@gaoyifan
Last active August 2, 2023 20:04
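#!/usr/bin/env bash
# require: git version > 2.3
# require: `db/letsencrypt` existed in git repo

# certbot passes the domain and the challenge token to manual hooks via the environment
if [[ -z "$CERTBOT_DOMAIN" ]] || [[ -z "$CERTBOT_VALIDATION" ]]; then
    echo '$CERTBOT_DOMAIN and $CERTBOT_VALIDATION environment variables required.' >&2
    exit 1
fi

source /etc/letsencrypt/dns-auth.conf
BIND_DB=${BIND_DB:-"db/letsencrypt"}

# NOTE: StrictHostKeyChecking=no disables SSH host key verification, so the push
# is not protected against a man-in-the-middle. Pinning the host key in
# known_hosts (or using accept-new on OpenSSH >= 7.6) avoids that.
export GIT_SSH_COMMAND="ssh -i $DNSAUTH_SSH_KEY -o StrictHostKeyChecking=no"

if [[ ! -d "$DNSAUTH_GIT_PATH" ]]; then
    git clone "$DNSAUTH_GIT_UPSTREAM" "$DNSAUTH_GIT_PATH" || exit 1
fi
# Abort if cd fails so the hard reset below never runs in another directory
cd "$DNSAUTH_GIT_PATH" || exit 1
git fetch --prune origin master
git reset --hard origin/master

# CERTBOT_AUTH_OUTPUT holds the auth hook's stdout and is only set for the cleanup hook
if [[ -z "$CERTBOT_AUTH_OUTPUT" ]]; then
    # Auth: publish the challenge token as a TXT record
    echo "_acme-challenge.${CERTBOT_DOMAIN}. 60 IN TXT \"${CERTBOT_VALIDATION}\"" >> "$BIND_DB"
    git add "$BIND_DB"
    git commit -m "Add _acme-challenge.$CERTBOT_DOMAIN"
    git push origin master || exit 1
    # Wait for the DNS servers to serve the new record before certbot continues
    sleep 25
else
    # Cleanup: delete only this domain's challenge records (dots escaped so they match literally)
    escaped_domain=${CERTBOT_DOMAIN//./\\.}
    sed -i "/^_acme-challenge\.${escaped_domain}\. /d" "$BIND_DB"
    git add "$BIND_DB"
    git commit -m "Drop _acme-challenge.$CERTBOT_DOMAIN"
    git push origin master || exit 1
fi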

# Request the certificate; the same script serves as auth hook and cleanup hook
certbot certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --preferred-challenges dns \
    --email ssl@example.com \
    --manual \
    --manual-auth-hook /etc/letsencrypt/certbot-auth-hook.sh \
    --manual-cleanup-hook /etc/letsencrypt/certbot-auth-hook.sh \
    --manual-public-ip-logging-ok \
    --domain example.com \
    --domain '*.example.com'
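
# /etc/letsencrypt/dns-auth.conf, sourced by the hook script
# SSH private key with push access to the DNS repository; keep it readable by the certbot user only
DNSAUTH_SSH_KEY=/etc/letsencrypt/dnsauth-key
# Git repository that holds the BIND zone data
DNSAUTH_GIT_UPSTREAM=git@github.com:xxx/xxx.git
# Local working copy of that repository
DNSAUTH_GIT_PATH=/etc/letsencrypt/dnsauth-repo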