| Field | Value | Date |
|---|---|---|
| author | David T. Sadler <davidtsadler@googlemail.com> | 2021-05-28 22:46:32 +0100 |
| committer | David T. Sadler <davidtsadler@googlemail.com> | 2021-05-28 22:46:32 +0100 |
| commit | d37759c0f2dd5a5ddcc38da0e29be134bceb7baa (patch) | |
| tree | 2122e8819ce0ff08b819a4823a3f3b04655d5c95 /gemini | |
| parent | d961a4c15d94aaf3139bac41355ea6bd7fe47eb4 (diff) | |
Pre and Post Validation Hooks with Certbot
Diffstat (limited to 'gemini')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | gemini/index.gmi | 1 |
| -rw-r--r-- | gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi | 66 |
| -rw-r--r-- | gemini/posts/letsencrypt/index.gmi | 1 |
3 files changed, 68 insertions, 0 deletions
diff --git a/gemini/index.gmi b/gemini/index.gmi index cf562cf..2e71726 100644 --- a/gemini/index.gmi +++ b/gemini/index.gmi @@ -4,6 +4,7 @@ Hello and welcome to my little bit of the internet where I occasionally write ab ## Latest Posts +=> /posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/ 2021-05-28 - Pre and Post Validation Hooks with Certbot => /posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/ 2021-05-27 - Wildcard Certificates with Let's Encrypt => /posts/nextcloud/2021-02-15/accessing-nextcloud-with-webdav-on-arch/ 2021-02-15 - Accessing Nextcloud With WebDAV on Arch => /posts/gemini/2021-02-08/how-to-host-your-own-gemini-site-in-the-cloud/ 2021-02-08 - How to Host Your Own Gemini Site in the Cloud diff --git a/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi b/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi new file mode 100644 index 0000000..6db784c --- /dev/null +++ b/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi 
@@ -0,0 +1,66 @@ +# Pre and Post Validation Hooks with Certbot + +> Fri 28th May 2021 By David T. Sadler. + +I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires. + +Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain. + +Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook. + +Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server. + +When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated. + +The auth script is shown below. 
+ +```bash +#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25 +``` + +Below is the cleanup script. + +```bash +#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt +``` + +With these scripts I can setup the below cron job to call certbot. + +``` +0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh > /dev/null 2>&1 +``` + +### Links + +=> https://letsencrypt.org/docs/challenge-types/#dns-01-challenge Let's Encrypt DNS-01 challenge. +=> https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks Certbot manual on pre and post validation hooks. +=> https://mailinabox.email Mail-in-a-Box. Self hosting mail server. + +=> /posts/letsencrypt/ Let's Encrypt - Read More Posts. + +I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to. + +=> mailto:david@davidtsadler.com Email david@davidtsadler.com + +### License + +=> https://creativecommons.org/licenses/by-sa/4.0/ The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. + +Copyright © 2021 David T. Sadler. + +=> / Return to Homepage. diff --git a/gemini/posts/letsencrypt/index.gmi b/gemini/posts/letsencrypt/index.gmi index fe64dd0..e1d1d53 100644 --- a/gemini/posts/letsencrypt/index.gmi +++ b/gemini/posts/letsencrypt/index.gmi 
@@ -1,5 +1,6 @@ # The Home of David T. Sadler - All Posts About Let's Encrypt +=> /posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/ 2021-05-28 - Pre and Post Validation Hooks with Certbot => /posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/ 2021-05-27 - Wildcard Certificates with Let's Encrypt ### License |
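Review bot: in the new post's auth and cleanup scripts, `--user $EMAIL:$PASSWORD` is unquoted, so a password containing spaces (as the placeholder `PASSWORD='super strong password'` does) is word-split and curl is handed a truncated credential; it should read `--user "$EMAIL:$PASSWORD"`. Because the scripts run unattended from cron, the Mail-in-a-Box admin credentials also sit both in the script file and on the curl command line, where other local users can read them from the process list; keeping them in a mode 0600 netrc file passed with `--netrc-file` (or a `-K` config file) avoids the command-line exposure, and the scripts themselves should not be world-readable. Both curl calls use `-s` without `--fail`, so an HTTP error from the DNS API still exits 0 and certbot goes on to a validation that cannot pass; `--fail` (plus `set -e`) makes the hook report the problem so certbot aborts with a useful message. The cron line's trailing `> /dev/null 2>&1` then discards the errors that `-q` would otherwise print, so a renewal that keeps failing goes unnoticed; redirecting stderr to a log file, or letting cron mail it, is worth adding to the post.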
