
Merge pull request #341 from philfry/master

nsupdate
neil 8 years ago
parent
commit
29d47c4de2
4 changed files with 116 additions and 0 deletions
  1. 1 0
      README.md
  2. 5 0
      acme.sh
  3. 50 0
      dnsapi/README.md
  4. 60 0
      dnsapi/dns_nsupdate.sh

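--- a/README.md
+++ b/README.md
@@ -256,6 +256,7 @@ You don't have do anything manually!
    (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
 9. LuaDNS.com API
 10. DNSMadeEasy.com API
+11. nsupdate
 
 ##### More APIs are coming soon...
 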
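--- a/acme.sh
+++ b/acme.sh
@@ -3592,6 +3592,11 @@ _initconf() {
 #
 #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
 
+#######################
+#nsupdate:
+#NSUPDATE_KEY=\"/path/to/update.key\"
+#NSUPDATE_SERVER=\"192.168.0.1\"
+
 #######################
 #PowerDNS:
 #PDNS_Url=\"http://ns.example.com:8081\"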
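--- a/dnsapi/README.md
+++ b/dnsapi/README.md
@@ -112,10 +112,60 @@ acme.sh   --issue   --dns dns_pdns   -d example.com  -d www.example.com
 
 The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`.
 
+
 ## Use OVH/kimsufi/soyoustart/runabove API
 
 https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
 
+## Use nsupdate to automatically issue cert
+
+First, generate a key for updating the zone
+```
+b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo)
+cat > /etc/named/keys/update.key <<EOF
+key "update" {
+    algorithm hmac-sha512;
+    secret "$(awk '/^Key/{print $2}' /tmp/$b.private)";
+};
+EOF
+rm -f /tmp/$b.{private,key}
+```
+
+Include this key in your named configuration
+```
+include "/etc/named/keys/update.key";
+```
+
+Next, configure your zone to allow dynamic updates.
+Depending on your named version, use either
+```
+zone "example.com" {
+    type master;
+    allow-update { key "update"; };
+};
+```
+or
+```
+zone "example.com" {
+    type master;
+    update-policy {
+        grant update subdomain example.com.;
+    };
+}
+```
+Finally, make the dns server and update key available to `acme.sh`
+```
+export NSUPDATE_SERVER=dns.example.com
+export NSUPDATE_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
+```
+
+Ok, let's issue cert now:
+```
+acme.sh   --issue   --dns dns_nsupdate   -d example.com  -d www.example.com
+```
+
+The `NSUPDATE_SERVER` and `NSUPDATE_KEY` settings will be saved in `~/.acme.sh/account.conf`.
+
 # Use custom api
 
 If your api is not supported yet,  you can write your own dns api.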
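--- a/dnsapi/dns_nsupdate.sh
+++ b/dnsapi/dns_nsupdate.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env sh
+
+
+########  Public functions #####################
+
+#Usage: dns_nsupdate_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_nsupdate_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _checkKeyFile || return 1
+  [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
+  # save the dns server and key to the account conf file.
+  _saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
+  _saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
+  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  nsupdate -k "${NSUPDATE_KEY}" <<EOF
+server ${NSUPDATE_SERVER}
+update add ${fulldomain}. 60 in txt "${txtvalue}"
+send
+EOF
+  if [ $? -ne 0 ]; then
+    _err "error updating domain"
+    return 1
+  fi
+  
+  return 0
+}
+
+#Usage: dns_nsupdate_rm   _acme-challenge.www.domain.com
+dns_nsupdate_rm() {
+  fulldomain=$1
+  _checkKeyFile || return 1
+  [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
+  _info "removing ${fulldomain}. txt"
+  nsupdate -k "${NSUPDATE_KEY}" <<EOF
+server ${NSUPDATE_SERVER}
+update delete ${fulldomain}. txt
+send
+EOF
+  if [ $? -ne 0 ]; then
+    _err "error updating domain"
+    return 1
+  fi
+
+  return 0
+}
+
+
+####################  Private functions bellow ##################################
+
+_checkKeyFile() {
+  if [ -z "${NSUPDATE_KEY}" ]; then
+    _err "you must specify a path to the nsupdate key file"
+    return 1
+  fi
+  if [ ! -r "${NSUPDATE_KEY}" ]; then
+    _err "key ${NSUPDATE_KEY} is unreadable"
+    return 1
+  fi
+}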
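Review bot: `_checkKeyFile` treats `NSUPDATE_KEY` as the path of a key file (the `-r` test and `nsupdate -k`), and the `_initconf` template in this commit documents it as `/path/to/update.key`, but the dnsapi/README.md added in the same commit tells users to `export NSUPDATE_KEY=aaaa...==`, i.e. the raw TSIG secret; anyone following that page fails the `-r` test and the secret itself is then interpolated into `_err "key ${NSUPDATE_KEY} is unreadable"`, which presumably ends up in the log. I would not echo the value at all, `_err "NSUPDATE_KEY must be the path of a readable nsupdate key file"`, and correct the README example to a file path. A short header comment above the public functions stating that `NSUPDATE_KEY` is a key file path (not the secret) and that `NSUPDATE_SERVER` defaults to `localhost` would document the contract in the file itself. Both `if [ $? -ne 0 ]` blocks can be written as `if ! nsupdate -k "${NSUPDATE_KEY}" <<EOF`, which checks the update's status directly instead of relying on `$?` after the here-doc. Note also that `update delete ${fulldomain}. txt` in `dns_nsupdate_rm` removes every TXT record at that name, not only the one `dns_nsupdate_add` created; that follows from `_rm` receiving only `fulldomain`, and deserves a comment so the behaviour is not mistaken for a bug later.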