lego/providers/dns/exec/readme.md
Ludovic Fernandez 42941ccea6
Refactor the core of the lib (#700)
- Packages
- Isolate code used by the CLI into the package `cmd`
- (experimental) Add e2e tests for HTTP01, TLS-ALPN-01 and DNS-01, use [Pebble](https://github.com/letsencrypt/pebble) and [challtestsrv](https://github.com/letsencrypt/boulder/tree/master/test/challtestsrv) 
- Support non-ascii domain name (punycode)
- Check all challenges in a predictable order
- No more global exported variables
- Archive revoked certificates
- Fixes revocation for subdomains and non-ascii domains
- Disable pending authorizations
- use pointer for RemoteError/ProblemDetails
- Poll authz URL instead of challenge URL
- The ability for a DNS provider to solve the challenge sequentially
- Check all nameservers in a predictable order
- Option to disable the complete propagation Requirement
- CLI, support for renew with CSR
- CLI, add SAN on renew
- Add command to list certificates.
- Logs every iteration of waiting for the propagation
- update DNSimple client
- update github.com/miekg/dns
2018-12-06 22:50:17 +01:00

Execute an external program

Solving the DNS-01 challenge using an external program.

Description

The file name of the external program is specified in the environment variable EXEC_PATH.

When it is run by lego, three command-line parameters are passed to it: the action ("present" or "cleanup"), the fully-qualified domain name of the record, and the value for the record.

For example, requesting a certificate for the domain 'foo.example.com' can be achieved by calling lego as follows:

EXEC_PATH=./update-dns.sh \
	lego --dns exec \
	--domains foo.example.com \
	--email invalid@example.com run

It will then call the program './update-dns.sh' like this:

./update-dns.sh "present" "_acme-challenge.foo.example.com." "MsijOYZxqyjGnFGwhjrhfg-Xgbl5r68WPda0J9EgqqI"

The program then needs to make sure the record is inserted. When it returns an error via a non-zero exit code, lego aborts.

When the record is to be removed again, the program is called with the first command-line parameter set to cleanup instead of present.

If you want to use the raw domain, token, and keyAuth values with your program, you can set EXEC_MODE=RAW:

EXEC_MODE=RAW \
EXEC_PATH=./update-dns.sh \
	lego --dns exec \
	--domains foo.example.com \
	--email invalid@example.com run

It will then call the program ./update-dns.sh like this:

./update-dns.sh "present" "foo.example.com." "--" "some-token" "KxAy-J3NwUmg9ZQuM-gP_Mq1nStaYSaP9tYQs5_-YsE.ksT-qywTd8058G-SHHWA3RAN72Pr0yWtPYmmY5UBpQ8"

Commands

Present

Mode     Command
default  myprogram present -- <FQDN> <record>
RAW      myprogram present -- <domain> <token> <key_auth>

Cleanup

Mode     Command
default  myprogram cleanup -- <FQDN> <record>
RAW      myprogram cleanup -- <domain> <token> <key_auth>

Timeout

The command has to print the propagation timeout and the polling interval to stdout.

The values must be formatted as JSON, with times in seconds. Example: {"timeout": 30, "interval": 5}

If an error occurs, or if the program does not implement the timeout command, the default propagation timeout and polling interval are used.

Mode     Command
default  myprogram timeout
RAW      myprogram timeout

NOTE

The -- is there because the token MAY start with a -, and the called program could otherwise interpret that leading - as a flag.

In the case of urfave, which is commonly used, the -- delimiter marks the start of positional arguments, so such a string is handled safely.
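As an added example (not lego's own code, and not shipped with the exec provider), here is a complete script that EXEC_PATH could point to. It covers the whole contract described above: the present, cleanup and timeout actions, both the default (<FQDN> <record>) and RAW (<domain> <token> <key_auth>) argument layouts, and the -- separator from the NOTE. Instead of a real DNS API it appends records to a flat file, RECORDS_FILE, which is a constructed stand-in for the zone so the script runs offline. In RAW mode it derives the TXT value itself as base64url(SHA-256(key_auth)) without padding, which is the DNS-01 rule from RFC 8555 section 8.4; the openssl and base64 command-line tools are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of lego: a minimal handler for the exec DNS provider.
# Records are written to RECORDS_FILE (constructed stand-in for a real zone).

RECORDS_FILE="${RECORDS_FILE:-./acme-records.txt}"

# Derive the TXT record name and value from the positional arguments.
# Three arguments means RAW mode (<domain> <token> <key_auth>): the value is
# base64url(SHA-256(key_auth)) as required by ACME DNS-01 (RFC 8555 8.4).
# Two arguments means default mode (<FQDN> <record>): lego did the work.
# Results are left in the globals FQDN and VALUE.
record_from_args() {
    if [ "$#" -eq 3 ]; then
        FQDN="_acme-challenge.${1%.}."
        VALUE=$(printf '%s' "$3" | openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=\n')
    else
        FQDN="$1"
        VALUE="$2"
    fi
}

handle_request() {
    action="$1"
    shift
    # lego inserts "--" so that a token starting with "-" is not read as a flag;
    # drop it and treat everything after it as positional. Works without it too.
    [ "$1" = "--" ] && shift
    case "$action" in
        present)
            record_from_args "$@"
            printf '%s TXT %s\n' "$FQDN" "$VALUE" >> "$RECORDS_FILE"
            ;;
        cleanup)
            record_from_args "$@"
            [ -f "$RECORDS_FILE" ] || return 0
            # Remove exactly the matching line; grep -v exits 1 when nothing is left.
            grep -v -x -F "$FQDN TXT $VALUE" "$RECORDS_FILE" > "$RECORDS_FILE.tmp" || true
            mv "$RECORDS_FILE.tmp" "$RECORDS_FILE"
            ;;
        timeout)
            # Seconds; lego parses this JSON to override its default waits.
            printf '{"timeout": 30, "interval": 5}\n'
            ;;
        *)
            echo "unknown action: $action" >&2
            return 1
            ;;
    esac
}

# Number of copies of a record currently in the file (for checking state).
record_count() {
    [ -f "$RECORDS_FILE" ] || { echo 0; return 0; }
    grep -c -x -F "$1 TXT $2" "$RECORDS_FILE" || true
}

# Dispatch only when invoked with arguments, as lego does; the exit code is the
# signal lego uses to abort on failure.
if [ "$#" -gt 0 ]; then
    handle_request "$@"
    exit $?
fi
```

Invoke it exactly as the README shows (EXEC_PATH=./update-dns.sh lego --dns exec ...); a non-zero exit from handle_request makes lego abort, and an unknown action is rejected rather than silently accepted.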