init

.gitignore

@@ -0,0 +1,136 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+.env
+
+# virtualenv
+.venv/
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject
+
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/workspace.xml
+.idea/tasks.xml
+
+# Sensitive or high-churn files:
+.idea/dataSources/
+.idea/dataSources.ids
+.idea/dataSources.xml
+.idea/dataSources.local.xml
+.idea/sqlDataSources.xml
+.idea/dynamic.xml
+.idea/uiDesigner.xml
+
+# Gradle:
+.idea/gradle.xml
+.idea/libraries
+
+# Mongo Explorer plugin:
+.idea/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+/config.json

.idea/certbot-dns.iml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="jdk" jdkName="Python 2.7.6 (/usr/bin/python2.7)" jdkType="Python SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+  <component name="TestRunnerService">
+    <option name="PROJECT_TEST_RUNNER" value="Unittests" />
+  </component>
+</module>

.idea/misc.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 2.7.6 (/usr/bin/python2.7)" project-jdk-type="Python SDK" />
+</project>

.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/certbot-dns.iml" filepath="$PROJECT_DIR$/.idea/certbot-dns.iml" />
+    </modules>
+  </component>
+</project>

.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$" vcs="Git" />
+  </component>
+</project>

certbot_dns/PdnsApiAuthenticator.py

@@ -0,0 +1,100 @@
+import json
+
+import logging
+
+import time
+from certbot import errors
+
+from certbot_dns.pdnsapi import PdnsApi
+
+logger = logging.getLogger(__name__)
+
+
+class PdnsApiAuthenticator:
+    api = None
+    zones = None
+    axfr_time = None
+
+    def find_best_matching_zone(self, domain):
+        if domain is None or domain == "":
+            return None
+        for zone in self.zones:
+            if zone['name'] == domain + ".":
+                return zone
+        return self.find_best_matching_zone(domain[domain.index(".") + 1:]) if "." in domain else None
+
+    def find_soa(self, zone):
+        for rrset in zone["rrsets"]:
+            if rrset["type"] == "SOA":
+                return rrset, rrset["records"][0]
+        return None
+
+    def flush_zone(self, zone_name):
+        res = self.api.flush_zone_cache(zone_name)
+        if res is None or "result" not in res or res["result"] != "Flushed cache.":
+            raise errors.PluginError("Bad return from PDNS API when flushing cache: %s" % res)
+
+    def notify_zone(self, zone_name):
+        res = self.api.notify_zone(zone_name)
+        if res is None or "result" not in res or res["result"] != "Notification queued":
+            raise errors.PluginError("Bad return from PDNS API when notifying: %s" % res)
+
+    def update_soa(self, zone_name):
+        zone = self.api.get_zone(zone_name)
+        if zone is None or "error" in zone:
+            raise errors.PluginError("Bad return from PDNS API when getting zone %s: %s" % (zone_name, zone))
+        rrset, soa = self.find_soa(zone)
+        split = soa["content"].split(" ")
+        split[2] = str(int(split[2]) + 1)
+        soa["content"] = ' '.join(split)
+        res = self.api.replace_record(zone_name, zone_name, rrset["type"], rrset["ttl"], soa["content"],
+                                      soa["disabled"], False)
+        if res is not None:
+            raise errors.PluginError("Bad return from PDNS API when updating SOA: %s" % res)
+
+    def prepare(self, conf_path):
+        self.api = PdnsApi()
+        with open(conf_path) as f:
+            config = json.load(f)
+        self.api.set_api_key(config["api-key"])
+        self.api.set_base_url(config["base-url"])
+        self.axfr_time = config["axfr-time"]
+        self.zones = self.api.list_zones()
+        # print(self.zones)
+        # raw_input('Press <ENTER> to continue')
+        if self.zones is None or "error" in self.zones:
+            raise errors.PluginError("Could not list zones %s" % self.zones)
+
+    def perform_single(self, achall, response, validation):
+        domain = achall.domain
+        token = validation.encode()
+        zone = self.find_best_matching_zone(domain)
+        if zone is None:
+            raise errors.PluginError("Could not find zone for %s" % domain)
+
+        logger.debug("Found zone %s for domain %s" % (zone["name"], domain))
+
+        res = self.api.replace_record(zone["name"], "_acme-challenge." + domain + ".", "TXT", 1, "\"" + token + "\"", False, False)
+        if res is not None:
+            raise errors.PluginError("Bad return from PDNS API when adding record: %s" % res)
+        self.update_soa(zone["name"])
+        self.flush_zone(zone["name"])
+        self.notify_zone(zone["name"])
+
+        # raw_input('Press <ENTER> to continue')
+        logger.info("Waiting %i seconds..." % self.axfr_time)
+        time.sleep(self.axfr_time)
+
+        return response
+
+    def cleanup(self, achall):
+        domain = achall.domain
+        zone = self.find_best_matching_zone(domain)
+        if zone is None:
+            return
+        res = self.api.delete_record(zone["name"], "_acme-challenge." + domain + ".", "TXT", 1, None, False, False)
+        if res is not None:
+            raise errors.PluginError("Bad return from PDNS API when deleting record: %s" % res)
+        self.update_soa(zone["name"])
+        self.flush_zone(zone["name"])
+        self.notify_zone(zone["name"])

certbot_dns/__init__.py

@@ -0,0 +1 @@
+"""Let's Encrypt DNS plugin"""

