From 3fb6e3f54dadb3650cea1ce29beaba8704712b4c Mon Sep 17 00:00:00 2001
From: Eric Nemchik <eric@nemchik.com>
Date: Thu, 6 Oct 2022 14:58:47 +0000
Subject: [PATCH] Update cpanel and gandi dns plugin handling. Minor
 adjustments to init logic.

---
 README.md                             |  1 +
 readme-vars.yml                       |  1 +
 root/defaults/dns-conf/cpanel.ini     |  6 +++---
 root/defaults/dns-conf/gandi.ini      |  6 +++++-
 root/defaults/dns-conf/infomaniak.ini |  2 +-
 root/etc/cont-init.d/50-certbot       | 26 ++++++++++++--------------
 6 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 697c592..9f3fbee 100755
--- a/README.md
+++ b/README.md
@@ -336,6 +336,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **06.10.22:** - Update cpanel and gandi dns plugin handling. Minor adjustments to init logic.
 * **05.10.22:** - Use certbot file hooks instead of command line hooks
 * **04.10.22:** - Add godaddy and porkbun dns plugins.
 * **03.10.22:** - Add default_server back to default site conf's https listen.
diff --git a/readme-vars.yml b/readme-vars.yml
index cfd7bef..2571e0a 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -156,6 +156,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "06.10.22:", desc: "Update cpanel and gandi dns plugin handling. Minor adjustments to init logic." }
   - { date: "05.10.22:", desc: "Use certbot file hooks instead of command line hooks" }
   - { date: "04.10.22:", desc: "Add godaddy and porkbun dns plugins." }
   - { date: "03.10.22:", desc: "Add default_server back to default site conf's https listen." }
diff --git a/root/defaults/dns-conf/cpanel.ini b/root/defaults/dns-conf/cpanel.ini
index 2c2742b..ebe9ba1 100644
--- a/root/defaults/dns-conf/cpanel.ini
+++ b/root/defaults/dns-conf/cpanel.ini
@@ -1,6 +1,6 @@
 # Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials
 # Replace with your values
 # include the scheme and the port number (usually 2083 for https)
-certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
-certbot_dns_cpanel:cpanel_username = username
-certbot_dns_cpanel:cpanel_password = 1234567890abcdef
+dns_cpanel_url = https://cpanel.example.com:2083
+dns_cpanel_username = username
+dns_cpanel_password = 1234567890abcdef
diff --git a/root/defaults/dns-conf/gandi.ini b/root/defaults/dns-conf/gandi.ini
index a5c04b3..8f5d596 100644
--- a/root/defaults/dns-conf/gandi.ini
+++ b/root/defaults/dns-conf/gandi.ini
@@ -1,3 +1,7 @@
 # Instructions: https://github.com/obynio/certbot-plugin-gandi#usage
 # Replace with your value
-certbot_plugin_gandi:dns_api_key=APIKEY
+# live dns v5 api key
+dns_gandi_api_key=APIKEY
+
+# optional organization id, remove it if not used
+#dns_gandi_sharing_id=SHARINGID
diff --git a/root/defaults/dns-conf/infomaniak.ini b/root/defaults/dns-conf/infomaniak.ini
index 039d261..8b8b828 100644
--- a/root/defaults/dns-conf/infomaniak.ini
+++ b/root/defaults/dns-conf/infomaniak.ini
@@ -1,3 +1,3 @@
- Instructions: https://github.com/Infomaniak/certbot-dns-infomaniak#via-ini-file
+# Instructions: https://github.com/Infomaniak/certbot-dns-infomaniak#via-ini-file
 # Replace with your values
 dns_infomaniak_token = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
diff --git a/root/etc/cont-init.d/50-certbot b/root/etc/cont-init.d/50-certbot
index 83b842c..e513111 100644
--- a/root/etc/cont-init.d/50-certbot
+++ b/root/etc/cont-init.d/50-certbot
@@ -34,9 +34,11 @@ chown -R abc:abc /config/dns-conf
 
 # update plugin names in dns conf inis
 sed -i 's|^certbot_dns_aliyun:||g' /config/dns-conf/aliyun.ini
+sed -i 's|^certbot_dns_cpanel:|dns_|g' /config/dns-conf/cpanel.ini
 sed -i 's|^certbot_dns_domeneshop:||g' /config/dns-conf/domeneshop.ini
 sed -i 's|^certbot_dns_inwx:||g' /config/dns-conf/inwx.ini
 sed -i 's|^certbot_dns_transip:||g' /config/dns-conf/transip.ini
+sed -i 's|^certbot_plugin_gandi:dns_|dns_gandi_|g' /config/dns-conf/gandi.ini
 
 # copy default renewal hooks
 chmod -R +x /defaults/etc/letsencrypt/renewal-hooks
@@ -134,16 +136,13 @@ if [ "$VALIDATION" = "dns" ]; then
     if [ "$DNSPLUGIN" = "route53" ]; then
         if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(cpanel)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
-        PREFCHAL="-a certbot-dns-${DNSPLUGIN}:${DNSPLUGIN} --certbot-dns-${DNSPLUGIN}:${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(gandi)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then echo "Gandi dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a certbot-plugin-${DNSPLUGIN}:dns --certbot-plugin-${DNSPLUGIN}:dns-credentials /config/dns-conf/${DNSPLUGIN}.ini"
+    elif [[ "$DNSPLUGIN" =~ ^(azure|gandi)$ ]]; then
+        if [ -n "$PROPAGATION" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
+        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
     elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
         if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(aliyun|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
+    elif [[ "$DNSPLUGIN" =~ ^(aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
         if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
     elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
@@ -152,19 +151,16 @@ if [ "$VALIDATION" = "dns" ]; then
     elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
         if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(azure)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then echo "Azure dns plugin does not support setting propagation time"; fi
-        PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
     else
         if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
     fi
     echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
 elif [ "$VALIDATION" = "tls-sni" ]; then
-    PREFCHAL="--non-interactive --standalone --preferred-challenges http"
+    PREFCHAL="--standalone --preferred-challenges http"
     echo "*****tls-sni validation has been deprecated, attempting http validation instead"
 elif [ "$VALIDATION" = "duckdns" ]; then
-    PREFCHAL="--non-interactive --manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
+    PREFCHAL="--manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
     chmod +x /app/duckdns-txt
     echo "duckdns validation is selected"
     if [ "$SUBDOMAINS" = "wildcard" ]; then
@@ -175,7 +171,7 @@ elif [ "$VALIDATION" = "duckdns" ]; then
         export URL_REAL="-d ${URL}"
     fi
 else
-    PREFCHAL="--non-interactive --standalone --preferred-challenges http"
+    PREFCHAL="--standalone --preferred-challenges http"
     echo "http validation is selected"
 fi
 
@@ -234,7 +230,9 @@ fi
 if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
     echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
     REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-    certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+    fi
     rm -rf /config/etc/letsencrypt/{archive,live,renewal}
 fi