Merge pull request #341 from philfry/master

nsupdate

README.md

@@ -256,6 +256,7 @@ You don't have do anything manually!
    (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
 9. LuaDNS.com API
 10. DNSMadeEasy.com API
+11. nsupdate
 
 ##### More APIs are coming soon...
 

acme.sh

@@ -3592,6 +3592,11 @@ _initconf() {
 #
 #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
 
+#######################
+#nsupdate:
+#NSUPDATE_KEY=\"/path/to/update.key\"
+#NSUPDATE_SERVER=\"192.168.0.1\"
+
 #######################
 #PowerDNS:
 #PDNS_Url=\"http://ns.example.com:8081\"

dnsapi/README.md

@@ -112,10 +112,60 @@ acme.sh   --issue   --dns dns_pdns   -d example.com  -d www.example.com
 
 The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`.
 
+
 ## Use OVH/kimsufi/soyoustart/runabove API
 
 https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
 
+## Use nsupdate to automatically issue cert
+
+First, generate a key for updating the zone
+```
+b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo)
+cat > /etc/named/keys/update.key <<EOF
+key "update" {
+    algorithm hmac-sha512;
+    secret "$(awk '/^Key/{print $2}' /tmp/$b.private)";
+};
+EOF
+rm -f /tmp/$b.{private,key}
+```
+
+Include this key in your named configuration
+```
+include "/etc/named/keys/update.key";
+```
+
+Next, configure your zone to allow dynamic updates.
+Depending on your named version, use either
+```
+zone "example.com" {
+    type master;
+    allow-update { key "update"; };
+};
+```
+or
+```
+zone "example.com" {
+    type master;
+    update-policy {
+        grant update subdomain example.com.;
+    };
+}
+```
+Finally, make the dns server and update key available to `acme.sh`
+```
+export NSUPDATE_SERVER=dns.example.com
+export NSUPDATE_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
+```
+
+Ok, let's issue cert now:
+```
+acme.sh   --issue   --dns dns_nsupdate   -d example.com  -d www.example.com
+```
+
+The `NSUPDATE_SERVER` and `NSUPDATE_KEY` settings will be saved in `~/.acme.sh/account.conf`.
+
 # Use custom api
 
 If your api is not supported yet,  you can write your own dns api.

dnsapi/dns_nsupdate.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env sh
+
+
+########  Public functions #####################
+
+#Usage: dns_nsupdate_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_nsupdate_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _checkKeyFile || return 1
+  [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
+  # save the dns server and key to the account conf file.
+  _saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
+  _saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
+  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  nsupdate -k "${NSUPDATE_KEY}" <<EOF
+server ${NSUPDATE_SERVER}
+update add ${fulldomain}. 60 in txt "${txtvalue}"
+send
+EOF
+  if [ $? -ne 0 ]; then
+    _err "error updating domain"
+    return 1
+  fi
+  
+  return 0
+}
+
+#Usage: dns_nsupdate_rm   _acme-challenge.www.domain.com
+dns_nsupdate_rm() {
+  fulldomain=$1
+  _checkKeyFile || return 1
+  [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
+  _info "removing ${fulldomain}. txt"
+  nsupdate -k "${NSUPDATE_KEY}" <<EOF
+server ${NSUPDATE_SERVER}
+update delete ${fulldomain}. txt
+send
+EOF
+  if [ $? -ne 0 ]; then
+    _err "error updating domain"
+    return 1
+  fi
+
+  return 0
+}
+
+
+####################  Private functions bellow ##################################
+
+_checkKeyFile() {
+  if [ -z "${NSUPDATE_KEY}" ]; then
+    _err "you must specify a path to the nsupdate key file"
+    return 1
+  fi
+  if [ ! -r "${NSUPDATE_KEY}" ]; then
+    _err "key ${NSUPDATE_KEY} is unreadable"
+    return 1
+  fi
+}