mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 01:41:14 -06:00
a83eaa8b6d
Add a script to use as a certbot hook for satisfying the dns-01 challenge. It will be used during testing, and may be useful or instructive for users of FreeIPA. It is installed as part of the freeipa-client package under /usr/libexec/ipa/acme. Future ACME-related scripts can be added in the same place. Part of: https://pagure.io/freeipa/issue/4751 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
51 lines
1.3 KiB
Python
Executable File
51 lines
1.3 KiB
Python
Executable File
#!/usr/bin/python3
|
|
#
|
|
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
"""
|
|
This script can be used with Certbot to satisfy dns-01 challenges.
|
|
FreeIPA integrated DNS is required.
|
|
|
|
This script can be used for both --manual-auth-hook and
|
|
--manual-cleanup-hook. It not intended to be used in other
|
|
contexts.
|
|
|
|
Kerberos credentials are required. The principal must have
|
|
permission to add and delete DNS records via the dnsrecord_add and
|
|
dnsrecord_del commands.
|
|
|
|
"""
|
|
|
|
import os
|
|
import sys
|
|
|
|
from dns import resolver
|
|
from ipalib import api, errors
|
|
from ipapython import dnsutil
|
|
|
|
try:
|
|
certbot_domain = os.environ['CERTBOT_DOMAIN']
|
|
certbot_validation = os.environ['CERTBOT_VALIDATION']
|
|
except KeyError:
|
|
sys.exit("Missing Certbot environment variables.")
|
|
|
|
if 'CERTBOT_AUTH_OUTPUT' in os.environ:
|
|
command = 'dnsrecord_del'
|
|
else:
|
|
command = 'dnsrecord_add'
|
|
|
|
validation_domain = f'_acme-challenge.{certbot_domain}'
|
|
fqdn = dnsutil.DNSName(validation_domain).make_absolute()
|
|
zone = dnsutil.DNSName(resolver.zone_for_name(fqdn))
|
|
name = fqdn.relativize(zone)
|
|
|
|
try:
|
|
api.bootstrap(context='cli')
|
|
api.finalize()
|
|
api.Backend.rpcclient.connect()
|
|
except errors.CCacheError as e:
|
|
sys.exit(e)
|
|
|
|
api.Command[command](zone, name, txtrecord=[certbot_validation], dnsttl=60)
|