chore: update lego configs

2025-05-11 18:35:51 +02:00 · 2024-03-25 23:03:42 +08:00 · 2024-03-25 23:03:42 +08:00 · 4289d55562
commit 4289d55562
parent aeed27a2fa
10 changed files with 158 additions and 23 deletions
--- a/internal/cert/config/alidns.toml
+++ b/internal/cert/config/alidns.toml
@ -29,5 +29,5 @@ lego --email you@example.com --dns alidns --domains my.example.org run
    ALICLOUD_HTTP_TIMEOUT = "API request timeout"

 [Links]
-  API = "https://www.alibabacloud.com/help/doc-detail/42875.htm"
+  API = "https://www.alibabacloud.com/help/en/alibaba-cloud-dns/latest/api-alidns-2015-01-09-dir-parsing-records"
  GoClient = "https://github.com/aliyun/alibaba-cloud-sdk-go"
--- a/internal/cert/config/azuredns.toml
+++ b/internal/cert/config/azuredns.toml
@ -27,15 +27,12 @@ lego --domains example.com --email your_example@email.com --dns azuredns run
 ### Using Managed Identity (Azure VM)

 AZURE_TENANT_ID=<your service principal tenant ID> \
-AZURE_SUBSCRIPTION_ID=<your target zone subscription ID> \
 AZURE_RESOURCE_GROUP=<your target zone resource group name> \
 lego --domains example.com --email your_example@email.com --dns azuredns run

 ### Using Managed Identity (Azure Arc)

 AZURE_TENANT_ID=<your service principal tenant ID> \
-AZURE_SUBSCRIPTION_ID=<your target zone subscription ID> \
-AZURE_RESOURCE_GROUP=<your target zone resource group name> \
 IMDS_ENDPOINT=http://localhost:40342 \
 IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token \
 lego --domains example.com --email your_example@email.com --dns azuredns run
@ -61,6 +58,22 @@ Link:

 ### Environment variables

+#### Service Discovery
+
+Lego automatically finds all visible Azure (private) DNS zones using [Azure ResourceGraph query](https://learn.microsoft.com/en-us/azure/governance/resource-graph/).
+This can be limited by specifying environment variable `AZURE_SUBSCRIPTION_ID` and/or `AZURE_RESOURCE_GROUP` which limits the
+DNS zones to only a subscription or to one resourceGroup.
+
+Additionally environment variable `AZURE_SERVICEDISCOVERY_FILTER` can be used to filter DNS zones with an addition Kusto filter eg:
+
+```
+resources
+| where type =~ "microsoft.network/dnszones"
+| ${AZURE_SERVICEDISCOVERY_FILTER}
+| project subscriptionId, resourceGroup, name
+```
+
+
 #### Client secret

 The Azure Credentials can be configured using the following environment variables:
@ -68,7 +81,7 @@ The Azure Credentials can be configured using the following environment variable
 * AZURE_CLIENT_SECRET = "Client secret"
 * AZURE_TENANT_ID = "Tenant ID"

-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.

 #### Client certificate

@ -77,7 +90,7 @@ The Azure Credentials can be configured using the following environment variable
 * AZURE_CLIENT_CERTIFICATE_PATH = "Client certificate path"
 * AZURE_TENANT_ID = "Tenant ID"

-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `env`.

 ### Workload identity

@ -88,12 +101,12 @@ This must be configured in kubernetes workload deployment in one hand and on the
 Here is a summary of the steps to follow to use it :
 * create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`.
 * on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`.
-* create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL  and add the namespace and name of your kubernetes service account.
+* create a federated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL  and add the namespace and name of your kubernetes service account.

 Link :
 - [Azure AD Workload identity](https://azure.github.io/azure-workload-identity/docs/topics/service-account-labels-and-annotations.html)

-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `wli`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `wli`.

