Merge pull request #341 from philfry/master

nsupdate
This commit is contained in:
neil 2016-11-15 17:23:41 +08:00 committed by GitHub
commit 29d47c4de2
4 changed files with 116 additions and 0 deletions

View File

@ -256,6 +256,7 @@ You don't have do anything manually!
(DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.) (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
9. LuaDNS.com API 9. LuaDNS.com API
10. DNSMadeEasy.com API 10. DNSMadeEasy.com API
11. nsupdate
##### More APIs are coming soon... ##### More APIs are coming soon...

View File

@ -3592,6 +3592,11 @@ _initconf() {
# #
#GD_Secret=\"sADDsdasdfsdfdssdgdsf\" #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
#######################
#nsupdate:
#NSUPDATE_KEY=\"/path/to/update.key\"
#NSUPDATE_SERVER=\"192.168.0.1\"
####################### #######################
#PowerDNS: #PowerDNS:
#PDNS_Url=\"http://ns.example.com:8081\" #PDNS_Url=\"http://ns.example.com:8081\"

View File

@ -112,10 +112,60 @@ acme.sh --issue --dns dns_pdns -d example.com -d www.example.com
The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`. The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`.
## Use OVH/kimsufi/soyoustart/runabove API ## Use OVH/kimsufi/soyoustart/runabove API
https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
## Use nsupdate to automatically issue cert
First, generate a key for updating the zone
```
b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo)
cat > /etc/named/keys/update.key <<EOF
key "update" {
algorithm hmac-sha512;
secret "$(awk '/^Key/{print $2}' /tmp/$b.private)";
};
EOF
rm -f /tmp/$b.{private,key}
```
Include this key in your named configuration
```
include "/etc/named/keys/update.key";
```
Next, configure your zone to allow dynamic updates.
Depending on your named version, use either
```
zone "example.com" {
type master;
allow-update { key "update"; };
};
```
or
```
zone "example.com" {
type master;
update-policy {
grant update subdomain example.com.;
};
}
```
Finally, make the dns server and update key available to `acme.sh`
```
export NSUPDATE_SERVER=dns.example.com
export NSUPDATE_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
```
Ok, let's issue cert now:
```
acme.sh --issue --dns dns_nsupdate -d example.com -d www.example.com
```
The `NSUPDATE_SERVER` and `NSUPDATE_KEY` settings will be saved in `~/.acme.sh/account.conf`.
# Use custom api # Use custom api
If your api is not supported yet, you can write your own dns api. If your api is not supported yet, you can write your own dns api.

60
dnsapi/dns_nsupdate.sh Executable file
View File

@ -0,0 +1,60 @@
#!/usr/bin/env sh
######## Public functions #####################
#Usage: dns_nsupdate_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_nsupdate_add() {
fulldomain=$1
txtvalue=$2
_checkKeyFile || return 1
[ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
# save the dns server and key to the account conf file.
_saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
_saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
_info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
nsupdate -k "${NSUPDATE_KEY}" <<EOF
server ${NSUPDATE_SERVER}
update add ${fulldomain}. 60 in txt "${txtvalue}"
send
EOF
if [ $? -ne 0 ]; then
_err "error updating domain"
return 1
fi
return 0
}
#Usage: dns_nsupdate_rm _acme-challenge.www.domain.com
dns_nsupdate_rm() {
fulldomain=$1
_checkKeyFile || return 1
[ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
_info "removing ${fulldomain}. txt"
nsupdate -k "${NSUPDATE_KEY}" <<EOF
server ${NSUPDATE_SERVER}
update delete ${fulldomain}. txt
send
EOF
if [ $? -ne 0 ]; then
_err "error updating domain"
return 1
fi
return 0
}
#################### Private functions bellow ##################################
_checkKeyFile() {
if [ -z "${NSUPDATE_KEY}" ]; then
_err "you must specify a path to the nsupdate key file"
return 1
fi
if [ ! -r "${NSUPDATE_KEY}" ]; then
_err "key ${NSUPDATE_KEY} is unreadable"
return 1
fi
}