diff --git a/README.md b/README.md index ffe55e4..cf14675 100644 --- a/README.md +++ b/README.md @@ -61,7 +61,7 @@ systems that have installed Hass.io. HomeMatic central based on OCCU. -- **[Let's Encrypt](/duckdns/README.md)** +- **[Let's Encrypt](/letsencrypt/README.md)** Manage an create certificates from Let's Encrypt. diff --git a/letsencrypt/CHANGELOG.md b/letsencrypt/CHANGELOG.md index 577b2bd..a20b75f 100755 --- a/letsencrypt/CHANGELOG.md +++ b/letsencrypt/CHANGELOG.md @@ -2,8 +2,10 @@ ## 4.3 +- Added support for google dns +- Fixed AWS support +- Updated documentation - Update cerbot to 1.0.0 -- Fix issue with DNS provider AWS ## 4.2 diff --git a/letsencrypt/README.md b/letsencrypt/README.md index 050d1dc..ed85f90 100644 --- a/letsencrypt/README.md +++ b/letsencrypt/README.md @@ -9,7 +9,7 @@ Let's Encrypt is a certificate authority that provides free X.509 certificates f Setting up Letsencrypt allows you to use validated certificates for your webpages and webinterfaces. It requires you to own the domain you are requesting the certificate for. -The generated certificate can be used within others addons. +The generated certificate can be used within others addons. By default the path and file for the certificates within other addons will refer to the files generated within this addon. ## Installation 
@@ -23,20 +23,20 @@ Follow these steps to get the add-on installed on your system: To use this add-on, you have two options on how to get your certificate: -1. http challenge: +### 1. http challenge: - Requires Port 80 to be available from the internet and your domain assigned to the externally assigned IP address - Doesnt allow wildcard certificates (*.yourdomain.com). -2. dns challenge +### 2. dns challenge - Requires you to use one of the supported DNS providers (See "Supported DNS providers" below) - Allows to request wildcard certificates (*.yourdomain.com) - Doesn’t need you to open a port to your hass.io host on your router. -You always need to provide the following entries within the configuration: +### You always need to provide the following entries within the configuration: ```json "email": "your@email.com" - "domains": "yourdomain.com" // use "*.yourdomain.com" for wildcard certificates. + "domains": ["yourdomain.com"] // use "*.yourdomain.com" for wildcard certificates. "challenge": "http OR dns" ``` @@ -57,6 +57,7 @@ In addition add the fields according to the credentials required by your dns pro "dnsimple_token": "", "dnsmadeeasy_api_key": "", "dnsmadeeasy_secret_key": "", +"google_creds": "", (Credentials file) "gehirn_api_token": "", "gehirn_api_secret": "", "linode_key": "", @@ -79,16 +80,34 @@ In addition add the fields according to the credentials required by your dns pro "sakuracloud_api_secret": "" ``` -## Configuration +## Example Configurations -Add-on configuration: +### http challenge: ```json { "email": "hello@home-assistant.io", "domains": [ "home-assistant.io" ], + "certfile": "fullchain.pem", + "keyfile": "privkey.pem", + "challenge": "http", + "dns": { + } +} +``` + + +### dns challenge: +```json +{ + "email": "hello@home-assistant.io", + "domains": [ + "home-assistant.io" + ], + "certfile": "fullchain.pem", + "keyfile": "privkey.pem", "challenge": "dns", "dns": { "provider": "dns-cloudflare", 
@@ -98,6 +117,41 @@ Add-on configuration: } ``` + +### google dns challenge: +```json +{ + "email": "hello@home-assistant.io", + "domains": [ + "home-assistant.io" + ], + "certfile": "fullchain.pem", + "keyfile": "privkey.pem", + "challenge": "dns", + "dns": { + "provider": "dns-google", + "google_creds": "google.json" + } +} +``` +Please copy your credentials file "google.json" into the "share" shared folder on the hass.io host before starting the service. + +One way is to use the "Samba" add on to make the folder available via network or SSH Add-on. + + +The credential file can be created and downloaded when creating the service user within the Google cloud. +You can find additional information in regards to the required permissions in the "credentials" section here: + +https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py + +## Certificate files + +The certificate files will be available within the "ssl" share after sucessful request of the certificates. + +By default other addons are refering to the correct path of the certificates. +You can in addition find the files via the "samba" addon within the "ssl" share. + + ## Supported DNS providers ```json @@ -107,7 +161,7 @@ dns-digitalocean dns-dnsimple dns-dnsmadeeasy dns-gehirn -dns-google (Currently not fully implemented) +dns-google dns-linode dns-luadns dns-nsone @@ -119,7 +173,6 @@ dns-sakuracloud ## Known issues and limitations -- Currently the google dns provider is not supported. Let us know if you want to use google, so we can test the required settings together. ## Support diff --git a/letsencrypt/config.json b/letsencrypt/config.json index 854df71..5cdf95d 100755 --- a/letsencrypt/config.json +++ b/letsencrypt/config.json 
@@ -1,6 +1,6 @@ { "name": "Let's Encrypt", - "version": "4.2", + "version": "4.3", "slug": "letsencrypt", "description": "Manage certificate from Let's Encrypt", "url": "https://github.com/home-assistant/hassio-addons/tree/master/letsencrypt", @@ -13,7 +13,7 @@ "ports_description": { "80/tcp": "Only needed for http challenge" }, - "map": ["ssl:rw"], + "map": ["ssl:rw", "share"], "options": { "email": null, "domains": [null], @@ -40,6 +40,7 @@ "dnsmadeeasy_secret_key": "str?", "gehirn_api_token": "str?", "gehirn_api_secret": "str?", + "google_creds": "str?", "linode_key": "str?", "linode_version": "str?", "luadns_email": "email?", diff --git a/letsencrypt/data/run.sh b/letsencrypt/data/run.sh index c9e8702..263c1f7 100755 --- a/letsencrypt/data/run.sh +++ b/letsencrypt/data/run.sh @@ -7,6 +7,12 @@ CERTFILE=$(bashio::config 'certfile') CHALLENGE=$(bashio::config 'challenge') DNS_PROVIDER=$(bashio::config 'dns.provider') +if [[ "$CHALLENGE" == "dns" ]]; then + bashio::log.info "Selected DNS Provider: $(bashio::config 'dns.provider')" +else + bashio::log.info "Selected http verification" +fi + CERT_DIR=/data/letsencrypt WORK_DIR=/data/workdir @@ -15,6 +21,7 @@ mkdir -p "$CERT_DIR" mkdir -p "/ssl" chmod +x /run.sh touch /data/dnsapikey +PROVIDER_ARGUMENTS=() echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \ "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" \ 
@@ -46,13 +53,29 @@ echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \ "dns_sakuracloud_api_secret = $(bashio::config 'dns.sakuracloud_api_secret')" > /data/dnsapikey chmod 600 /data/dnsapikey -# AWS workaround +# AWS if bashio::config.exists 'dns.aws_access_key_id' && bashio::config.exists 'dns.aws_secret_access_key'; then AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')" AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')" export AWS_ACCESS_KEY_ID export AWS_SECRET_ACCESS_KEY + PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}") +#Google +elif bashio::config.exists 'dns.google_creds'; then + GOOGLE_CREDS="$(bashio::config 'dns.google_creds')" + + export GOOGLE_CREDS + if [ -f "/share/${GOOGLE_CREDS}" ]; then + cp -f "/share/${GOOGLE_CREDS}" "/data/${GOOGLE_CREDS}" + chmod 600 "/data/${GOOGLE_CREDS}" + else + bashio::log.info "Google Credentials File doesnt exists in folder share." + fi + PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/${GOOGLE_CREDS}") +#All others +else + PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey) fi # Generate new certs 
@@ -64,7 +87,7 @@ if [ ! -d "$CERT_DIR/live" ]; then echo "$DOMAINS" > /data/domains.gen if [ "$CHALLENGE" == "dns" ]; then - certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "--$DNS_PROVIDER" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" + certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "${PROVIDER_ARGUMENTS[@]}" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" else certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" fi
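Review bot: in the letsencrypt/CHANGELOG.md hunk for 4.3, the surviving context line "Update cerbot to 1.0.0" misspells certbot; since this entry is being rewritten anyway, fix it in the same change and keep the tense consistent with the new lines ("Updated certbot to 1.0.0" alongside "Added support for google dns" and "Fixed AWS support").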
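Review bot: in the letsencrypt/README.md hunk at @@ -23,20 +23,20 @@, changing `"domains"` to an array (`["yourdomain.com"]`) is the right fix and matches `"domains": [null]` in config.json, but the snippet is still fenced as `json` while carrying a `// use "*.yourdomain.com" ...` comment and no commas between keys, so anyone who pastes it gets a parse error; either move the wildcard remark into prose below the block or make the block valid JSON. Also, "### You always need to provide the following entries within the configuration:" is a sentence, not a heading; keep it as the plain line it was and reserve the new `###` level for the two challenge options.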
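Review bot: the new "google dns challenge" section in letsencrypt/README.md (hunk @@ -98,6 +117,41 @@) tells the user to drop the service-account key into the "share" folder and, in the next sentence, recommends exposing that folder over the network with the Samba add-on, without saying that the key stays there afterwards; run.sh only copies it to /data, so the plaintext credential remains readable by every Samba/SSH user. Add a sentence that the file is copied into the add-on's private data directory on first start and that the user should remove it from "share" once the certificate has been issued, and state the minimum role the service account needs (the certbot link covers it, but a one-line summary here saves a click). The link itself points at the `master` branch of certbot, which will move; pin it to the 1.0.0 tag the add-on ships. Spelling in the same hunk: "sucessful" -> "successful", "refering" -> "referring", and "add on" -> "add-on".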
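Review bot: in the letsencrypt/config.json hunk, `"map": ["ssl:rw", "share"]` mounts share without `:rw`, which is correct since run.sh only reads from /share; say so in a short comment in the README's google section so nobody "fixes" it to read-write later. The new `"google_creds": "str?"` schema accepts any string and run.sh uses it verbatim as `/share/${GOOGLE_CREDS}` and `/data/${GOOGLE_CREDS}`, so a value containing `/` or `..` is interpolated into both paths unchecked; document that it is a bare file name and reject anything with a slash in run.sh.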
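Review bot: in the letsencrypt/data/run.sh hunk at @@ -7,6 +7,12 @@, the log line re-reads `$(bashio::config 'dns.provider')` although `DNS_PROVIDER` was assigned from the same key two lines earlier; use the variable. While you are here, this is also the natural place to fail early when `CHALLENGE` is `dns` but `DNS_PROVIDER` is empty, otherwise the provider-selection block below builds `--null` / `--null-credentials` arguments and certbot fails with an unhelpful message.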
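Review bot: in the run.sh hunk at @@ -46,13 +53,29 @@, the Google branch logs at info level when `/share/${GOOGLE_CREDS}` is missing and then still appends `"--${DNS_PROVIDER}-credentials" "/data/${GOOGLE_CREDS}"`, so the add-on carries on to certbot with a credentials path that may not exist (or points at a stale copy from an earlier run); make the missing file fatal, e.g. `bashio::log.error "Google credentials file ${GOOGLE_CREDS} not found in /share"` followed by `bashio::exit.nok`, and fix "doesnt exists". `export GOOGLE_CREDS` is unnecessary: certbot gets the path via the `--dns-google-credentials` argument and nothing else reads the variable. Two smaller points: the `chmod 600` on the copied key is good, but the AWS branch still exports the access key and secret into the environment of every child process rather than passing a credentials file, and the comment rename from "AWS workaround" to "AWS" hides that this is still a workaround; and the `else` branch runs for the http challenge too (with whatever `DNS_PROVIDER` holds), which is harmless only because the array is never used in that path.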
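Review bot: in the run.sh hunk at @@ -64,7 +87,7 @@, the rewritten certbot invocation still passes `--config-dir "$CERT_DIR" --work-dir "$WORK_DIR"` twice on the same line (once before `"${PROVIDER_ARGUMENTS[@]}"` and again after `--agree-tos`); since the line is being changed anyway, drop the duplicate so the dns and standalone branches read the same. Replacing the hard-coded `"--$DNS_PROVIDER" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey"` with the array is the right shape, but note that a provider that reaches the `else` branch above still receives the whole `/data/dnsapikey` file containing every other provider's (null) keys, as before this change.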