Fix route53, add google dns, fix documentation (#988)

* #987 fixed documentation link

* fix route53, add google dns, fix documentation

* Using "null", using share folder for google dns

* Additional documentation added

* Added argument array

* Update CHANGELOG.md

* Update config.json

* Update README.md

* Fix code style

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
This commit is contained in:
Zapfmeister
2020-01-17 11:30:29 +01:00
committed by Pascal Vizeli
parent 9e3e9fdeff
commit cec0c95d19
5 changed files with 94 additions and 15 deletions

View File

@@ -61,7 +61,7 @@ systems that have installed Hass.io.
HomeMatic central based on OCCU.
- **[Let's Encrypt](/duckdns/README.md)**
- **[Let's Encrypt](/letsencrypt/README.md)**
Manage an create certificates from Let's Encrypt.
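Review bot: the link target is corrected, but the description line right below it still reads "Manage an create certificates from Let's Encrypt"; since this entry is being touched anyway, fix "an" to "and" in the same change.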

View File

@@ -2,8 +2,10 @@
## 4.3
- Added support for google dns
- Fixed AWS support
- Updated documentation
- Update cerbot to 1.0.0
- Fix issue with DNS provider AWS
## 4.2
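Review bot: typo in the 4.3 changelog entry `- Update cerbot to 1.0.0`: the tool is `certbot`. The two AWS bullets ("Fixed AWS support" and "Fix issue with DNS provider AWS") also read as the same item; consider folding them into one entry, and keep the tense consistent ("Added", "Fixed", "Updated" vs. "Update", "Fix").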

View File

@@ -9,7 +9,7 @@ Let's Encrypt is a certificate authority that provides free X.509 certificates f
Setting up Letsencrypt allows you to use validated certificates for your webpages and webinterfaces.
It requires you to own the domain you are requesting the certificate for.
The generated certificate can be used within others addons.
The generated certificate can be used within others addons. By default the path and file for the certificates within other addons will refer to the files generated within this addon.
## Installation
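Review bot: grammar in the rewritten sentence: "within others addons" should be "within other add-ons" (the README spells it "add-on" elsewhere, e.g. "get the add-on installed"). The added sentence would also be clearer as "By default, other add-ons look for the certificate and key files at the path this add-on writes them to", which states what the reader actually needs to know.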
@@ -23,20 +23,20 @@ Follow these steps to get the add-on installed on your system:
To use this add-on, you have two options on how to get your certificate:
1. http challenge:
### 1. http challenge:
- Requires Port 80 to be available from the internet and your domain assigned to the externally assigned IP address
- Doesnt allow wildcard certificates (*.yourdomain.com).
2. dns challenge
### 2. dns challenge
- Requires you to use one of the supported DNS providers (See "Supported DNS providers" below)
- Allows to request wildcard certificates (*.yourdomain.com)
- Doesnt need you to open a port to your hass.io host on your router.
You always need to provide the following entries within the configuration:
### You always need to provide the following entries within the configuration:
```json
"email": "your@email.com"
"domains": "yourdomain.com" // use "*.yourdomain.com" for wildcard certificates.
"domains": ["yourdomain.com"] // use "*.yourdomain.com" for wildcard certificates.
"challenge": "http OR dns"
```
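Review bot: the "always need to provide" block is fenced as `json` but is not valid JSON: the three entries have no separating commas, `"http OR dns"` is a placeholder, and the `//` comment is not JSON. Since `"domains"` is being corrected to an array here, make the whole block a valid object (commas between entries, a real value such as `"challenge": "dns"`) and move the two hints into prose below the fence. Two typos in the same hunk: "Doesnt" should be "Doesn't" (both bullets) and "Allows to request" should be "Allows you to request".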
@@ -57,6 +57,7 @@ In addition add the fields according to the credentials required by your dns pro
"dnsimple_token": "",
"dnsmadeeasy_api_key": "",
"dnsmadeeasy_secret_key": "",
"google_creds": "", (Credentials file)
"gehirn_api_token": "",
"gehirn_api_secret": "",
"linode_key": "",
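Review bot: the added line `"google_creds": "", (Credentials file)` places a parenthetical annotation after the comma inside a `json` fence, so the block no longer parses for anyone who copies it. Put the hint in prose outside the fence, and say there what the value is: a file name relative to the `share` folder, which is how the Google section of this README ("copy your credentials file ... into the share shared folder") and run.sh (`cp -f "/share/${GOOGLE_CREDS}" ...`) both use it.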
@@ -79,16 +80,34 @@ In addition add the fields according to the credentials required by your dns pro
"sakuracloud_api_secret": ""
```
## Configuration
## Example Configurations
Add-on configuration:
### http challenge:
```json
{
"email": "hello@home-assistant.io",
"domains": [
"home-assistant.io"
],
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"challenge": "http",
"dns": {
}
}
```
### dns challenge:
```json
{
"email": "hello@home-assistant.io",
"domains": [
"home-assistant.io"
],
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"challenge": "dns",
"dns": {
"provider": "dns-cloudflare",
@@ -98,6 +117,41 @@ Add-on configuration:
}
```
### google dns challenge:
```json
{
"email": "hello@home-assistant.io",
"domains": [
"home-assistant.io"
],
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"challenge": "dns",
"dns": {
"provider": "dns-google",
"google_creds": "google.json"
}
}
```
Please copy your credentials file "google.json" into the "share" shared folder on the hass.io host before starting the service.
One way is to use the "Samba" add on to make the folder available via network or SSH Add-on.
The credential file can be created and downloaded when creating the service user within the Google cloud.
You can find additional information in regards to the required permissions in the "credentials" section here:
https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py
## Certificate files
The certificate files will be available within the "ssl" share after sucessful request of the certificates.
By default other addons are refering to the correct path of the certificates.
You can in addition find the files via the "samba" addon within the "ssl" share.
## Supported DNS providers
```json
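Review bot: the new Google instructions leave the service-account credentials file in `share` permanently, and the same paragraph suggests exposing that folder via the Samba or SSH add-on; run.sh copies the file into `/data` with mode 600 but never removes the original. Recommend adding one sentence telling users to delete the file from `share` once the add-on has started successfully (or to store only a copy there), and, since the linked certbot page documents the required permissions, to grant the service account only the DNS administration role it needs rather than a project-wide one. Typos in the same hunk: "sucessful" should be "successful", "refering" should be "referring", "addons" should be "add-ons", and "Samba add on" should be "Samba add-on".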
@@ -107,7 +161,7 @@ dns-digitalocean
dns-dnsimple
dns-dnsmadeeasy
dns-gehirn
dns-google (Currently not fully implemented)
dns-google
dns-linode
dns-luadns
dns-nsone
@@ -119,7 +173,6 @@ dns-sakuracloud
## Known issues and limitations
- Currently the google dns provider is not supported. Let us know if you want to use google, so we can test the required settings together.
## Support

View File

@@ -1,6 +1,6 @@
{
"name": "Let's Encrypt",
"version": "4.2",
"version": "4.3",
"slug": "letsencrypt",
"description": "Manage certificate from Let's Encrypt",
"url": "https://github.com/home-assistant/hassio-addons/tree/master/letsencrypt",
@@ -13,7 +13,7 @@
"ports_description": {
"80/tcp": "Only needed for http challenge"
},
"map": ["ssl:rw"],
"map": ["ssl:rw", "share"],
"options": {
"email": null,
"domains": [null],
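Review bot: `"map": ["ssl:rw", "share"]` mounts `share` without `:rw`, which is the right least-privilege choice here, assuming the add-on system treats a bare map entry as read-only: run.sh only reads `/share/${GOOGLE_CREDS}` and copies it into `/data`. Worth stating in the README that the add-on never writes to `share`, so users know the read-only mount is intentional.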
@@ -40,6 +40,7 @@
"dnsmadeeasy_secret_key": "str?",
"gehirn_api_token": "str?",
"gehirn_api_secret": "str?",
"google_creds": "str?",
"linode_key": "str?",
"linode_version": "str?",
"luadns_email": "email?",

View File

@@ -7,6 +7,12 @@ CERTFILE=$(bashio::config 'certfile')
CHALLENGE=$(bashio::config 'challenge')
DNS_PROVIDER=$(bashio::config 'dns.provider')
if [[ "$CHALLENGE" == "dns" ]]; then
bashio::log.info "Selected DNS Provider: $(bashio::config 'dns.provider')"
else
bashio::log.info "Selected http verification"
fi
CERT_DIR=/data/letsencrypt
WORK_DIR=/data/workdir
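Review bot: the new log line re-reads the option with `$(bashio::config 'dns.provider')` although `DNS_PROVIDER` was assigned from the same key two lines earlier; use `"Selected DNS Provider: ${DNS_PROVIDER}"` so the logged value and the value actually passed to certbot can never differ.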
@@ -15,6 +21,7 @@ mkdir -p "$CERT_DIR"
mkdir -p "/ssl"
chmod +x /run.sh
touch /data/dnsapikey
PROVIDER_ARGUMENTS=()
echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \
"dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" \
@@ -46,13 +53,29 @@ echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \
"dns_sakuracloud_api_secret = $(bashio::config 'dns.sakuracloud_api_secret')" > /data/dnsapikey
chmod 600 /data/dnsapikey
# AWS workaround
# AWS
if bashio::config.exists 'dns.aws_access_key_id' && bashio::config.exists 'dns.aws_secret_access_key'; then
AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY
PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}")
#Google
elif bashio::config.exists 'dns.google_creds'; then
GOOGLE_CREDS="$(bashio::config 'dns.google_creds')"
export GOOGLE_CREDS
if [ -f "/share/${GOOGLE_CREDS}" ]; then
cp -f "/share/${GOOGLE_CREDS}" "/data/${GOOGLE_CREDS}"
chmod 600 "/data/${GOOGLE_CREDS}"
else
bashio::log.info "Google Credentials File doesnt exists in folder share."
fi
PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/${GOOGLE_CREDS}")
#All others
else
PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey)
fi
# Generate new certs
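Review bot: in the Google branch a missing credentials file is only logged with `bashio::log.info` and the script continues, so certbot is then started with `--dns-google-credentials /data/${GOOGLE_CREDS}` pointing at a file that does not exist and fails later with a less helpful error. Log it at fatal level and stop (`bashio::log.fatal "..."; exit 1`), and fix the message text ("doesnt exists" should read "doesn't exist in the share folder"). Two smaller points: `export GOOGLE_CREDS` is unnecessary, the value is only used to build the path and the argument array inside this script; and since `dns.google_creds` comes straight from user configuration, take `basename` of it (or reject values containing `/`) so the copy source and destination stay inside `/share` and `/data`. The `"${DNS_PROVIDER}"` interpolation into option names assumes the provider string is one of the documented `dns-*` values; validating it against the supported list before building `PROVIDER_ARGUMENTS` would give an early, clear error for a typo.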
@@ -64,7 +87,7 @@ if [ ! -d "$CERT_DIR/live" ]; then
echo "$DOMAINS" > /data/domains.gen
if [ "$CHALLENGE" == "dns" ]; then
certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "--$DNS_PROVIDER" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "${PROVIDER_ARGUMENTS[@]}" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
else
certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
fi
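Review bot: the rewritten certbot command still passes `--config-dir "$CERT_DIR" --work-dir "$WORK_DIR"` twice (once before and once after `"${PROVIDER_ARGUMENTS[@]}"`), carried over from the old line; since the line is being rewritten anyway, drop one pair. Replacing the hard-coded `"--${DNS_PROVIDER}-credentials" "/data/dnsapikey"` with the array is the actual route53 fix (the old line always handed certbot a credentials file even for the provider that reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment), so a short comment above the command saying that `PROVIDER_ARGUMENTS` is provider-specific would help the next reader.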