ovh-certbot-dns v0.0.3-a
OVH DNS API Client for Certbot
Certbot plugin to respond to DNS-01 challenges by updating the DNS zone in an OVH account.
Why
There are several use cases for the DNS challenge with Certbot, for example when the server or machine that needs a certificate is not directly reachable from the internet, so the HTTP challenge cannot be used. With the DNS-01 challenge only the DNS zone has to be reachable by the CA, so you can obtain publicly trusted certificates for machines and services in your internal network, behind a firewall or VPN. Other use cases include automating multi-server deployments.
Prerequisites
Node.js and npm (the helper scripts under bin/ are run with node), Certbot, and an OVH account that hosts the DNS zone of the domains you want certificates for.
How to Use
1. Download or clone this repo, then from a terminal enter the directory and install the dependencies:
   cd ovh-certbot-dns
   npm install

2. Get an App Key and App Secret from OVH by registering a new app at OVH Developers: Create App (see First Steps with the API - OVH for more details).

3. Obtain a Consumer Key (also called an Authentication Token) by running the included script in a terminal:
   node bin/authorize.js --endpoint=ovh-eu --app_key=yourappkey --app_secret=yourappsecret
   Replace "yourappkey" and "yourappsecret" with the values you received in the previous step, and pass a different --endpoint if your account is not on "ovh-eu". The script prints a response containing a validation URL:
   { validationUrl: 'https://eu.api.ovh.com/auth/?credentialToken=jed...', consumerKey: '69X...', state: 'pendingValidation' }

4. Visit the validationUrl, log in with the account that owns the DNS zone to be updated, and select a suitable Validity (Unlimited makes sense for a renewal job that has to keep working; pick a short validity when you are only testing). Once validated, the consumerKey you received together with the validationUrl is authorized to access your account. Treat it like a password: together with the App Secret it lets anyone edit the DNS zones of that account, which is enough to obtain certificates for those domains. OVH allows a consumer key request to carry access rules that restrict the key to specific API paths (for example /domain/zone/*); a key limited that way cannot be used for anything but DNS, which is the least privilege this plugin needs.

5. Copy the file .env.example to .env and fill in the values you received from OVH. The default endpoint is ovh-eu. The .env file now holds your credentials, so make it readable only by the user that runs Certbot (for example chmod 600 .env). Note that the hooks are started by Certbot itself, so when Certbot runs under sudo the hooks, and the code they pull in from node_modules, run as root.

6. Now you're ready to set up Certbot. Run the following command:
   sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook '/path/to/ovh-certbot-dns/bin/create-record.js' --manual-cleanup-hook '/path/to/ovh-certbot-dns/bin/delete-record.js' -d www.example.com
   This command waits for up to 60 seconds for the new TXT record to become visible (raise DNS_TIMEOUT in your .env file if your zone takes longer to propagate). If everything goes right, you will get a certificate! It is saved at
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   with the matching private key as privkey.pem in the same directory. You can add it to your webserver configuration or copy it to another server if you need to.

7. Now, automate! Add the line
   @weekly certbot renew --quiet
   to root's crontab (sudo crontab -e). If you're using a webserver like Nginx, the line could be
   @weekly certbot renew --quiet && systemctl restart nginx.service
   Certbot's --deploy-hook option runs its command only when a certificate was actually renewed, so
   @weekly certbot renew --quiet --deploy-hook 'systemctl reload nginx.service'
   avoids restarting Nginx on every weekly run and only reloads it when there is a new certificate to pick up.

NB: certbot renew reuses the options recorded by certbot certonly, including the paths of the two hooks and therefore the .env file next to them, so please do not move or delete the ovh-certbot-dns directory; if you do, every renewal will fail.
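The two hooks above are the whole plugin: the auth hook publishes the challenge token in a TXT record and the cleanup hook removes it. The following is an added example written for this README, not the project's own bin/create-record.js or bin/delete-record.js, showing what that work looks like against the OVH zone API and how a hook waits for propagation (the DNS_TIMEOUT step). It assumes node-ovh's requestPromised(method, path, params) interface and the OVH /domain/zone endpoints; FakeOvh, the resolver stub inside runHooks, and all domain names and tokens are constructed stand-ins so the block runs offline.

```javascript
// Added example, not code from ovh-certbot-dns: the work a Certbot DNS-01 auth hook and
// cleanup hook do against the OVH zone API, as plain functions that run offline.
// Certbot hands the hooks their input in environment variables:
//   CERTBOT_DOMAIN      name being validated, e.g. www.example.com ("*." is stripped for wildcards)
//   CERTBOT_VALIDATION  token that must be published as a TXT record at _acme-challenge.<name>
// `api` is assumed to behave like node-ovh's requestPromised(method, path, params); in
// production it would be require('ovh')({ endpoint, appKey, appSecret, consumerKey }).

// OVH addresses records by zone plus a subDomain prefix ("_acme-challenge.www" in zone
// "example.com"), never by full name. Pick the longest zone the account owns that is a
// suffix of fqdn, so a delegated "dev.example.com" zone wins over "example.com".
function splitDomain(fqdn, zones) {
  const labels = fqdn.replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const zone = labels.slice(i).join('.');
    if (zones.includes(zone)) return { zone, sub: labels.slice(0, i).join('.') };
  }
  throw new Error(`no zone in this OVH account hosts ${fqdn}`);
}

function challengeName(sub) {
  return sub ? `_acme-challenge.${sub}` : '_acme-challenge';
}

// --manual-auth-hook: publish the token, then refresh so the zone is pushed to OVH's nameservers.
async function createRecord(api, fqdn, validation, ttl = 60) {
  const { zone, sub } = splitDomain(fqdn, await api.requestPromised('GET', '/domain/zone'));
  const rec = await api.requestPromised('POST', `/domain/zone/${zone}/record`, {
    fieldType: 'TXT', subDomain: challengeName(sub), target: validation, ttl,
  });
  await api.requestPromised('POST', `/domain/zone/${zone}/refresh`);
  return { zone, id: rec.id, name: `${challengeName(sub)}.${zone}` };
}

// --manual-cleanup-hook: delete only the TXT record(s) carrying this exact token, so a
// parallel run for a sibling name never loses its own challenge record.
async function deleteRecord(api, fqdn, validation) {
  const { zone, sub } = splitDomain(fqdn, await api.requestPromised('GET', '/domain/zone'));
  const ids = await api.requestPromised('GET', `/domain/zone/${zone}/record`, {
    fieldType: 'TXT', subDomain: challengeName(sub),
  });
  let removed = 0;
  for (const id of ids) {
    const rec = await api.requestPromised('GET', `/domain/zone/${zone}/record/${id}`);
    // OVH may echo TXT targets wrapped in double quotes; compare the bare value.
    if (String(rec.target).replace(/^"|"$/g, '') !== validation) continue;
    await api.requestPromised('DELETE', `/domain/zone/${zone}/record/${id}`);
    removed += 1;
  }
  if (removed > 0) await api.requestPromised('POST', `/domain/zone/${zone}/refresh`);
  return removed;
}

// Poll until the TXT value is visible or timeoutMs (the README's DNS_TIMEOUT) elapses.
// resolveTxt is injected; in production use util.promisify on a dns.Resolver pointed at
// the zone's authoritative servers, so a stale local cache cannot report success early.
async function waitForTxt(resolveTxt, name, value, timeoutMs, intervalMs = 5000) {
  const deadline = Date.now() + timeoutMs;
  for (;;) {
    try {
      if ((await resolveTxt(name)).some((chunks) => chunks.join('') === value)) return true;
    } catch (e) { /* NXDOMAIN / NODATA until the record propagates */ }
    if (Date.now() >= deadline) return false;
    await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
}

// Constructed in-memory stand-in for the parts of /domain/zone the hooks touch.
class FakeOvh {
  constructor(zones) { this.zones = zones; this.records = new Map(); this.nextId = 1; this.refreshes = 0; }
  async requestPromised(method, path, params = {}) {
    const m = path.match(/^\/domain\/zone(?:\/([^/]+))?(?:\/(record|refresh))?(?:\/(\d+))?$/);
    if (!m) throw new Error(`unsupported path ${path}`);
    const [, zone, kind, id] = m;
    if (!zone) return this.zones.slice();                                  // GET /domain/zone
    if (!this.zones.includes(zone)) throw new Error('404 zone not found');
    if (kind === 'refresh') { this.refreshes += 1; return null; }
    if (kind === 'record' && method === 'POST') {                         // create a record
      const rec = { id: this.nextId++, zone, ...params };
      this.records.set(rec.id, rec);
      return rec;
    }
    if (kind === 'record' && method === 'GET' && !id) {                   // list matching ids
      return [...this.records.values()]
        .filter((r) => r.zone === zone && (!params.fieldType || r.fieldType === params.fieldType)
                    && (params.subDomain === undefined || r.subDomain === params.subDomain))
        .map((r) => r.id);
    }
    if (kind === 'record' && method === 'GET') return this.records.get(Number(id));
    if (kind === 'record' && method === 'DELETE') { this.records.delete(Number(id)); return null; }
    throw new Error(`unsupported ${method} ${path}`);
  }
}

// Stand-alone run with constructed values; Certbot would supply them through the environment.
// resolveStub stands in for a real resolver and "sees" the record as soon as it is created.
async function runHooks(env, api) {
  const created = await createRecord(api, env.CERTBOT_DOMAIN, env.CERTBOT_VALIDATION);
  const resolveStub = async (name) => (name === created.name ? [[env.CERTBOT_VALIDATION]] : []);
  const visible = await waitForTxt(resolveStub, created.name, env.CERTBOT_VALIDATION, 1000, 10);
  const removed = await deleteRecord(api, env.CERTBOT_DOMAIN, env.CERTBOT_VALIDATION);
  return { created, visible, removed };
}
```

Two points carry over to a real hook: the auth hook must exit non-zero when waitForTxt times out, otherwise Certbot proceeds and the CA sees an empty answer; and the cleanup hook must match on the token, not just the record name, because Certbot runs the hooks once per domain and two names in the same zone can share `_acme-challenge` records during one run.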
See Also
https://github.com/ovh/node-ovh
Author
David Gasperoni
License
MIT