 ### Azure Managed Identity

@ -128,9 +141,9 @@ az role assignment create \
 ```

 A timeout wrapper is configured for this authentication method.
-The duraction can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
+The duration can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
 The default timeout is 2 seconds.
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.

 #### Azure Managed Identity (with Azure Arc)

@ -144,9 +157,9 @@ you may need to set the environment variables:
 * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token`

 A timeout wrapper is configured for this authentication method.
-The duraction can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
+The duration can be configured by setting the `AZURE_AUTH_MSI_TIMEOUT`.
 The default timeout is 2 seconds.
-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `msi`.

 ### Azure CLI

@ -154,7 +167,7 @@ The Azure CLI is a command-line tool provided by Microsoft to interact with Azur
 It provides an easy way to authenticate by simply running `az login` command.
 The generated token will be cached by default in the `~/.azure` folder.

-This authentication method can be specificaly used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.
+This authentication method can be specifically used by setting the `AZURE_AUTH_METHOD` environment variable to `cli`.

 ### Open ID Connect

@ -169,10 +182,11 @@ It can be enabled by setting the `AZURE_AUTH_METHOD` environment variable to `oi
    AZURE_CLIENT_SECRET = "Client secret"
    AZURE_TENANT_ID = "Tenant ID"
    AZURE_CLIENT_CERTIFICATE_PATH = "Client certificate path"
-    AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"
-    AZURE_RESOURCE_GROUP = "DNS zone resource group"
  [Configuration.Additional]
    AZURE_ENVIRONMENT = "Azure environment, one of: public, usgovernment, and china"
+    AZURE_SUBSCRIPTION_ID = "DNS zone subscription ID"
+    AZURE_RESOURCE_GROUP = "DNS zone resource group"
+    AZURE_SERVICEDISCOVERY_FILTER = "Advanced ServiceDiscovery filter using Kusto query condition"
    AZURE_PRIVATE_ZONE = "Set to true to use Azure Private DNS Zones and not public"
    AZURE_ZONE_NAME = "Zone name to use inside Azure DNS service to add the TXT record in"
    AZURE_AUTH_METHOD = "Specify which authentication method to use"
--- a/internal/cert/config/cpanel.toml
+++ b/internal/cert/config/cpanel.toml
@ -0,0 +1,39 @@
+Name = "CPanel/WHM"
+Description = ''''''
+URL = "https://cpanel.net/"
+Code = "cpanel"
+Since = "v4.16.0"
+
+Example = '''
+### CPANEL (default)
+
+CPANEL_USERNAME = "yyyy"
+CPANEL_TOKEN = "xxxx"
+CPANEL_BASE_URL = "https://example.com:2083" \
+lego --email you@example.com --dns cpanel --domains my.example.org run
+
+## WHM
+
+CPANEL_MODE = whm
+CPANEL_USERNAME = "yyyy"
+CPANEL_TOKEN = "xxxx"
+CPANEL_BASE_URL = "https://example.com:2087" \
+lego --email you@example.com --dns cpanel --domains my.example.org run
+'''
+
+[Configuration]
+  [Configuration.Credentials]
+    CPANEL_USERNAME = "username"
+    CPANEL_TOKEN = "API token"
+    CPANEL_BASE_URL = "API server URL"
+  [Configuration.Additional]
+    CPANEL_MODE = "use cpanel API or WHM API (Default: cpanel)"
+    CPANEL_POLLING_INTERVAL = "Time between DNS propagation check"
+    CPANEL_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+    CPANEL_TTL = "The TTL of the TXT record used for the DNS challenge"
+    CPANEL_HTTP_TIMEOUT = "API request timeout"
+    CPANEL_REGION = "The region"
+
+[Links]
+  API_CPANEL = "https://api.docs.cpanel.net/cpanel/introduction/"
+  API_WHM = "https://api.docs.cpanel.net/whm/introduction/"
--- a/internal/cert/config/gcloud.toml
+++ b/internal/cert/config/gcloud.toml
@ -21,6 +21,7 @@ GCE_PROJECT="gc-project-id" GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.
    GCE_SERVICE_ACCOUNT = "Account"
  [Configuration.Additional]
    GCE_ALLOW_PRIVATE_ZONE = "Allows requested domain to be in private DNS zone, works only with a private ACME server (by default: false)"
+    GCE_ZONE_ID = "Allows to skip the automatic detection of the zone"
    GCE_POLLING_INTERVAL = "Time between DNS propagation check"
    GCE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
    GCE_TTL = "The TTL of the TXT record used for the DNS challenge"
--- a/internal/cert/config/mailinabox.toml
+++ b/internal/cert/config/mailinabox.toml
@ -0,0 +1,24 @@
+Name = "Mail-in-a-Box"
+Description = ''''''
+URL = "https://mailinabox.email"
+Code = "mailinabox"
+Since = "v4.16.0"
+
+Example = '''
+MAILINABOX_EMAIL=user@example.com \
+MAILINABOX_PASSWORD=yyyy \
+MAILINABOX_BASE_URL=https://box.example.com \
+lego --email you@example.com --dns mailinabox --domains my.example.org run
+'''
+
+[Configuration]
+  [Configuration.Credentials]
+    MAILINABOX_EMAIL = "User email"
+    MAILINABOX_PASSWORD = "User password"
+    MAILINABOX_BASE_URL = "Base API URL (ex: https://box.example.com)"
+  [Configuration.Additional]
+    MAILINABOX_POLLING_INTERVAL = "Time between DNS propagation check"
+    MAILINABOX_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+
+[Links]
