Certbot hook to update a DDNS zone using nsupdate
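#!/bin/bash
# Pre- and post-hook for certbot dns-01 to use DDNS (RFC 2136 / nsupdate).
#
# certbot runs this script twice per domain: as the auth hook (CERTBOT_DOMAIN
# and CERTBOT_VALIDATION set, CERTBOT_AUTH_OUTPUT unset) and as the cleanup
# hook (CERTBOT_AUTH_OUTPUT set to whatever the auth run printed). The exit
# status of nsupdate is propagated so certbot aborts instead of polling for a
# challenge record that was never published.
set -u

# Fail early if certbot did not hand us a domain.
: "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN must be set by certbot}"

# Where we put our TSIG for dynamic updates. The key authorises zone changes,
# so the file should be readable only by the user certbot runs as.
readonly TSIG=/etc/letsencrypt/acme.key

# The actual challenge record to use.
readonly RECORD="_acme-challenge.${CERTBOT_DOMAIN}"

#######################################
# Resolve the address of the primary nameserver for the zone holding
# CERTBOT_DOMAIN (the SOA MNAME, 5th column of the SOA line in `host -v`).
# Globals:   CERTBOT_DOMAIN (read)
# Outputs:   one address on stdout
# Returns:   0 on success, 1 if no SOA line / no address was found
#######################################
authoritative_ns() {
  local soa_host addr
  soa_host=$(host -v "$CERTBOT_DOMAIN" | awk '/SOA/ {print $5; exit}')
  [[ -n "$soa_host" ]] || return 1
  # dig may print several addresses; nsupdate's "server" takes exactly one.
  addr=$(dig +short "$soa_host" | head -n 1)
  [[ -n "$addr" ]] || return 1
  printf '%s\n' "$addr"
}

#######################################
# Publish the challenge TXT record with a TTL of 60s.
# Globals:   TSIG, RECORD, CERTBOT_VALIDATION (read)
# Arguments: $1 - nameserver to send the update to
# Returns:   nsupdate's exit status
#######################################
add_challenge() {
  local ns=$1
  : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION must be set in auth mode}"
  # The TXT value is quoted so nsupdate treats it as a single string.
  nsupdate -k "$TSIG" <<EOF
server $ns
update add $RECORD 60 TXT "$CERTBOT_VALIDATION"
send
EOF
}

#######################################
# Remove all existing challenge records (prereq makes a missing record an
# explicit failure rather than a silent no-op).
# Globals:   TSIG, RECORD (read)
# Arguments: $1 - nameserver to send the update to
# Returns:   nsupdate's exit status
#######################################
clean_challenge() {
  local ns=$1
  nsupdate -k "$TSIG" <<EOF
server $ns
prereq yxdomain $RECORD
update delete $RECORD
send
EOF
}

#######################################
# Pick auth or cleanup mode and run the matching update.
# Globals:   CERTBOT_AUTH_OUTPUT, CERTBOT_DOMAIN (read)
# Returns:   exit status of the nsupdate run, 1 if no nameserver was found
#######################################
main() {
  local ns
  ns=$(authoritative_ns) || {
    printf 'Cannot find the authoritative nameserver for %s\n' \
      "$CERTBOT_DOMAIN" >&2
    exit 1
  }
  # certbot sets CERTBOT_AUTH_OUTPUT only when invoking the cleanup hook;
  # the variable must be expanded, a bare name is always non-empty.
  if [[ -z "${CERTBOT_AUTH_OUTPUT:-}" ]]; then
    echo 'Adding challenge records...'
    add_challenge "$ns"
  else
    echo 'Cleaning challenge records...'
    clean_challenge "$ns"
  fi
}

main "$@"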
This is handy when your _acme-challenge record isn't in the same zone as your certificate domain, a scenario the certbot-dns-rfc2136 plugin only recently added support for.