/licenses/by-sa/4.0/ The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. + +Copyright © 2021 David T. Sadler. + +=> / Return to Homepage. diff --git a/gemini/posts/letsencrypt/index.gmi b/gemini/posts/letsencrypt/index.gmi index fe64dd0..e1d1d53 100644 --- a/gemini/posts/letsencrypt/index.gmi +++ b/gemini/posts/letsencrypt/index.gmi 
@@ -1,5 +1,6 @@ # The Home of David T. Sadler - All Posts About Let's Encrypt +=> /posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/ 2021-05-28 - Pre and Post Validation Hooks with Certbot => /posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/ 2021-05-27 - Wildcard Certificates with Let's Encrypt ### License diff --git a/www/index.html b/www/index.html index 19b0305..a104a2b 100644 --- a/www/index.html +++ b/www/index.html 
@@ -18,7 +18,7 @@ <link href="/posts/php/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About PHP"/> </head> <body> - <section><h1>The Home of David T. Sadler</h1><p>Hello and welcome to my little bit of the internet where I occasionally write about things that interest me. You might find my posts interesting or you might not and that's okay.</p><h2>Latest Posts</h2><a href="/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/">2021-05-27 - Wildcard Certificates with Let's Encrypt</a><a href="/posts/nextcloud/2021-02-15/accessing-nextcloud-with-webdav-on-arch/">2021-02-15 - Accessing Nextcloud With WebDAV on Arch</a><a href="/posts/gemini/2021-02-08/how-to-host-your-own-gemini-site-in-the-cloud/">2021-02-08 - How to Host Your Own Gemini Site in the Cloud</a><a href="/posts/php/2021-01-18/installing-php-8-for-windows-10/">2021-01-18 - Installing PHP 8 for Windows 10</a><a href="/posts/laravel/2020-12-21/installing-laravel-homestead-in-arch-linux/">2020-12-21 - Installing Laravel Homestead in Arch Linux</a><a href="/posts/laravel/2020-12-14/sqlstate-hy000-2002-php-network-getaddresses-getaddrinfo-failed/">2020-12-14 - SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed</a><a href="/posts/arch/2020-09-07/installing-zsh-and-powerlevel10k-on-arch-linux/">2020-09-07 - Installing Zsh and Powerlevel10k on Arch Linux</a><a href="/posts/arch/2020-08-31/enabling-audio-in-arch-linux/">2020-08-31 - Enabling Audio in Arch Linux</a><a href="/posts/arch/2020-08-24/pacman-cheat-sheet-for-ubuntu-users/">2020-08-24 - Pacman Cheat Sheet For Ubuntu Users</a><a href="/posts/arch/2020-08-17/installing-st-dmenu-dwm-in-arch-linux/">2020-08-17 - Installing ST, DMENU and DWM in Arch Linux</a><a href="/posts/linux/2020-07-13/sudo-sorry-you-must-have-a-tty-to-run-sudo/">2020-07-13 - Sudo: sorry, you must have a tty to run sudo</a><a 
href="/posts/arch/2020-06-22/granting-sudo-access-to-a-user-in-arch-linux/">2020-06-22 - Granting Sudo Access to a User in Arch Linux</a><a href="/posts/arch/2020-06-15/adding-a-user-in-arch-linux/">2020-06-15 - Adding a User in Arch Linux</a><a href="/posts/netlify/2020-06-08/publishing-jigsaw-posts-with-netlify-build-hooks/">2020-06-08 - Publishing Jigsaw Posts With Netlify Build Hooks</a><a href="/posts/jigsaw/2020-06-01/scheduling-posts-in-jigsaw/">2020-06-01 - Scheduling Posts in Jigsaw</a><a href="/posts/arch/2020-05-25/installing-arch-linux-on-a-thinkpad-x220/">2020-05-25 - Installing Arch Linux on a Thinkpad X220</a><a href="/posts/markdown/2020-03-30/creating-an-ebook-with-markdown/">2020-03-30 - Creating an Ebook With Markdown</a><h2>All Posts</h2><a href="/posts/">Post Archive</a><h2>Tags</h2><a href="/posts/arch/">Arch</a><a href="/posts/gemini/">Gemini</a><a href="/posts/jigsaw/">Jigsaw</a><a href="/posts/laravel/">Laravel</a><a href="/posts/letsencrypt/">Let's Encrypt</a><a href="/posts/linux/">Linux</a><a href="/posts/markdown/">Markdown</a><a href="/posts/netlify/">Netlify</a><a href="/posts/nextcloud/">Nextcloud</a><a href="/posts/php/">PHP</a><h2>Where to Find Me</h2><a href="https://github.com/davidtsadler/">GitHub</a><a href="gemini://davidtsadler.com/">Gemini Site</a><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p></section> + <section><h1>The Home of David T. Sadler</h1><p>Hello and welcome to my little bit of the internet where I occasionally write about things that interest me. 
You might find my posts interesting or you might not and that's okay.</p><h2>Latest Posts</h2><a href="/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/">2021-05-28 - Pre and Post Validation Hooks with Certbot</a><a href="/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/">2021-05-27 - Wildcard Certificates with Let's Encrypt</a><a href="/posts/nextcloud/2021-02-15/accessing-nextcloud-with-webdav-on-arch/">2021-02-15 - Accessing Nextcloud With WebDAV on Arch</a><a href="/posts/gemini/2021-02-08/how-to-host-your-own-gemini-site-in-the-cloud/">2021-02-08 - How to Host Your Own Gemini Site in the Cloud</a><a href="/posts/php/2021-01-18/installing-php-8-for-windows-10/">2021-01-18 - Installing PHP 8 for Windows 10</a><a href="/posts/laravel/2020-12-21/installing-laravel-homestead-in-arch-linux/">2020-12-21 - Installing Laravel Homestead in Arch Linux</a><a href="/posts/laravel/2020-12-14/sqlstate-hy000-2002-php-network-getaddresses-getaddrinfo-failed/">2020-12-14 - SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed</a><a href="/posts/arch/2020-09-07/installing-zsh-and-powerlevel10k-on-arch-linux/">2020-09-07 - Installing Zsh and Powerlevel10k on Arch Linux</a><a href="/posts/arch/2020-08-31/enabling-audio-in-arch-linux/">2020-08-31 - Enabling Audio in Arch Linux</a><a href="/posts/arch/2020-08-24/pacman-cheat-sheet-for-ubuntu-users/">2020-08-24 - Pacman Cheat Sheet For Ubuntu Users</a><a href="/posts/arch/2020-08-17/installing-st-dmenu-dwm-in-arch-linux/">2020-08-17 - Installing ST, DMENU and DWM in Arch Linux</a><a href="/posts/linux/2020-07-13/sudo-sorry-you-must-have-a-tty-to-run-sudo/">2020-07-13 - Sudo: sorry, you must have a tty to run sudo</a><a href="/posts/arch/2020-06-22/granting-sudo-access-to-a-user-in-arch-linux/">2020-06-22 - Granting Sudo Access to a User in Arch Linux</a><a href="/posts/arch/2020-06-15/adding-a-user-in-arch-linux/">2020-06-15 - Adding a User in Arch Linux</a><a 
href="/posts/netlify/2020-06-08/publishing-jigsaw-posts-with-netlify-build-hooks/">2020-06-08 - Publishing Jigsaw Posts With Netlify Build Hooks</a><a href="/posts/jigsaw/2020-06-01/scheduling-posts-in-jigsaw/">2020-06-01 - Scheduling Posts in Jigsaw</a><a href="/posts/arch/2020-05-25/installing-arch-linux-on-a-thinkpad-x220/">2020-05-25 - Installing Arch Linux on a Thinkpad X220</a><a href="/posts/markdown/2020-03-30/creating-an-ebook-with-markdown/">2020-03-30 - Creating an Ebook With Markdown</a><h2>All Posts</h2><a href="/posts/">Post Archive</a><h2>Tags</h2><a href="/posts/arch/">Arch</a><a href="/posts/gemini/">Gemini</a><a href="/posts/jigsaw/">Jigsaw</a><a href="/posts/laravel/">Laravel</a><a href="/posts/letsencrypt/">Let's Encrypt</a><a href="/posts/linux/">Linux</a><a href="/posts/markdown/">Markdown</a><a href="/posts/netlify/">Netlify</a><a href="/posts/nextcloud/">Nextcloud</a><a href="/posts/php/">PHP</a><h2>Where to Find Me</h2><a href="https://github.com/davidtsadler/">GitHub</a><a href="gemini://davidtsadler.com/">Gemini Site</a><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p></section> <script defer src="/js/highlight.min.js"></script> <script defer src="/js/site.js"></script> </body> diff --git a/www/posts/atom.xml b/www/posts/atom.xml index 50c6ace..c8a3a38 100644 --- a/www/posts/atom.xml +++ b/www/posts/atom.xml 
@@ -4,8 +4,31 @@ <id>https://davidtsadler.com/posts/atom.xml</id> <link rel="alternate" type="text/html" href="https://davidtsadler.com/posts/index.html"/> <link rel="self" type="application/atom+xml" href="https://davidtsadler.com/posts/atom.xml"/> - <updated>2021-05-27T12:00:00Z</updated> + <updated>2021-05-28T12:00:00Z</updated> <entry> + <title type="text">Pre and Post Validation Hooks with Certbot</title> + <id>https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html</id> + <link rel="alternate" type="text/html" href="https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html"/> + <author><name>David T. Sadler.</name></author> + <published>2021-05-28T12:00:00Z</published> + <updated>2021-05-28T12:00:00Z</updated> + <content type="html"><h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. 
The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25</code></pre><p>Below is the cleanup script.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh &gt; /dev/null 2&gt;&amp;1</pre><h3>Links</h3><a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let's Encrypt DNS-01 challenge.</a><a 
href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></content> +</entry><entry> <title type="text">Wildcard Certificates with Let's Encrypt</title> <id>https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html</id> <link rel="alternate" type="text/html" href="https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html"/> diff --git a/www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html b/www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html new file mode 100644 index 0000000..c6560a3 --- /dev/null +++ b/www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html 
@@ -0,0 +1,40 @@ +<!doctype html> +<html lang="en"> + <head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <title>Pre and Post Validation Hooks with Certbot</title> + <link rel="shortcut icon" href="/images/favicon.png"> + <link rel="stylesheet" href="/css/site.css"> + <link href="/posts/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts"/> + <link href="/posts/arch/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Arch"/> + <link href="/posts/gemini/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Gemini"/> + <link href="/posts/jigsaw/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Jigsaw"/> + <link href="/posts/laravel/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Laravel"/> + <link href="/posts/linux/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Linux"/> + <link href="/posts/markdown/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Markdown"/> + <link href="/posts/netlify/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Netlify"/> + <link href="/posts/nextcloud/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About Nextcloud"/> + <link href="/posts/php/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About PHP"/> + </head> + <body> + <section><h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. 
Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. 
Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25</code></pre><p>Below is the cleanup script.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh > /dev/null 2>&1</pre><h3>Links</h3><a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let's Encrypt DNS-01 challenge.</a><a href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. 
Sadler.</p><a href="/">Return to Homepage.</a></section> + <script defer src="/js/highlight.min.js"></script> + <script defer src="/js/site.js"></script> + </body> +</html> diff --git a/www/posts/letsencrypt/atom.xml b/www/posts/letsencrypt/atom.xml index 5b6319e..3c27726 100644 --- a/www/posts/letsencrypt/atom.xml +++ b/www/posts/letsencrypt/atom.xml 
@@ -4,8 +4,31 @@ <id>https://davidtsadler.com/posts/letsencrypt/atom.xml</id> <link rel="alternate" type="text/html" href="https://davidtsadler.com/posts/letsencrypt/index.html"/> <link rel="self" type="application/atom+xml" href="https://davidtsadler.com/posts/letsencrypt/atom.xml"/> - <updated>2021-05-27T12:00:00Z</updated> + <updated>2021-05-28T12:00:00Z</updated> <entry> + <title type="text">Pre and Post Validation Hooks with Certbot</title> + <id>https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html</id> + <link rel="alternate" type="text/html" href="https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html"/> + <author><name>David T. Sadler.</name></author> + <published>2021-05-28T12:00:00Z</published> + <updated>2021-05-28T12:00:00Z</updated> + <content type="html"><h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. 
These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25</code></pre><p>Below is the cleanup script.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh &gt; /dev/null 2&gt;&amp;1</pre><h3>Links</h3><a 
href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let's Encrypt DNS-01 challenge.</a><a href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></content> +</entry><entry> <title type="text">Wildcard Certificates with Let's Encrypt</title> <id>https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html</id> <link rel="alternate" type="text/html" href="https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html"/> diff --git a/www/posts/letsencrypt/index.html b/www/posts/letsencrypt/index.html index 6b8e7f3..fc4be44 100644 --- a/www/posts/letsencrypt/index.html +++ b/www/posts/letsencrypt/index.html 
@@ -18,7 +18,7 @@ <link href="/posts/php/atom.xml" type="application/atom+xml" rel="alternate" title="The Home of David T. Sadler - All Posts About PHP"/> </head> <body> - <section><h1>The Home of David T. Sadler - All Posts About Let's Encrypt</h1><a href="/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/">2021-05-27 - Wildcard Certificates with Let's Encrypt</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></section> + <section><h1>The Home of David T. Sadler - All Posts About Let's Encrypt</h1><a href="/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/">2021-05-28 - Pre and Post Validation Hooks with Certbot</a><a href="/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/">2021-05-27 - Wildcard Certificates with Let's Encrypt</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a></section> <script defer src="/js/highlight.min.js"></script> <script defer src="/js/site.js"></script> </body> diff --git a/www/sitemap.xml b/www/sitemap.xml index a1c5af2..13e5880 100644 --- a/www/sitemap.xml +++ b/www/sitemap.xml 
@@ -1,6 +1,10 @@ <?xml version="1.0" encoding="utf-8"?> <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"> <url> + <loc>https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html</loc> + <lastmod>2021-05-28T12:00:00Z</lastmod> + <changefreq>never</changefreq> +</url><url> <loc>https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html</loc> <lastmod>2021-05-27T12:00:00Z</lastmod> <changefreq>never</changefreq> |
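Review bot: in the gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi hunk, both hook scripts pass `--user $EMAIL:$PASSWORD` unquoted, so a password containing spaces, which the sample value `PASSWORD='super strong password'` does, is word-split and curl receives the trailing words as extra URL arguments; it should read `--user "$EMAIL:$PASSWORD"` (the `-d "$CERTBOT_VALIDATION"` argument is already quoted correctly). In the same hunk, `curl -s` without `--fail` means a rejected login or a 4xx/5xx response still leaves the script exiting 0, so certbot waits out the `sleep 25` and then fails validation with no indication of why; adding `--fail` (and `set -e` at the top) makes the auth hook exit non-zero and lets certbot report the real error. The scripts carry a Mail-in-a-Box admin login in plain text and run as root from cron, so they should be mode 0700, or the credentials moved to a separate 0600 file read via `--netrc-file`. The fixed `sleep 25` is a guess at propagation; polling the zone's authoritative nameserver for the TXT value before returning is more robust. The cron line combines `-q` with `> /dev/null 2>&1`, which makes a renewal failure completely silent; dropping the redirect so cron mails the output, or logging to a file, would surface it. One caveat on the cleanup script: `-X DELETE -d "$CERTBOT_VALIDATION"` removes only that one value, which is the right behaviour when the certificate also covers the bare domain, since certbot then calls the auth hook once per name and two TXT values sit under the same `_acme-challenge` record.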
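Review bot: in the www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html hunk, the generated page embeds the same two hook scripts with the same unquoted `--user $EMAIL:$PASSWORD`, so the quoting fix has to be made in the gemini source and this file regenerated, otherwise the published HTML keeps showing a script that breaks on the very password format the text recommends.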
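Review bot: in the www/posts/atom.xml hunk, the new entry's `<content type="html">` carries the post's markup as raw XML child elements (`<h1>`, `<p>`, `<pre>`), while only quotes, `>` and `&` inside the code blocks were entity-escaped (`&quot;$CERTBOT_VALIDATION&quot;`, `&gt; /dev/null 2&gt;&amp;1`). RFC 4287 requires that `type="html"` content contain no child elements and be escaped as a whole (`&lt;h1&gt;...`); the alternative is `type="xhtml"` with a single `<div xmlns="http://www.w3.org/1999/xhtml">` wrapper. As committed, strict feed validators flag the entry and some readers drop the markup. Minor: `<author><name>David T. Sadler.</name></author>` has a trailing full stop that belongs to the byline, not the name.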
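Review bot: the www/posts/letsencrypt/atom.xml hunk has the same `<content type="html">` escaping problem and the same trailing full stop in `<author><name>David T. Sadler.</name></author>` as the www/posts/atom.xml hunk; both feeds are evidently produced by the same generator, so the fix belongs there rather than in either file.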
