From 7a9aa3a33bc8be465032e541e965d62d7f6cec85 Mon Sep 17 00:00:00 2001
From: Jacky
Date: Sat, 20 Jul 2024 09:46:19 +0800
Subject: [PATCH] chore: update lego configurations

---
 internal/cert/config/designate.toml | 1 +
 internal/cert/config/dode.toml | 2 +-
 internal/cert/config/godaddy.toml | 9 ++++++++
 internal/cert/config/ovh.toml | 33 ++++++++++++++++++++++++++---
 internal/cert/config/route53.toml | 1 +
 5 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/internal/cert/config/designate.toml b/internal/cert/config/designate.toml
index 55a1cd3c..2681df70 100644
--- a/internal/cert/config/designate.toml
+++ b/internal/cert/config/designate.toml
@@ -63,6 +63,7 @@ Public cloud providers with support for Designate:
 [Configuration.Additional]
 OS_PROJECT_ID = "Project ID"
 OS_TENANT_NAME = "Tenant name (deprecated see OS_PROJECT_NAME and OS_PROJECT_ID)"
+ DESIGNATE_ZONE_NAME = "The zone name to use in the OpenStack Project to manage TXT records."
 DESIGNATE_POLLING_INTERVAL = "Time between DNS propagation check"
 DESIGNATE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
 DESIGNATE_TTL = "The TTL of the TXT record used for the DNS challenge"
diff --git a/internal/cert/config/dode.toml b/internal/cert/config/dode.toml
index b4f8ff03..c352d249 100644
--- a/internal/cert/config/dode.toml
+++ b/internal/cert/config/dode.toml
@@ -20,4 +20,4 @@ lego --email you@example.com --dns dode --domains my.example.org run
 DODE_SEQUENCE_INTERVAL = "Time between sequential requests"
 
 [Links]
- API = "https://www.do.de/wiki/LetsEncrypt_-_Entwickler"
+ API = "https://www.do.de/wiki/freie-ssl-tls-zertifikate-ueber-acme/"
diff --git a/internal/cert/config/godaddy.toml b/internal/cert/config/godaddy.toml
index b43a0f0d..5983b0c0 100644
--- a/internal/cert/config/godaddy.toml
+++ b/internal/cert/config/godaddy.toml
@@ -10,6 +10,15 @@ GODADDY_API_SECRET=yyyyyyyy \
 lego --email you@example.com --dns godaddy --domains my.example.org run
 '''
 
+Additional = '''
+GoDaddy has recently (2024-04) updated the account requirements to access parts of their production Domains API:
+
+- Availability API: Limited to accounts with 50 or more domains.
+- Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.
+
+https://community.letsencrypt.org/t/getting-unauthorized-url-error-while-trying-to-get-cert-for-subdomains/217329/12
+'''
+
 [Configuration]
 [Configuration.Credentials]
 GODADDY_API_KEY = "API key"
diff --git a/internal/cert/config/ovh.toml b/internal/cert/config/ovh.toml
index ddd51d2c..1597d280 100644
--- a/internal/cert/config/ovh.toml
+++ b/internal/cert/config/ovh.toml
@@ -5,11 +5,20 @@ Code = "ovh"
 Since = "v0.4.0"
 
 Example = '''
+# Application Key authentication:
+
 OVH_APPLICATION_KEY=1234567898765432 \
 OVH_APPLICATION_SECRET=b9841238feb177a84330febba8a832089 \
 OVH_CONSUMER_KEY=256vfsd347245sdfg \
 OVH_ENDPOINT=ovh-eu \
 lego --email you@example.com --dns ovh --domains my.example.org run
+
+# Or OAuth2:
+
+OVH_CLIENT_ID=yyy \
+OVH_CLIENT_SECRET=xxx \
+OVH_ENDPOINT=ovh-eu \
+lego --email you@example.com --dns ovh --domains my.example.org run
 '''
 
 Additional = '''
@@ -33,14 +42,32 @@ When requesting the consumer key, the following configuration can be used to def
 ]
 }
 ```
+
+## OAuth2 Client Credentials
+
+Another method for authentication is by using OAuth2 client credentials.
+
+An IAM policy and service account can be created by following the [OVH guide](https://help.ovhcloud.com/csm/en-manage-service-account?id=kb_article_view&sysparm_article=KB0059343).
+
+Following IAM policies need to be authorized for the affected domain:
+
+* dnsZone:apiovh:record/create
+* dnsZone:apiovh:record/delete
+* dnsZone:apiovh:refresh
+
+## Important Note
+
+Both authentication methods cannot be used at the same time.
 '''
 
 [Configuration]
 [Configuration.Credentials]
 OVH_ENDPOINT = "Endpoint URL (ovh-eu or ovh-ca)"
- OVH_APPLICATION_KEY = "Application key"
- OVH_APPLICATION_SECRET = "Application secret"
- OVH_CONSUMER_KEY = "Consumer key"
+ OVH_APPLICATION_KEY = "Application key (Application Key authentication)"
+ OVH_APPLICATION_SECRET = "Application secret (Application Key authentication)"
+ OVH_CONSUMER_KEY = "Consumer key (Application Key authentication)"
+ OVH_CLIENT_ID = "Client ID (OAuth2)"
+ OVH_CLIENT_SECRET = "Client secret (OAuth2)"
 [Configuration.Additional]
 OVH_POLLING_INTERVAL = "Time between DNS propagation check"
 OVH_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
diff --git a/internal/cert/config/route53.toml b/internal/cert/config/route53.toml
index f16541e3..da8b489a 100644
--- a/internal/cert/config/route53.toml
+++ b/internal/cert/config/route53.toml
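Review bot: The mutual exclusion stated in the added `## Important Note` exists only in the free-text `Additional` block, while `[Configuration.Credentials]` now lists the Application Key triple and the OAuth2 pair as one flat set of five keys, so a consumer that renders this table as a credential form has nothing but the parenthetical suffixes to tell the two groups apart and no indication that `OVH_ENDPOINT` belongs to both. Carrying that into the structured descriptions keeps the table self-describing, e.g. `OVH_ENDPOINT = "Endpoint URL (ovh-eu or ovh-ca), required for both authentication methods"`. The IAM list (`record/create`, `record/delete`, `refresh`) is a sensible least-privilege set; the same paragraph should say explicitly that the service account's policy is bound to the zone being validated rather than granted account-wide, which is what "for the affected domain" appears to intend. The surrounding `Additional = '''` string opens outside this hunk.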
@@ -131,6 +131,7 @@ Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with
 AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
 AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
 AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
+ AWS_WAIT_FOR_RECORD_SETS_CHANGED = "Wait for changes to be INSYNC (it can be unstable)"
 [Configuration.Additional]
 AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
 AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"
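Review bot: `AWS_WAIT_FOR_RECORD_SETS_CHANGED` is a behavioural toggle, not a credential, yet the added line is grouped with `AWS_SDK_LOAD_CONFIG`, `AWS_ASSUME_ROLE_ARN` and `AWS_EXTERNAL_ID` instead of under the `[Configuration.Additional]` header that immediately follows it; the header enclosing these lines is outside the hunk, so I am inferring it is `[Configuration.Credentials]`, but if so any consumer that treats that table as secret material (masking in the UI, encrypted storage) will handle a plain flag that way. The description `"Wait for changes to be INSYNC (it can be unstable)"` also does not say what values the key accepts or what "unstable" means for the operator; if it is a boolean as the name suggests, something like `"Wait until Route 53 reports the record set change as INSYNC before continuing (true/false); the status poll itself may be flaky"` would be clearer. If this file mirrors upstream lego verbatim and the placement is deliberate, a one-line comment above the table saying so would stop the next reviewer from moving it.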