From d37759c0f2dd5a5ddcc38da0e29be134bceb7baa Mon Sep 17 00:00:00 2001 From: "David T. Sadler" Date: Fri, 28 May 2021 22:46:32 +0100 Subject: Pre and Post Validation Hooks with Certbot --- gemini/index.gmi | 1 + .../index.gmi | 66 ++++++++++++++++++++++ gemini/posts/letsencrypt/index.gmi | 1 + www/index.html | 2 +- www/posts/atom.xml | 25 +++++++- .../index.html | 40 +++++++++++++ www/posts/letsencrypt/atom.xml | 25 +++++++- www/posts/letsencrypt/index.html | 2 +- www/sitemap.xml | 4 ++ 9 files changed, 162 insertions(+), 4 deletions(-) create mode 100644 gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi create mode 100644 www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html diff --git a/gemini/index.gmi b/gemini/index.gmi index cf562cf..2e71726 100644 --- a/gemini/index.gmi +++ b/gemini/index.gmi @@ -4,6 +4,7 @@ Hello and welcome to my little bit of the internet where I occasionally write ab ## Latest Posts +=> /posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/ 2021-05-28 - Pre and Post Validation Hooks with Certbot => /posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/ 2021-05-27 - Wildcard Certificates with Let's Encrypt => /posts/nextcloud/2021-02-15/accessing-nextcloud-with-webdav-on-arch/ 2021-02-15 - Accessing Nextcloud With WebDAV on Arch => /posts/gemini/2021-02-08/how-to-host-your-own-gemini-site-in-the-cloud/ 2021-02-08 - How to Host Your Own Gemini Site in the Cloud diff --git a/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi b/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi new file mode 100644 index 0000000..6db784c --- /dev/null +++ b/gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi 
@@ -0,0 +1,66 @@ +# Pre and Post Validation Hooks with Certbot + +> Fri 28th May 2021 By David T. Sadler. + +I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires. + +Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain. + +Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook. + +Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server. + +When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated. + +The auth script is shown below. 
+ +```bash +#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25 +``` + +Below is the cleanup script. + +```bash +#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt +``` + +With these scripts I can setup the below cron job to call certbot. + +``` +0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh > /dev/null 2>&1 +``` + +### Links + +=> https://letsencrypt.org/docs/challenge-types/#dns-01-challenge Let's Encrypt DNS-01 challenge. +=> https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks Certbot manual on pre and post validation hooks. +=> https://mailinabox.email Mail-in-a-Box. Self hosting mail server. + +=> /posts/letsencrypt/ Let's Encrypt - Read More Posts. + +I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to. + +=> mailto:david@davidtsadler.com Email david@davidtsadler.com + +### License + +=> https://creativecommons.org/licenses/by-sa/4.0/ The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. + +Copyright © 2021 David T. Sadler. + +=> / Return to Homepage. diff --git a/gemini/posts/letsencrypt/index.gmi b/gemini/posts/letsencrypt/index.gmi index fe64dd0..e1d1d53 100644 --- a/gemini/posts/letsencrypt/index.gmi +++ b/gemini/posts/letsencrypt/index.gmi 
@@ -1,5 +1,6 @@ # The Home of David T. Sadler - All Posts About Let's Encrypt +=> /posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/ 2021-05-28 - Pre and Post Validation Hooks with Certbot => /posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/ 2021-05-27 - Wildcard Certificates with Let's Encrypt ### License diff --git a/www/index.html b/www/index.html index 19b0305..a104a2b 100644 --- a/www/index.html +++ b/www/index.html @@ -18,7 +18,7 @@ -

The Home of David T. Sadler

Hello and welcome to my little bit of the internet where I occasionally write about things that interest me. You might find my posts interesting or you might not and that's okay.

Latest Posts

2021-05-27 - Wildcard Certificates with Let's Encrypt2021-02-15 - Accessing Nextcloud With WebDAV on Arch2021-02-08 - How to Host Your Own Gemini Site in the Cloud2021-01-18 - Installing PHP 8 for Windows 102020-12-21 - Installing Laravel Homestead in Arch Linux2020-12-14 - SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed2020-09-07 - Installing Zsh and Powerlevel10k on Arch Linux2020-08-31 - Enabling Audio in Arch Linux2020-08-24 - Pacman Cheat Sheet For Ubuntu Users2020-08-17 - Installing ST, DMENU and DWM in Arch Linux2020-07-13 - Sudo: sorry, you must have a tty to run sudo2020-06-22 - Granting Sudo Access to a User in Arch Linux2020-06-15 - Adding a User in Arch Linux2020-06-08 - Publishing Jigsaw Posts With Netlify Build Hooks2020-06-01 - Scheduling Posts in Jigsaw2020-05-25 - Installing Arch Linux on a Thinkpad X2202020-03-30 - Creating an Ebook With Markdown

All Posts

Post Archive

Tags

ArchGeminiJigsawLaravelLet's EncryptLinuxMarkdownNetlifyNextcloudPHP

Where to Find Me

GitHubGemini SiteEmail david@davidtsadler.com

License

The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Copyright © 2021 David T. Sadler.

+

The Home of David T. Sadler

Hello and welcome to my little bit of the internet where I occasionally write about things that interest me. You might find my posts interesting or you might not and that's okay.

Latest Posts

2021-05-28 - Pre and Post Validation Hooks with Certbot2021-05-27 - Wildcard Certificates with Let's Encrypt2021-02-15 - Accessing Nextcloud With WebDAV on Arch2021-02-08 - How to Host Your Own Gemini Site in the Cloud2021-01-18 - Installing PHP 8 for Windows 102020-12-21 - Installing Laravel Homestead in Arch Linux2020-12-14 - SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed2020-09-07 - Installing Zsh and Powerlevel10k on Arch Linux2020-08-31 - Enabling Audio in Arch Linux2020-08-24 - Pacman Cheat Sheet For Ubuntu Users2020-08-17 - Installing ST, DMENU and DWM in Arch Linux2020-07-13 - Sudo: sorry, you must have a tty to run sudo2020-06-22 - Granting Sudo Access to a User in Arch Linux2020-06-15 - Adding a User in Arch Linux2020-06-08 - Publishing Jigsaw Posts With Netlify Build Hooks2020-06-01 - Scheduling Posts in Jigsaw2020-05-25 - Installing Arch Linux on a Thinkpad X2202020-03-30 - Creating an Ebook With Markdown

All Posts

Post Archive

Tags

ArchGeminiJigsawLaravelLet's EncryptLinuxMarkdownNetlifyNextcloudPHP

Where to Find Me

GitHubGemini SiteEmail david@davidtsadler.com

License

The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Copyright © 2021 David T. Sadler.

diff --git a/www/posts/atom.xml b/www/posts/atom.xml index 50c6ace..c8a3a38 100644 --- a/www/posts/atom.xml +++ b/www/posts/atom.xml 
@@ -4,8 +4,31 @@ https://davidtsadler.com/posts/atom.xml - 2021-05-27T12:00:00Z + 2021-05-28T12:00:00Z + Pre and Post Validation Hooks with Certbot + https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html + + David T. Sadler. + 2021-05-28T12:00:00Z + 2021-05-28T12:00:00Z + <h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. 
Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25</code></pre><p>Below is the cleanup script.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh &gt; /dev/null 2&gt;&amp;1</pre><h3>Links</h3><a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let's Encrypt DNS-01 challenge.</a><a href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. 
You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a> + Wildcard Certificates with Let's Encrypt https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html diff --git a/www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html b/www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html new file mode 100644 index 0000000..c6560a3 --- /dev/null +++ b/www/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html @@ -0,0 +1,40 @@ + + + + + + Pre and Post Validation Hooks with Certbot + + + + + + + + + + + + + + +

Pre and Post Validation Hooks with Certbot

Fri 28th May 2021 By David T. Sadler.

I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.

Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.

Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.

Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.

When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.

The auth script is shown below.

#!/bin/sh
+
+EMAIL=username@example.com
+PASSWORD='super strong password'
+
+# Create TXT record
+curl -s -X POST -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt
+
+# Make sure the change has time to propagate over to DNS
+sleep 25

Below is the cleanup script.

#!/bin/sh
+
+EMAIL=username@example.com
+PASSWORD='super strong password'
+
+# Delete TXT record
+curl -s -X DELETE -d "$CERTBOT_VALIDATION" --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt

With these scripts I can setup the below cron job to call certbot.

0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh  > /dev/null 2>&1

Links

Let's Encrypt DNS-01 challenge.Certbot manual on pre and post validation hooks.Mail-in-a-Box. Self hosting mail server.Let's Encrypt - Read More Posts.

I don't have comments as I don't want to manage them. You can however contact me at the below address if you want to.

Email david@davidtsadler.com

License

The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Copyright © 2021 David T. Sadler.

Return to Homepage.
+ + + + diff --git a/www/posts/letsencrypt/atom.xml b/www/posts/letsencrypt/atom.xml index 5b6319e..3c27726 100644 --- a/www/posts/letsencrypt/atom.xml +++ b/www/posts/letsencrypt/atom.xml 
@@ -4,8 +4,31 @@ https://davidtsadler.com/posts/letsencrypt/atom.xml - 2021-05-27T12:00:00Z + 2021-05-28T12:00:00Z + Pre and Post Validation Hooks with Certbot + https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html + + David T. Sadler. + 2021-05-28T12:00:00Z + 2021-05-28T12:00:00Z + <h1>Pre and Post Validation Hooks with Certbot</h1><blockquote>Fri 28th May 2021 By David T. Sadler.</blockquote><p>I have a wildcard certificate for the domain davidtsadler.com that was issued by Let's Encrypt and I want to setup a cron job that periodically runs the certbot command to automatically renew it before it expires.</p><p>Now because its a wildcard certificate I have to use the DNS-01 challenge to validate that I control the domain name. Normally certbot is able to handle this validation during the renewing through a plugin that supports a dns provider. By using a plugin certbot is able to add and remove the required TXT dns records. Typically this is done through an API that the dns provider has to allow users to manage their dns entries. By suppling certbot with the credentials for the API a user is proving that they own the domain.</p><p>Since I am using Mail-in-a-Box for my dns there are no plugins available for certbot so instead I can use the pre and post validation hooks. These hooks are paths to scripts that will be called when certbot performs a DNS-01 challenge in manual mode. The pre auth hook is called at the start of the validation and in your script you can perform whatever steps are needed to pass the validation. It is here where you can call an API to add any dns entries. The post cleanup hook is where you can clean up any changes brought about by the auth hook.</p><p>Mail-in-a-Box provides an API for managing dns records that can be called by using curl. So my auth script will add a TXT record that is then removed by the cleanup script. 
Credentials for the API are the email and password of an existing user on the Mail-in-a-Box server.</p><p>When certbot calls the scripts it passes various environment variables so that they can be read by the scripts. Of which CERTBOT_VALIDATION is used to get the value of the TXT record, and CERTBOT_DOMAIN to obtain the domain name that is been validated.</p><p>The auth script is shown below.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Create TXT record +curl -s -X POST -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt + +# Make sure the change has time to propagate over to DNS +sleep 25</code></pre><p>Below is the cleanup script.</p><pre><code class="bash">#!/bin/sh + +EMAIL=username@example.com +PASSWORD='super strong password' + +# Delete TXT record +curl -s -X DELETE -d &quot;$CERTBOT_VALIDATION&quot; --user $EMAIL:$PASSWORD https://examplemailinaboxserver.com/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/txt</code></pre><p>With these scripts I can setup the below cron job to call certbot.</p><pre>0 0 * * * /usr/bin/certbot renew --preferred-challenges=dns -q --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh &gt; /dev/null 2&gt;&amp;1</pre><h3>Links</h3><a href="https://letsencrypt.org/docs/challenge-types/#dns-01-challenge">Let's Encrypt DNS-01 challenge.</a><a href="https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks">Certbot manual on pre and post validation hooks.</a><a href="https://mailinabox.email">Mail-in-a-Box. Self hosting mail server.</a><a href="/posts/letsencrypt/">Let's Encrypt - Read More Posts.</a><p>I don't have comments as I don't want to manage them. 
You can however contact me at the below address if you want to.</p><a href="mailto:david@davidtsadler.com">Email david@davidtsadler.com</a><h3>License</h3><a href="https://creativecommons.org/licenses/by-sa/4.0/">The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.</a><p>Copyright © 2021 David T. Sadler.</p><a href="/">Return to Homepage.</a> + Wildcard Certificates with Let's Encrypt https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html diff --git a/www/posts/letsencrypt/index.html b/www/posts/letsencrypt/index.html index 6b8e7f3..fc4be44 100644 --- a/www/posts/letsencrypt/index.html +++ b/www/posts/letsencrypt/index.html @@ -18,7 +18,7 @@ -

The Home of David T. Sadler - All Posts About Let's Encrypt

2021-05-27 - Wildcard Certificates with Let's Encrypt

License

The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Copyright © 2021 David T. Sadler.

Return to Homepage.
+

The Home of David T. Sadler - All Posts About Let's Encrypt

2021-05-28 - Pre and Post Validation Hooks with Certbot2021-05-27 - Wildcard Certificates with Let's Encrypt

License

The contents of this site is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Copyright © 2021 David T. Sadler.

Return to Homepage.
diff --git a/www/sitemap.xml b/www/sitemap.xml index a1c5af2..13e5880 100644 --- a/www/sitemap.xml +++ b/www/sitemap.xml @@ -1,6 +1,10 @@ + https://davidtsadler.com/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.html + 2021-05-28T12:00:00Z + never + https://davidtsadler.com/posts/letsencrypt/2021-05-27/wildcard-certificates-with-lets-encrypt/index.html 2021-05-27T12:00:00Z never -- cgit v1.2.3-13-gbd6f
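Review bot: In the new gemini/posts/letsencrypt/2021-05-28/pre-and-post-validation-hooks-with-certbot/index.gmi hunk, neither hook checks whether its curl call succeeded. With `-s` and no `--fail`, a rejected login or an API error comes back as an HTML body with exit status 0, the auth script still sleeps 25 seconds and exits cleanly, and certbot goes on to a DNS-01 validation that cannot pass; because the cron line ends in `-q ... > /dev/null 2>&1`, the failed renewal leaves no trace either. Suggest `set -e` at the top of both scripts and `curl -sS --fail ...` so a non-2xx response fails the hook and certbot reports it, and drop the `> /dev/null 2>&1` from the cron entry (with `-q` certbot is already silent on success, so only errors would reach cron mail). Two smaller points in the same hunk: quote the credential as `--user "$EMAIL:$PASSWORD"`, since the example password contains spaces and the unquoted form splits into three arguments; and rather than hardcoding the Mail-in-a-Box admin password in the script (and passing it on the command line, where `--user` is visible to other local users via `ps`), keep it in a root-only file read through curl's `--netrc-file` or `--config` option. The fixed `sleep 25` is also only a guess at propagation time; polling the zone's authoritative nameserver for the `_acme-challenge` TXT value before returning is more robust.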
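Review bot: In the www/posts/atom.xml hunk (and identically in the www/posts/letsencrypt/atom.xml hunk), the new entry's `<content>` carries the whole rendered page, including the "I don't have comments" paragraph, the mailto link, the License heading and the "Return to Homepage." link, so feed readers display site navigation inside the article. Suggest having the generator emit only the post body, up to and including the Links section, into `<content>`. The author name in both entries, "David T. Sadler.", also picks up a trailing full stop from the byline.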