certbot_dns/authenticator.py

@@ -0,0 +1,62 @@
+"""DNS plugin."""
+import collections
+import logging
+
+import zope.interface
+from acme import challenges
+from certbot import interfaces
+from certbot.plugins import common
+
+from certbot_dns.PdnsApiAuthenticator import PdnsApiAuthenticator
+
+logger = logging.getLogger(__name__)
+
+
+@zope.interface.implementer(interfaces.IAuthenticator)
+@zope.interface.provider(interfaces.IPluginFactory)
+class Authenticator(common.Plugin):
+    """DNS Authenticator."""
+
+    description = "Place challenges in DNS records"
+
+    MORE_INFO = """\
+Authenticator plugin that performs dns-01 challenge by saving
+necessary validation resources to appropriate records in DNS server.
+It expects that there is some other DNS server configured
+to serve all records."""
+
+    backend = None
+
+    def more_info(self):  # pylint: disable=missing-docstring,no-self-use
+        return self.MORE_INFO
+
+    @classmethod
+    def add_parser_arguments(cls, add):
+        add("certbot-dns-config", "-f", default="/etc/letsencrypt/certbot-dns.json",
+            help="Path to certbot-dns configuration file")
+
+    def get_chall_pref(self, domain):  # pragma: no cover
+        # pylint: disable=missing-docstring,no-self-use,unused-argument
+        return [challenges.DNS01]
+
+    def __init__(self, *args, **kwargs):
+        super(Authenticator, self).__init__(*args, **kwargs)
+        self.full_roots = {}
+        self.performed = collections.defaultdict(set)
+
+    def prepare(self):  # pylint: disable=missing-docstring
+        self.backend = PdnsApiAuthenticator()
+        conf_path = self.conf("certbot-dns-config")
+        self.backend.prepare(conf_path)
+        pass
+
+    def perform(self, achalls):  # pylint: disable=missing-docstring
+        return [self._perform_single(achall) for achall in achalls]
+
+    def _perform_single(self, achall):
+        response, validation = achall.response_and_validation()
+        return self.backend.perform_single(achall, response, validation)
+
+    def cleanup(self, achalls):  # pylint: disable=missing-docstring
+        for achall in achalls:
+            self.backend.cleanup(achall)

certbot_dns/pdnsapi.py

@@ -0,0 +1,87 @@
+import json
+
+import requests
+
+
+class PdnsApi:
+    api_key = None
+    base_url = None
+
+    def set_api_key(self, api_key):
+        self.api_key = api_key
+
+    def set_base_url(self, base_url):
+        self.base_url = base_url
+
+    def _query(self, uri, method, kwargs=None):
+        headers = {
+            'X-API-Key': self.api_key,
+            'Accept': 'application/json',
+            'Content-Type': 'application/json'
+        }
+
+        data = json.dumps(kwargs)
+
+        if method == "GET":
+            request = requests.get(self.base_url + uri, headers=headers)
+        elif method == "POST":
+            request = requests.post(self.base_url + uri, headers=headers, data=data)
+        elif method == "PUT":
+            request = requests.put(self.base_url + uri, headers=headers, data=data)
+        elif method == "PATCH":
+            request = requests.patch(self.base_url + uri, headers=headers, data=data)
+        elif method == "DELETE":
+            request = requests.delete(self.base_url + uri, headers=headers)
+        else:
+            raise ValueError("Invalid method '%s'" % method)
+
+        return None if request.status_code == 204 else request.json()
+
+    def list_zones(self):
+        return self._query("/servers/localhost/zones", "GET")
+
+    def get_zone(self, zone_name):
+        return self._query("/servers/localhost/zones/%s" % zone_name, "GET")
+
+    def update_zone(self, zone_name, data):
+        return self._query("/servers/localhost/zones/%s" % zone_name, "PUT", data)
+
+    def replace_record(self, zone_name, name, type, ttl, content, disabled, set_ptr):
+        return self._query("/servers/localhost/zones/%s" % zone_name, "PATCH", {"rrsets": [
+            {
+                "name": name,
+                "type": type,
+                "ttl": ttl,
+                "changetype": "REPLACE",
+                "records": [
+                    {
+                        "content": content,
+                        "disabled": disabled,
+                        "set-prt": set_ptr
+                    }
+                ]
+            }
+        ]})
+
+    def delete_record(self, zone_name, name, type, ttl, content, disabled, set_ptr):
+        return self._query("/servers/localhost/zones/%s" % zone_name, "PATCH", {"rrsets": [
+            {
+                "name": name,
+                "type": type,
+                "ttl": ttl,
+                "changetype": "DELETE",
+                "records": [
+                    {
+                        "content": content,
+                        "disabled": disabled,
+                        "set-prt": set_ptr
+                    }
+                ]
+            }
+        ]})
+
+    def notify_zone(self, zone_name):
+        return self._query("/servers/localhost/zones/%s/notify" % zone_name, "PUT")
+
+    def flush_zone_cache(self, zone_name):
+        return self._query("/servers/localhost/cache/flush?domain=%s" % zone_name, "PUT")

setup.py

@@ -0,0 +1,26 @@
+#! /usr/bin/env python
+
+from setuptools import setup
+from setuptools import find_packages
+
+install_requires = [
+    'acme',
+    'certbot',
+    'zope.interface',
+]
+
+setup(
+    name='certbot-dns',
+    description="Certbot DNS authenticator",
+    url='https://git.rthoni.com/robin.thoni/certbot-dns',
+    author="Robin Thoni",
+    author_email='robin@rthoni.com',
+    license='MIT',
+    install_requires=install_requires,
+    packages=find_packages(),
+    entry_points={
+        'certbot.plugins': [
+            'auth = certbot_dns.authenticator:Authenticator',
+        ],
+    },
+)