chore: update lego configurations

Jacky 2024-07-20 09:46:19 +08:00
parent 7f3f23d706
commit 7a9aa3a33b
No known key found for this signature in database
GPG key ID: 215C21B10DF38B4D
5 changed files with 42 additions and 4 deletions


@ -63,6 +63,7 @@ Public cloud providers with support for Designate:
[Configuration.Additional]
OS_PROJECT_ID = "Project ID"
OS_TENANT_NAME = "Tenant name (deprecated see OS_PROJECT_NAME and OS_PROJECT_ID)"
DESIGNATE_ZONE_NAME = "The zone name to use in the OpenStack Project to manage TXT records."
DESIGNATE_POLLING_INTERVAL = "Time between DNS propagation check"
DESIGNATE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
DESIGNATE_TTL = "The TTL of the TXT record used for the DNS challenge"


@ -20,4 +20,4 @@ lego --email you@example.com --dns dode --domains my.example.org run
DODE_SEQUENCE_INTERVAL = "Time between sequential requests"
[Links]
API = "https://www.do.de/wiki/LetsEncrypt_-_Entwickler"
API = "https://www.do.de/wiki/freie-ssl-tls-zertifikate-ueber-acme/"


@ -10,6 +10,15 @@ GODADDY_API_SECRET=yyyyyyyy \
lego --email you@example.com --dns godaddy --domains my.example.org run
'''
Additional = '''
GoDaddy has recently (2024-04) updated the account requirements to access parts of their production Domains API:
- Availability API: Limited to accounts with 50 or more domains.
- Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.
https://community.letsencrypt.org/t/getting-unauthorized-url-error-while-trying-to-get-cert-for-subdomains/217329/12
'''
[Configuration]
[Configuration.Credentials]
GODADDY_API_KEY = "API key"


@ -5,11 +5,20 @@ Code = "ovh"
Since = "v0.4.0"
Example = '''
# Application Key authentication:
OVH_APPLICATION_KEY=1234567898765432 \
OVH_APPLICATION_SECRET=b9841238feb177a84330febba8a832089 \
OVH_CONSUMER_KEY=256vfsd347245sdfg \
OVH_ENDPOINT=ovh-eu \
lego --email you@example.com --dns ovh --domains my.example.org run
# Or OAuth2:
OVH_CLIENT_ID=yyy \
OVH_CLIENT_SECRET=xxx \
OVH_ENDPOINT=ovh-eu \
lego --email you@example.com --dns ovh --domains my.example.org run
'''
Additional = '''
@ -33,14 +42,32 @@ When requesting the consumer key, the following configuration can be used to def
]
}
```
## OAuth2 Client Credentials
Another method for authentication is by using OAuth2 client credentials.
An IAM policy and service account can be created by following the [OVH guide](https://help.ovhcloud.com/csm/en-manage-service-account?id=kb_article_view&sysparm_article=KB0059343).
Following IAM policies need to be authorized for the affected domain:
* dnsZone:apiovh:record/create
* dnsZone:apiovh:record/delete
* dnsZone:apiovh:refresh
## Important Note
Both authentication methods cannot be used at the same time.
'''
[Configuration]
[Configuration.Credentials]
OVH_ENDPOINT = "Endpoint URL (ovh-eu or ovh-ca)"
OVH_APPLICATION_KEY = "Application key"
OVH_APPLICATION_SECRET = "Application secret"
OVH_CONSUMER_KEY = "Consumer key"
OVH_APPLICATION_KEY = "Application key (Application Key authentication)"
OVH_APPLICATION_SECRET = "Application secret (Application Key authentication)"
OVH_CONSUMER_KEY = "Consumer key (Application Key authentication)"
OVH_CLIENT_ID = "Client ID (OAuth2)"
OVH_CLIENT_SECRET = "Client secret (OAuth2)"
[Configuration.Additional]
OVH_POLLING_INTERVAL = "Time between DNS propagation check"
OVH_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
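Review bot: The `[Configuration.Credentials]` table now lists the Application Key trio and the OAuth2 pair side by side, but the rule that the two methods cannot be combined appears only in the `Additional` text under "Important Note". Anyone who reads only the key descriptions, or fills in a form generated from them (an assumption, the consumer is not visible on this page), gets no hint that supplying both sets is invalid. Consider carrying the constraint into the descriptions themselves, e.g. `OVH_CLIENT_ID = "Client ID (OAuth2; do not combine with Application Key authentication)"` and the same qualifier on `OVH_CLIENT_SECRET`. It would also help to say next to the IAM action list that the service account needs nothing beyond those three `dnsZone` actions on the zone used for the challenge, so operators do not grant it a broader policy.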


@ -131,6 +131,7 @@ Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with
AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
AWS_WAIT_FOR_RECORD_SETS_CHANGED = "Wait for changes to be INSYNC (it can be unstable)"
[Configuration.Additional]
AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"
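Review bot: `AWS_WAIT_FOR_RECORD_SETS_CHANGED` is added just above `[Configuration.Additional]`, so it joins the preceding table next to `AWS_ASSUME_ROLE_ARN` and `AWS_EXTERNAL_ID`, although it is a behaviour toggle rather than a credential. That table's header is outside the hunk; from its neighbours it is presumably `[Configuration.Credentials]`. The description also leaves out which values are accepted and what the default is, and "it can be unstable" does not say whether the instability comes from waiting or from skipping the wait. If the layout is free to change, move the line below `[Configuration.Additional]` and word it along the lines of `AWS_WAIT_FOR_RECORD_SETS_CHANGED = "Wait for the record-set change to reach INSYNC before continuing (state accepted values and default)"`, filling in the values from the provider implementation.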