Hook script for Let's Encrypt (dehydrated)

Integration in devices/software
#1

Hello, I created a small hook script for the bash based ACME/Let’s Encrypt client dehydrated.

The hooks script utilizes the dynv6.com REST API to deploy challenge-response tokens straight to your zone’s DNS records. By solving these DNS-01 challenges, you can prove that you control a given domain without deploying an HTTP response.

This is great for non-web services or certificates that are meant for use with internal services. Also, this gives you the possibility to create valid wild card certificates.

I welcome issues to and pull requests against the repo or any feedback :wink:

You can check it out at: https://github.com/movd/dynv6-dehydrated-hook

#2

@moritz
Thanks for providing the hook script.

I also managed to get it working for a wildcard certificate which includes
*.abc.dynv6.net and abc.dynv6.net

However, the dehydrated script sometimes fails because it could not solve the second challenge.
I can see two TXT records with the acme challenges are placed in the abc.dynv6.net zone.

Any idea why this happens?

#3

This is a bit flaky. I use the hook in combination with a delegated top-level domain. In my cron logs, I see that in January one time, it looked like below. Is this similar to your errors?

 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for abc.mytld.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Hook: Deploying Token to dynv6.com for ""
 + Hook: Sending payload to dynv6.com: {"name":"_acme-challenge","data":"","type":"TXT"}
 + Hook: DNS entry added successfully, waiting for propagation...
 + Responding to challenge for abc.mytld.com authorization...
 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Cleaning challenge tokens...
 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Hook: Cleaning up challenge responses for ""
 + Hook: Successfully deleted token at dynv6.com
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "No TXT record found at _acme-challenge.abc.mytld.com",
    "status": 403
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/144928045/iVM8uw",
  "token": "obM8cJu-TGzMDoipU_cxV7bsUptZX2zMABKyr7zKZJo"
})

It looks like that somehow dehydrated did not pass the $DOMAIN. $DOMAIN is the first parameter ${2} passed from the ACME client.

The next time around, the whole process worked fine…

#4

Hi there, I would like to use the script, but, after reading the README.md on github, still unsure about a couple of things:

  • do I need 3 files, the hook.sh Script, a config file and an .env file? Or is it only 2? The .env file needs to be placed in the same directory as the shell script, but where does the config file go?

  • which variables need to go into which file? All I know so far is that CA, CHALLENGETYPE and HOOK (as a minimum?) need to go into the config file and DYNV6_TOKEN and DYNV6_ZONEID into the .env file.

Having all the required information and having put everything in the right place, is anything else needed (apart from dnsutils and jq, which I have installed already)? And how do I get the hook - I mean, what is it all about?

Thanks for any help :slight_smile: