Hook script for Let's Encrypt (dehydrated)

Hello, I created a small hook script for the bash based ACME/Let’s Encrypt client dehydrated.

The hooks script utilizes the dynv6.com REST API to deploy challenge-response tokens straight to your zone’s DNS records. By solving these DNS-01 challenges, you can prove that you control a given domain without deploying an HTTP response.

This is great for non-web services or certificates that are meant for use with internal services. Also, this gives you the possibility to create valid wild card certificates.

I welcome issues to and pull requests against the repo or any feedback :wink:

You can check it out at: https://github.com/movd/dynv6-dehydrated-hook

@moritz
Thanks for providing the hook script.

I also managed to get it working for a wildcard certificate which includes
*.abc.dynv6.net and abc.dynv6.net

However, the dehydrated script sometimes fails because it could not solve the second challenge.
I can see two TXT records with the acme challenges are placed in the abc.dynv6.net zone.

Any idea why this happens?

This is a bit flaky. I use the hook in combination with a delegated top-level domain. In my cron logs, I see that in January one time, it looked like below. Is this similar to your errors?

 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for abc.mytld.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Hook: Deploying Token to dynv6.com for ""
 + Hook: Sending payload to dynv6.com: {"name":"_acme-challenge","data":"","type":"TXT"}
 + Hook: DNS entry added successfully, waiting for propagation...
 + Responding to challenge for abc.mytld.com authorization...
 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Cleaning challenge tokens...
 + Hook: Environment Variables set from /var/lib/dehydrated/dynv6-dehydrated-hook/.env
 + Hook: Cleaning up challenge responses for ""
 + Hook: Successfully deleted token at dynv6.com
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "No TXT record found at _acme-challenge.abc.mytld.com",
    "status": 403
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/144928045/iVM8uw",
  "token": "obM8cJu-TGzMDoipU_cxV7bsUptZX2zMABKyr7zKZJo"
})

It looks like that somehow dehydrated did not pass the $DOMAIN. $DOMAIN is the first parameter ${2} passed from the ACME client.

The next time around, the whole process worked fine…