diff --git a/Dockerfile b/Dockerfile
index 6d15830..ce6e588 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -116,6 +116,7 @@ RUN \
 certbot-dns-dnspod \
 certbot-dns-do \
 certbot-dns-domeneshop \
+ certbot-dns-duckdns \
 certbot-dns-dynu \
 certbot-dns-gehirn \
 certbot-dns-godaddy \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 0ad798f..b810c43 100755
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -116,6 +116,7 @@ RUN \
 certbot-dns-dnspod \
 certbot-dns-do \
 certbot-dns-domeneshop \
+ certbot-dns-duckdns \
 certbot-dns-dynu \
 certbot-dns-gehirn \
 certbot-dns-godaddy \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index 50f0fc6..92c2a25 100755
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -116,6 +116,7 @@ RUN \
 certbot-dns-dnspod \
 certbot-dns-do \
 certbot-dns-domeneshop \
+ certbot-dns-duckdns \
 certbot-dns-dynu \
 certbot-dns-gehirn \
 certbot-dns-godaddy \
diff --git a/README.md b/README.md
index 9f3fbee..b400d19 100755
--- a/README.md
+++ b/README.md
@@ -336,7 +336,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
-* **06.10.22:** - Update cpanel and gandi dns plugin handling. Minor adjustments to init logic.
+* **06.10.22:** - Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic.
 * **05.10.22:** - Use certbot file hooks instead of command line hooks
 * **04.10.22:** - Add godaddy and porkbun dns plugins.
 * **03.10.22:** - Add default_server back to default site conf's https listen.
diff --git a/readme-vars.yml b/readme-vars.yml
index 2571e0a..4e8b7c5 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -156,7 +156,7 @@ app_setup_nginx_reverse_proxy_block: ""
 # changelog
 changelogs:
- - { date: "06.10.22:", desc: "Update cpanel and gandi dns plugin handling. Minor adjustments to init logic." }
+ - { date: "06.10.22:", desc: "Switch to certbot-dns-duckdns. Update cpanel and gandi dns plugin handling. Minor adjustments to init logic." }
 - { date: "05.10.22:", desc: "Use certbot file hooks instead of command line hooks" }
 - { date: "04.10.22:", desc: "Add godaddy and porkbun dns plugins." }
 - { date: "03.10.22:", desc: "Add default_server back to default site conf's https listen." }
diff --git a/root/app/duckdns-txt b/root/app/duckdns-txt
deleted file mode 100644
index 9630c4c..0000000
--- a/root/app/duckdns-txt
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-. /config/.donoteditthisfile.conf
-
-curl https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN}\&token=${ORIGDUCKDNSTOKEN}\&txt=${CERTBOT_VALIDATION}
-
-echo "sleeping 60"
-sleep 60
diff --git a/root/defaults/dns-conf/duckdns.ini b/root/defaults/dns-conf/duckdns.ini
new file mode 100644
index 0000000..f0f1508
--- /dev/null
+++ b/root/defaults/dns-conf/duckdns.ini
@@ -0,0 +1,3 @@
+# Instructions: https://github.com/infinityofspace/certbot_dns_duckdns#credentials-file-or-cli-parameters
+# Replace with your API token from your duckdns account.
+dns_duckdns_token=
diff --git a/root/etc/cont-init.d/50-certbot b/root/etc/cont-init.d/50-certbot
index e513111..7c0e7ec 100644
--- a/root/etc/cont-init.d/50-certbot
+++ b/root/etc/cont-init.d/50-certbot
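Review bot: The new duckdns.ini template will hold the DuckDNS API token in plaintext, and nothing in this diff shows the copied /config/dns-conf/duckdns.ini being restricted to owner-only permissions, so that is presumably handled (or not) by the defaults copy step elsewhere in the init scripts. certbot's DNS plugins normally warn when a credentials file is readable by others, so if that copy step does not already restrict the mode it is worth doing there. A one-line comment in the template would also help users who edit it by hand: `# Keep this file readable only by the container user; it contains a secret.`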
@@ -23,7 +23,7 @@ for i in "${SANED_VARS[@]}"; do
 done
 # check to make sure DNSPLUGIN is selected if dns validation is used
-if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
+if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
 echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
 sleep infinity
 fi
@@ -50,7 +50,7 @@ if [ -f "/config/donoteditthisfile.conf" ]; then
 mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
 fi
 if [ ! -f "/config/.donoteditthisfile.conf" ]; then
-echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
+echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
 echo "Created .donoteditthisfile.conf"
 fi
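Review bot: The first-run write of .donoteditthisfile.conf in the second hunk here still records the raw `$VALIDATION` value, but the duckdns-to-dns translation that the commit adds further down (the hunk at line 64) runs only after this write, so a fresh container started with VALIDATION=duckdns stores `ORIGVALIDATION="duckdns"` while the in-memory value becomes `dns`. If that file is sourced before the "checking for changes in cert variables" comparison later in this script (the deleted hook shows it is sourced elsewhere, but the sourcing point is not in this diff), the first run would take the revoke-and-recreate path with no certificate present; moving the translation block above this write avoids the mismatch. Containers upgrading from the old hook will also carry `ORIGVALIDATION="duckdns"` and an empty ORIGDNSPLUGIN, so they will revoke and reissue once; a short comment saying that this is expected would save support questions. The enclosing if/fi blocks of both hunks start before the hunk.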
@@ -64,6 +64,25 @@ if [ -z "$VALIDATION" ]; then
 echo "VALIDATION parameter not set; setting it to http"
 fi
+# set duckdns validation to dns
+if [ "$VALIDATION" = "duckdns" ]; then
+ VALIDATION="dns"
+ DNSPLUGIN="duckdns"
+ if [ -n "$DUCKDNSTOKEN" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini;then
+ sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
+ fi
+fi
+if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then
+ if [ "$SUBDOMAINS" = "wildcard" ]; then
+ echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
+ export ONLY_SUBDOMAINS=true
+ else
+ echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
+ export SUBDOMAINS=""
+ fi
+ export EXTRA_DOMAINS=""
+fi
+
 # if zerossl is selected or staging is set to true, use the relevant server
 if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
 echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
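Review bot: `$DUCKDNSTOKEN` is interpolated into both a grep regex and a sed script in the new token-sync block, so a value containing `|`, `&`, `\`, `.` or a newline is treated as pattern or sed syntax rather than as data; `|` is the substitution delimiter and `&` expands to the match, which silently corrupts the credentials file or makes the idempotency check pass or fail incorrectly. The check should compare a fixed string on the whole line, `if [ -n "$DUCKDNSTOKEN" ] && ! grep -qxF -- "dns_duckdns_token=${DUCKDNSTOKEN}" /config/dns-conf/duckdns.ini; then`, and the write should not pass the token through a sed script at all (for example escape the sed-special characters first, or reject a token that does not match the expected shape with a clear message before this point, in the same style as the DNSPLUGIN check above). The `g` flag on the substitution is a no-op since the pattern is anchored with `^`. Note that grep on a missing duckdns.ini returns non-zero and the script then runs sed on the absent file; whether the defaults copy guarantees the file exists by this point is not visible in this diff.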
@@ -142,7 +161,7 @@ if [ "$VALIDATION" = "dns" ]; then
 elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
 if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
 PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-elif [[ "$DNSPLUGIN" =~ ^(aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
+elif [[ "$DNSPLUGIN" =~ ^(aliyun|cpanel|desec|dnspod|do|domeneshop|duckdns|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
 if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
 PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
 elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
@@ -159,17 +178,6 @@ if [ "$VALIDATION" = "dns" ]; then
 elif [ "$VALIDATION" = "tls-sni" ]; then
 PREFCHAL="--standalone --preferred-challenges http"
 echo "*****tls-sni validation has been deprecated, attempting http validation instead"
-elif [ "$VALIDATION" = "duckdns" ]; then
- PREFCHAL="--manual --preferred-challenges dns --manual-auth-hook /app/duckdns-txt"
- chmod +x /app/duckdns-txt
- echo "duckdns validation is selected"
- if [ "$SUBDOMAINS" = "wildcard" ]; then
- echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
- export URL_REAL="-d *.${URL}"
- else
- echo "the resulting certificate will only cover the main domain due to a limitation of duckdns, ie. subdomain.duckdns.org"
- export URL_REAL="-d ${URL}"
- fi
 else
 PREFCHAL="--standalone --preferred-challenges http"
 echo "http validation is selected"
@@ -189,7 +197,7 @@ rm -rf /config/keys/cert.key
 ln -s ./letsencrypt/privkey.pem /config/keys/cert.key
 # checking for changes in cert variables, revoking certs if necessary
-if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$DUCKDNSTOKEN" = "$ORIGDUCKDNSTOKEN" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
+if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
 echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
 if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
 ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
@@ -217,7 +225,7 @@ if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "
 fi
 # saving new variables
-echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGDUCKDNSTOKEN=\"$DUCKDNSTOKEN\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
+echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
 # alter extension for error message
 if [ "$DNSPLUGIN" = "google" ]; then
@@ -255,8 +263,6 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
 if [ ! -d /config/keys/letsencrypt ]; then
 if [ "$VALIDATION" = "dns" ]; then
 echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
-elif [ "$VALIDATION" = "duckdns" ]; then
- echo "ERROR: Cert does not exist! Please see the validation error above. Make sure your DUCKDNSTOKEN is correct."
 else
 echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
 fi