From 4289d555629524b62d9da3d1b3b638727e19ab13 Mon Sep 17 00:00:00 2001
From: Jacky
Date: Mon, 25 Mar 2024 23:03:42 +0800
Subject: [PATCH] chore: update lego configs

---
 internal/cert/config/alidns.toml | 2 +-
 internal/cert/config/azuredns.toml | 42 ++++++++++++++++++----------
 internal/cert/config/cpanel.toml | 39 ++++++++++++++++++++++++++
 internal/cert/config/gcloud.toml | 1 +
 internal/cert/config/mailinabox.toml | 24 ++++++++++++++++
 internal/cert/config/pdns.toml | 4 ++-
 internal/cert/config/route53.toml | 2 +-
 internal/cert/config/scaleway.toml | 13 +++++----
 internal/cert/config/shellrent.toml | 24 ++++++++++++++++
 internal/cert/config/webnames.toml | 30 ++++++++++++++++++++
 10 files changed, 158 insertions(+), 23 deletions(-)
 create mode 100644 internal/cert/config/cpanel.toml
 create mode 100644 internal/cert/config/mailinabox.toml
 create mode 100644 internal/cert/config/shellrent.toml
 create mode 100644 internal/cert/config/webnames.toml

diff --git a/internal/cert/config/alidns.toml b/internal/cert/config/alidns.toml
index e7edf1ec..87530744 100644
--- a/internal/cert/config/alidns.toml
+++ b/internal/cert/config/alidns.toml
@@ -29,5 +29,5 @@ lego --email you@example.com --dns alidns --domains my.example.org run
 ALICLOUD_HTTP_TIMEOUT = "API request timeout"
 
 [Links]
- API = "https://www.alibabacloud.com/help/doc-detail/42875.htm"
+ API = "https://www.alibabacloud.com/help/en/alibaba-cloud-dns/latest/api-alidns-2015-01-09-dir-parsing-records"
 GoClient = "https://github.com/aliyun/alibaba-cloud-sdk-go"
diff --git a/internal/cert/config/azuredns.toml b/internal/cert/config/azuredns.toml
index 745b4438..7cd1b581 100644
--- a/internal/cert/config/azuredns.toml
+++ b/internal/cert/config/azuredns.toml
@@ -27,15 +27,12 @@ lego --domains example.com --email your_example@email.com --dns azuredns run
 ### Using Managed Identity (Azure VM)
 
 AZURE_TENANT_ID= \
-AZURE_SUBSCRIPTION_ID= \
 AZURE_RESOURCE_GROUP= \
 lego --domains example.com --email your_example@email.com --dns azuredns run
 
 ### Using Managed Identity (Azure Arc)
 
 AZURE_TENANT_ID= \
-AZURE_SUBSCRIPTION_ID= \
-AZURE_RESOURCE_GROUP= \
 IMDS_ENDPOINT=http://localhost:40342 \
 IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token \
 lego --domains example.com --email your_example@email.com --dns azuredns run
@@ -61,6 +58,22 @@ Link:
 
 ### Environment variables
 
+#### Service Discovery
+
+Lego automatically finds all visible Azure (private) DNS zones using [Azure ResourceGraph query](https://learn.microsoft.com/en-us/azure/governance/resource-graph/).
+This can be limited by specifying environment variable `AZURE_SUBSCRIPTION_ID` and/or `AZURE_RESOURCE_GROUP` which limits the
+DNS zones to only a subscription or to one resourceGroup.
+
+Additionally environment variable `AZURE_SERVICEDISCOVERY_FILTER` can be used to filter DNS zones with an addition Kusto filter eg:
+
+```
+resources
+| where type =~ "microsoft.network/dnszones"
+| ${AZURE_SERVICEDISCOVERY_FILTER}
+| project subscriptionId, resourceGroup, name
+```
+
+
 #### Client secret
 
 The Azure Credentials can be configured using the following environment variables:
@@ -68,7 +81,7 @@ The Azure Credentials can be configured using the following environment variable
 * AZURE_CLIENT_SECRET = "Client secret"
 * AZURE_TENANT_ID = "Tenant ID"
 
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.
 
 #### Client certificate
 
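Review bot: The Azure VM managed-identity example keeps `AZURE_RESOURCE_GROUP= \` while the Azure Arc example directly below drops both `AZURE_SUBSCRIPTION_ID` and `AZURE_RESOURCE_GROUP`; if both variables are now optional scoping hints, as the Service Discovery section added later in this file says, the two examples should agree, either both keeping the resource-group line or neither. Because discovery now covers every zone the identity can see, a one-line remark in these examples that the managed identity should be granted rights on the specific zone or resource group only, so that the discovery scope matches the permission boundary, would help readers who copy them.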
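Review bot: `AZURE_SERVICEDISCOVERY_FILTER` is spliced into the Resource Graph query exactly as shown in the fence (`| ${AZURE_SERVICEDISCOVERY_FILTER}`), so its value is query syntax rather than data, and the text should say so; suggest adding after the example: `The filter is inserted into the query unchanged, so treat it as trusted configuration (it is not escaped or validated).` The sentence `with an addition Kusto filter eg:` should read `with an additional Kusto filter, e.g.:`. The two trailing added blank lines before `#### Client secret` leave a double blank; one is enough.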
@@ -77,7 +90,7 @@ The Azure Credentials can be configured using the following environment variable
 * AZURE_CLIENT_CERTIFICATE_PATH = "Client certificate path"
 * AZURE_TENANT_ID = "Tenant ID"
 
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.
 
 ### Workload identity
 
@@ -88,12 +101,12 @@ This must be configured in kubernetes workload deployment in one hand and on the
 Here is a summary of the steps to follow to use it :
 * create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`.
 * on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`.
-* create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL and add the namespace and name of your kubernetes service account.
+* create a federated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL and add the namespace and name of your kubernetes service account.
 
 Link :
 - [Azure AD Workload identity](https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html)
 
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `wli`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `wli`.
 
 ### Azure Managed Identity
 
@@ -128,9 +141,9 @@ az role assignment create \
 ```
 
 A timeout wrapper is configured for this authentication method.
-The duraction can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
+The duration can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
 The default timeout is 2 seconds.
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.
 
 #### Azure Managed Identity (with Azure Arc)
 
@@ -144,9 +157,9 @@ you may need to set the environment variables:
 * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token`
 
 A timeout wrapper is configured for this authentication method.
-The duraction can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
+The duration can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
 The default timeout is 2 seconds.
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.
 
 ### Azure CLI
 
@@ -154,7 +167,7 @@ The Azure CLI is a command-line tool provided by Microsoft to interact with Azur
 It provides an easy way to authenticate by simply running `az login` command.
 The generated token will be cached by default in the `~/.azure` folder.
 
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
 
 ### Open ID Connect
 
@@ -169,10 +182,11 @@ It can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oi
 AZURE_CLIENT_SECRET = "Client secret"
 AZURE_TENANT_ID = "Tenant ID"
 AZURE_CLIENT_CERTIFICATE_PATH = "Client certificate path"
- AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"
- AZURE_RESOURCE_GROUP = "DNS zone resource group"
 [Configuration.Additional]
 AZURE_ENVIRONMENT = "Azure environment, one of: public, usgovernment, and china"
+ AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"
+ AZURE_RESOURCE_GROUP = "DNS zone resource group"
+ AZURE_SERVICEDISCOVERY_FILTER = "Advanced ServiceDiscovery filter using Kusto query condition"
 AZURE_PRIVATE_ZONE = "Set to true to use Azure Private DNS Zones and not public"
 AZURE_ZONE_NAME = "Zone name to use inside Azure DNS service to add the TXT record in"
 AZURE_AUTH_METHOD = "Specify which authentication method to use"
diff --git a/internal/cert/config/cpanel.toml b/internal/cert/config/cpanel.toml
new file mode 100644
index 00000000..eac811ef
--- /dev/null
+++ b/internal/cert/config/cpanel.toml
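Review bot: The description `Advanced ServiceDiscovery filter using Kusto query condition` does not convey that the value is a raw query fragment; if these strings are rendered in a configuration form, the user sees nothing else, so suggest `Kusto query condition appended verbatim to the zone discovery query (trusted configuration only)`. Moving `AZURE_SUBSCRIPTION_ID` and `AZURE_RESOURCE_GROUP` out of `[Configuration.Credentials]` presumably makes them optional in that form; their descriptions could say what leaving them empty means, e.g. `DNS zone subscription ID (optional; unset = all subscriptions the identity can read)` and the same pattern for the resource group.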
@@ -0,0 +1,39 @@
+Name = "CPanel/WHM"
+Description = ''''''
+URL = "https://cpanel.net/"
+Code = "cpanel"
+Since = "v4.16.0"
+
+Example = '''
+### CPANEL (default)
+
+CPANEL_USERNAME = "yyyy"
+CPANEL_TOKEN = "xxxx"
+CPANEL_BASE_URL = "https://example.com:2083" \
+lego --email you@example.com --dns cpanel --domains my.example.org run
+
+## WHM
+
+CPANEL_MODE = whm
+CPANEL_USERNAME = "yyyy"
+CPANEL_TOKEN = "xxxx"
+CPANEL_BASE_URL = "https://example.com:2087" \
+lego --email you@example.com --dns cpanel --domains my.example.org run
+'''
+
+[Configuration]
+ [Configuration.Credentials]
+ CPANEL_USERNAME = "username"
+ CPANEL_TOKEN = "API token"
+ CPANEL_BASE_URL = "API server URL"
+ [Configuration.Additional]
+ CPANEL_MODE = "use cpanel API or WHM API (Default: cpanel)"
+ CPANEL_POLLING_INTERVAL = "Time between DNS propagation check"
+ CPANEL_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+ CPANEL_TTL = "The TTL of the TXT record used for the DNS challenge"
+ CPANEL_HTTP_TIMEOUT = "API request timeout"
+ CPANEL_REGION = "The region"
+
+[Links]
+ API_CPANEL = "https://api.docs.cpanel.net/cpanel/introduction/"
+ API_WHM = "https://api.docs.cpanel.net/whm/introduction/"
diff --git a/internal/cert/config/gcloud.toml b/internal/cert/config/gcloud.toml
index c08824b9..261e35b9 100644
--- a/internal/cert/config/gcloud.toml
+++ b/internal/cert/config/gcloud.toml
@@ -21,6 +21,7 @@ GCE_PROJECT="gc-project-id" GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.
 GCE_SERVICE_ACCOUNT = "Account"
 [Configuration.Additional]
 GCE_ALLOW_PRIVATE_ZONE = "Allows requested domain to be in private DNS zone, works only with a private ACME server (by default: false)"
+ GCE_ZONE_ID = "Allows to skip the automatic detection of the zone"
 GCE_POLLING_INTERVAL = "Time between DNS propagation check"
 GCE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
 GCE_TTL = "The TTL of the TXT record used for the DNS challenge"
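Review bot: The cPanel `Example` block is not a runnable shell snippet: the `CPANEL_USERNAME`, `CPANEL_TOKEN` and `CPANEL_MODE` lines carry no trailing `\` and are written with spaces around `=`, so a shell would run each of them as a separate command instead of passing them to `lego`; every other provider in this patch writes the assignments as `VAR=value \` on consecutive lines, and this file should follow the same shape. The heading levels also disagree (`### CPANEL (default)` vs `## WHM`), and `CPANEL_REGION = "The region"` does not say what a region is for cPanel; if it is only forwarded to the API, say so or drop the entry. Since the WHM example points at port 2087, which is the server-wide WHM interface, the `CPANEL_MODE` description could add that a cPanel-account token is preferable whenever it is sufficient for the zone.
```toml
Example = '''
### cPanel (default)

CPANEL_USERNAME=yyyy \
CPANEL_TOKEN=xxxx \
CPANEL_BASE_URL=https://example.com:2083 \
lego --email you@example.com --dns cpanel --domains my.example.org run

### WHM

CPANEL_MODE=whm \
CPANEL_USERNAME=yyyy \
CPANEL_TOKEN=xxxx \
CPANEL_BASE_URL=https://example.com:2087 \
lego --email you@example.com --dns cpanel --domains my.example.org run
'''
# … unchanged: [Configuration] and [Links] tables …
```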
diff --git a/internal/cert/config/mailinabox.toml b/internal/cert/config/mailinabox.toml
new file mode 100644
index 00000000..fdfef081
--- /dev/null
+++ b/internal/cert/config/mailinabox.toml
@@ -0,0 +1,24 @@
+Name = "Mail-in-a-Box"
+Description = ''''''
+URL = "https://mailinabox.email"
+Code = "mailinabox"
+Since = "v4.16.0"
+
+Example = '''
+MAILINABOX_EMAIL=user@example.com \
+MAILINABOX_PASSWORD=yyyy \
+MAILINABOX_BASE_URL=https://box.example.com \
+lego --email you@example.com --dns mailinabox --domains my.example.org run
+'''
+
+[Configuration]
+ [Configuration.Credentials]
+ MAILINABOX_EMAIL = "User email"
+ MAILINABOX_PASSWORD = "User password"
+ MAILINABOX_BASE_URL = "Base API URL (ex: https://box.example.com)"
+ [Configuration.Additional]
+ MAILINABOX_POLLING_INTERVAL = "Time between DNS propagation check"
+ MAILINABOX_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+
+[Links]
+ API = "https://mailinabox.email/api-docs.html"
diff --git a/internal/cert/config/pdns.toml b/internal/cert/config/pdns.toml
index f1209e4a..a59c02cd 100644
--- a/internal/cert/config/pdns.toml
+++ b/internal/cert/config/pdns.toml
@@ -18,6 +18,7 @@ Tested and confirmed to work with PowerDNS authoritative server 3.4.8 and 4.0.1.
 PowerDNS Notes:
 - PowerDNS API does not currently support SSL, therefore you should take care to ensure that traffic between lego and the PowerDNS API is over a trusted network, VPN etc.
 - In order to have the SOA serial automatically increment each time the `_acme-challenge` record is added/modified via the API, set `SOA-EDIT-API` to `INCEPTION-INCREMENT` for the zone in the `domainmetadata` table
+- Some PowerDNS servers doesn't have root API endpoints enabled and API version autodetection will not work. In that case version number can be defined using `PDNS_API_VERSION`.
 '''
 
 [Configuration]
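Review bot: The added PowerDNS bullet has a grammar slip and leaves the reader guessing what value to supply: `Some PowerDNS servers doesn't have root API endpoints enabled and API version autodetection will not work. In that case version number can be defined using `PDNS_API_VERSION`.` would read better as `Some PowerDNS servers don't have the root API endpoint enabled, so API version autodetection will not work; in that case set the version number with `PDNS_API_VERSION`.` Stating the expected format (presumably the bare integer from the API path, e.g. `1`) would also help, since the table entry added in the next hunk only says "the provided version number". The `Additional` string this bullet lives in starts before the hunk.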
@@ -25,11 +26,12 @@ PowerDNS Notes:
 PDNS_API_KEY = "API key"
 PDNS_API_URL = "API URL"
 [Configuration.Additional]
+ PDNS_SERVER_NAME = "Name of the server in the URL, 'localhost' by default"
+ PDNS_API_VERSION = "Skip API version autodetection and use the provided version number."
 PDNS_POLLING_INTERVAL = "Time between DNS propagation check"
 PDNS_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
 PDNS_TTL = "The TTL of the TXT record used for the DNS challenge"
 PDNS_HTTP_TIMEOUT = "API request timeout"
- PDNS_SERVER_NAME = "Name of the server in the URL, 'localhost' by default"
 
 [Links]
 API = "https://doc.powerdns.com/md/httpapi/README/"
diff --git a/internal/cert/config/route53.toml b/internal/cert/config/route53.toml
index d253b540..f16541e3 100644
--- a/internal/cert/config/route53.toml
+++ b/internal/cert/config/route53.toml
@@ -9,7 +9,7 @@ AWS_ACCESS_KEY_ID=your_key_id \
 AWS_SECRET_ACCESS_KEY=your_secret_access_key \
 AWS_REGION=aws-region \
 AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
- --domains example.com --email your_example@email.com --dns route53 --accept-tos=true run
+lego --domains example.com --email your_example@email.com --dns route53 --accept-tos=true run
 '''
 
 Additional = '''
diff --git a/internal/cert/config/scaleway.toml b/internal/cert/config/scaleway.toml
index bbcdb75a..569c032f 100644
--- a/internal/cert/config/scaleway.toml
+++ b/internal/cert/config/scaleway.toml
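Review bot: `PDNS_API_VERSION = "Skip API version autodetection and use the provided version number."` is the only description in this table, and in the sibling provider files of this patch, that ends with a period; drop it for consistency, and say what the value looks like, e.g. `Skip API version autodetection and use this version number (e.g. 1)`. The reorder that moves `PDNS_SERVER_NAME` to the top of `[Configuration.Additional]` is purely cosmetic and would be easier to review if the commit message said so.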
@@ -5,18 +5,19 @@ Code = "scaleway"
 Since = "v3.4.0"
 
 Example = '''
-SCALEWAY_API_TOKEN=xxxxxxx-xxxxx-xxxx-xxx-xxxxxx \
+SCW_SECRET_KEY=xxxxxxx-xxxxx-xxxx-xxx-xxxxxx \
 lego --email you@example.com --dns scaleway --domains my.example.org run
 '''
 
 [Configuration]
 [Configuration.Credentials]
- SCALEWAY_API_TOKEN = "API token"
- SCALEWAY_PROJECT_ID = "Project to use (optional)"
+ SCW_SECRET_KEY = "Secret key"
+ SCW_PROJECT_ID = "Project to use (optional)"
 [Configuration.Additional]
- SCALEWAY_POLLING_INTERVAL = "Time between DNS propagation check"
- SCALEWAY_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
- SCALEWAY_TTL = "The TTL of the TXT record used for the DNS challenge"
+ SCW_ACCESS_KEY = "Access key"
+ SCW_POLLING_INTERVAL = "Time between DNS propagation check"
+ SCW_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+ SCW_TTL = "The TTL of the TXT record used for the DNS challenge"
 
 [Links]
 API = "https://developers.scaleway.com/en/products/domain/dns/api/"
diff --git a/internal/cert/config/shellrent.toml b/internal/cert/config/shellrent.toml
new file mode 100644
index 00000000..5c63db19
--- /dev/null
+++ b/internal/cert/config/shellrent.toml
@@ -0,0 +1,24 @@
+Name = "Shellrent"
+Description = ''''''
+URL = "https://www.shellrent.com/"
+Code = "shellrent"
+Since = "v4.16.0"
+
+Example = '''
+SHELLRENT_USERNAME=xxxx \
+SHELLRENT_TOKEN=yyyy \
+lego --email you@example.com --dns shellrent --domains my.example.org run
+'''
+
+[Configuration]
+ [Configuration.Credentials]
+ SHELLRENT_USERNAME = "Username"
+ SHELLRENT_TOKEN = "Token"
+ [Configuration.Additional]
+ SHELLRENT_POLLING_INTERVAL = "Time between DNS propagation check"
+ SHELLRENT_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+ SHELLRENT_TTL = "The TTL of the TXT record used for the DNS challenge"
+ SHELLRENT_HTTP_TIMEOUT = "API request timeout"
+
+[Links]
+ API = "https://api.shellrent.com/section/api2"
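Review bot: Renaming every `SCALEWAY_*` variable to `SCW_*` silently changes the names existing users have configured, and nothing in the file tells them; if lego still honours the old names, add a line to an `Additional` block saying so, otherwise state that `SCALEWAY_API_TOKEN` and `SCALEWAY_PROJECT_ID` are no longer read (the `Since = "v3.4.0"` context line refers to the provider, not to this rename, so a separate note is needed). `SCW_ACCESS_KEY = "Access key"` is placed under `[Configuration.Additional]` rather than `[Configuration.Credentials]`; if the access key is the public half of the key pair that goes with `SCW_SECRET_KEY`, it belongs in Credentials, and if it is genuinely optional the description should say `Access key (optional)`.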
diff --git a/internal/cert/config/webnames.toml b/internal/cert/config/webnames.toml
new file mode 100644
index 00000000..b42ac3e1
--- /dev/null
+++ b/internal/cert/config/webnames.toml
@@ -0,0 +1,30 @@
+Name = "Webnames"
+Description = ''''''
+URL = "https://www.webnames.ru/"
+Code = "webnames"
+Since = "v4.15.0"
+
+Example = '''
+WEBNAMES_API_KEY=xxxxxx \
+lego --email you@example.com --dns webnames --domains my.example.org run
+'''
+
+Additional = '''
+## API Key
+
+To obtain the key, you need to change the DNS server to `*.nameself.com`: Personal account / My domains and services / Select the required domain / DNS servers
+
+The API key can be found: Personal account / My domains and services / Select the required domain / Zone management / acme.sh or certbot settings
+'''
+
+[Configuration]
+ [Configuration.Credentials]
+ WEBNAMES_API_KEY = "Domain API key"
+ [Configuration.Additional]
+ WEBNAMES_POLLING_INTERVAL = "Time between DNS propagation check"
+ WEBNAMES_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+ WEBNAMES_TTL = "The TTL of the TXT record used for the DNS challenge"
+ WEBNAMES_HTTP_TIMEOUT = "API request timeout"
+
+[Links]
+ API = "https://github.com/regtime-ltd/certbot-dns-webnames"
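Review bot: The `Additional` text locates the key under `Select the required domain / Zone management`, which implies `WEBNAMES_API_KEY` is scoped to one domain, but the credential description says only `Domain API key`; spelling that out, e.g. `Domain API key (issued per domain under Zone management)`, tells the user which key to paste without reading the prose. `*.nameself.com` reads as a wildcard rather than a name-server list; if the intent is the provider's name servers, say `the nameself.com name servers` or list them. Both sentences in the `Additional` string would also benefit from a comma after `found:` and `servers` instead of the slash-separated path run into the sentence.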