Hook for letsencrypt.sh to do DNS challenges
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| require 'aws-sdk' | |
| require 'pry' | |
| require 'awesome_print' | |
| # ------------------------------------------------------------------------------ | |
| # Credentials | |
| # ------------------------------------------------------------------------------ | |
| # pick up AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY by default from | |
| # environment | |
| Aws.config.update({ | |
| region: 'us-west-2', | |
| }) | |
| # ------------------------------------------------------------------------------ | |
| def setup_dns(domain, txt_challenge) | |
| route53 = Aws::Route53::Client.new() | |
| hosted_zone = route53.list_hosted_zones_by_name( | |
| {dns_name: "#{domain}."}).hosted_zones[0] | |
| changes = [] | |
| changes << { | |
| action: "UPSERT", | |
| resource_record_set: { | |
| name: "_acme-challenge.#{domain}.", | |
| type: "TXT", | |
| ttl: 60, | |
| resource_records: [ | |
| value: "\"#{txt_challenge}\"", | |
| ], | |
| }, | |
| } | |
| resp = route53.change_resource_record_sets({ | |
| hosted_zone_id: hosted_zone.id, | |
| change_batch: { | |
| changes: changes, | |
| }, | |
| }) | |
| ap resp | |
| sleep 10 | |
| end | |
| def delete_dns(domain, txt_challenge) | |
| route53 = Aws::Route53::Client.new() | |
| hosted_zone = route53.list_hosted_zones_by_name( | |
| {dns_name: "#{domain}."}).hosted_zones[0] | |
| changes = [] | |
| changes << { | |
| action: "DELETE", | |
| resource_record_set: { | |
| name: "_acme-challenge.#{domain}.", | |
| type: "TXT", | |
| ttl: 60, | |
| resource_records: [ | |
| value: "\"#{txt_challenge}\"", | |
| ], | |
| }, | |
| } | |
| resp = route53.change_resource_record_sets({ | |
| hosted_zone_id: hosted_zone.id, | |
| change_batch: { | |
| changes: changes, | |
| }, | |
| }) | |
| ap resp | |
| sleep 10 | |
| end | |
| if __FILE__ == $0 | |
| hook_stage = ARGV[0] | |
| domain = ARGV[1] | |
| txt_challenge = ARGV[3] | |
| puts hook_stage | |
| puts domain | |
| puts txt_challenge | |
| if hook_stage == "deploy_challenge" | |
| setup_dns(domain, txt_challenge) | |
| elsif hook_stage == "clean_challenge" | |
| delete_dns(domain, txt_challenge) | |
| end | |
| end |
I updated your gist in my fork to allow for subdomains.
Tried this hook with letsencrypt.sh. Looks like there is an issue when it runs with the latest version of awesome_print(1.7.0).
Throws error: awesome_print-1.7.0/lib/awesome_print/formatter.rb:122:in method': undefined methodto_hash' for class `Seahorse::Client::Response'
It works fine with awesome_print-1.6.1. Thanks.
Seems like 10 seconds is not enough time to propagate DNS txt record.
I increased that and all is well.
Thanks much for this code!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This script works great if you are trying to issue a certificate for your hosted zone exactly (e.g. my hosted zone in AWS is example.net and I want a certificate for example.net) but it fails if you want a certificate for a subdomain (e.g. sub.example.net).
The problem is on lines 19 and 45 where it uses the domain name to search for the hosted zone. As a quick patch I just hardcoded the zone I needed and it worked great. Thanks.