+  API = "https://mailinabox.email/api-docs.html"
--- a/internal/cert/config/pdns.toml
+++ b/internal/cert/config/pdns.toml
@ -18,6 +18,7 @@ Tested and confirmed to work with PowerDNS authoritative server 3.4.8 and 4.0.1.
 PowerDNS Notes:
 - PowerDNS API does not currently support SSL, therefore you should take care to ensure that traffic between lego and the PowerDNS API is over a trusted network, VPN etc.
 - In order to have the SOA serial automatically increment each time the `_acme-challenge` record is added/modified via the API, set `SOA-EDIT-API` to `INCEPTION-INCREMENT` for the zone in the `domainmetadata` table
+- Some PowerDNS servers doesn't have root API endpoints enabled and API version autodetection will not work. In that case version number can be defined using `PDNS_API_VERSION`.
 '''

 [Configuration]
@ -25,11 +26,12 @@ PowerDNS Notes:
    PDNS_API_KEY = "API key"
    PDNS_API_URL = "API URL"
  [Configuration.Additional]
+    PDNS_SERVER_NAME = "Name of the server in the URL, 'localhost' by default"
+    PDNS_API_VERSION = "Skip API version autodetection and use the provided version number."
    PDNS_POLLING_INTERVAL = "Time between DNS propagation check"
    PDNS_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
    PDNS_TTL = "The TTL of the TXT record used for the DNS challenge"
    PDNS_HTTP_TIMEOUT = "API request timeout"
-    PDNS_SERVER_NAME = "Name of the server in the URL, 'localhost' by default"

 [Links]
  API = "https://doc.powerdns.com/md/httpapi/README/"
--- a/internal/cert/config/route53.toml
+++ b/internal/cert/config/route53.toml
@ -9,7 +9,7 @@ AWS_ACCESS_KEY_ID=your_key_id \
 AWS_SECRET_ACCESS_KEY=your_secret_access_key \
 AWS_REGION=aws-region \
 AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
- --domains example.com --email your_example@email.com --dns route53 --accept-tos=true run
+lego --domains example.com --email your_example@email.com --dns route53 --accept-tos=true run
 '''

 Additional = '''
--- a/internal/cert/config/scaleway.toml
+++ b/internal/cert/config/scaleway.toml
@ -5,18 +5,19 @@ Code = "scaleway"
 Since = "v3.4.0"

 Example = '''
-SCALEWAY_API_TOKEN=xxxxxxx-xxxxx-xxxx-xxx-xxxxxx \
+SCW_SECRET_KEY=xxxxxxx-xxxxx-xxxx-xxx-xxxxxx \
 lego --email you@example.com --dns scaleway --domains my.example.org run
 '''

 [Configuration]
  [Configuration.Credentials]
-    SCALEWAY_API_TOKEN = "API token"
-    SCALEWAY_PROJECT_ID = "Project to use (optional)"
+    SCW_SECRET_KEY = "Secret key"
+    SCW_PROJECT_ID = "Project to use (optional)"
  [Configuration.Additional]
-    SCALEWAY_POLLING_INTERVAL = "Time between DNS propagation check"
-    SCALEWAY_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
-    SCALEWAY_TTL = "The TTL of the TXT record used for the DNS challenge"
+    SCW_ACCESS_KEY = "Access key"
+    SCW_POLLING_INTERVAL = "Time between DNS propagation check"
+    SCW_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+    SCW_TTL = "The TTL of the TXT record used for the DNS challenge"

 [Links]
  API = "https://developers.scaleway.com/en/products/domain/dns/api/"
--- a/internal/cert/config/shellrent.toml
+++ b/internal/cert/config/shellrent.toml
@ -0,0 +1,24 @@
+Name = "Shellrent"
+Description = ''''''
+URL = "https://www.shellrent.com/"
+Code = "shellrent"
+Since = "v4.16.0"
+
+Example = '''
+SHELLRENT_USERNAME=xxxx \
+SHELLRENT_TOKEN=yyyy \
+lego --email you@example.com --dns shellrent --domains my.example.org run
+'''
+
+[Configuration]
+  [Configuration.Credentials]
+    SHELLRENT_USERNAME = "Username"
+    SHELLRENT_TOKEN = "Token"
+  [Configuration.Additional]
+    SHELLRENT_POLLING_INTERVAL = "Time between DNS propagation check"
+    SHELLRENT_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+    SHELLRENT_TTL = "The TTL of the TXT record used for the DNS challenge"
+    SHELLRENT_HTTP_TIMEOUT = "API request timeout"
+
+[Links]
+  API = "https://api.shellrent.com/section/api2"
--- a/internal/cert/config/webnames.toml
+++ b/internal/cert/config/webnames.toml
@ -0,0 +1,30 @@
+Name = "Webnames"
+Description = ''''''
+URL = "https://www.webnames.ru/"
+Code = "webnames"
+Since = "v4.15.0"
+
+Example = '''
+WEBNAMES_API_KEY=xxxxxx \
+lego --email you@example.com --dns webnames --domains my.example.org run
+'''
+
+Additional = '''
+## API Key
+
+To obtain the key, you need to change the DNS server to `*.nameself.com`: Personal account / My domains and services / Select the required domain / DNS servers
+
+The API key can be found: Personal account / My domains and services / Select the required domain / Zone management / acme.sh or certbot settings
+'''
+
+[Configuration]
+  [Configuration.Credentials]
+    WEBNAMES_API_KEY = "Domain API key"
+  [Configuration.Additional]
+    WEBNAMES_POLLING_INTERVAL = "Time between DNS propagation check"
+    WEBNAMES_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
+    WEBNAMES_TTL = "The TTL of the TXT record used for the DNS challenge"
+    WEBNAMES_HTTP_TIMEOUT = "API request timeout"
+
+[Links]
+  API = "https://github.com/regtime-ltd/certbot-dns-webnames"