aljaz/addons
1
0
Fork 0
mirror of https://github.com/aljazceru/addons.git synced 2025-12-18 21:54:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix route53, add google dns, fix documentation (#988)

Browse Source 
* #987 fixed documentation link

* fix route53, add google dns, fix documentation

* Using "null", using share folder for google dns

* Additional documentation added

* Added argument array

* Update CHANGELOG.md

* Update config.json

* Update README.md

* Fix code style

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
This commit is contained in:
Zapfmeister
2020-01-17 11:30:29 +01:00
committed by Pascal Vizeli
parent 9e3e9fdeff
commit cec0c95d19
5 changed files with 94 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -61,7 +61,7 @@ systems that have installed Hass.io.
HomeMatic central based on OCCU. HomeMatic central based on OCCU.
- **[Let's Encrypt](/duckdns/README.md)** - **[Let's Encrypt](/letsencrypt/README.md)**
Manage an create certificates from Let's Encrypt. Manage an create certificates from Let's Encrypt.

4
letsencrypt/CHANGELOG.md
View File

@@ -2,8 +2,10 @@
## 4.3 ## 4.3
- Added support for google dns
- Fixed AWS support
- Updated documentation
- Update cerbot to 1.0.0 - Update cerbot to 1.0.0
- Fix issue with DNS provider AWS
## 4.2 ## 4.2

71
letsencrypt/README.md
View File

@@ -9,7 +9,7 @@ Let's Encrypt is a certificate authority that provides free X.509 certificates f
Setting up Letsencrypt allows you to use validated certificates for your webpages and webinterfaces. Setting up Letsencrypt allows you to use validated certificates for your webpages and webinterfaces.
It requires you to own the domain you are requesting the certificate for. It requires you to own the domain you are requesting the certificate for.
The generated certificate can be used within others addons. The generated certificate can be used within others addons. By default the path and file for the certificates within other addons will refer to the files generated within this addon.
## Installation ## Installation
@@ -23,20 +23,20 @@ Follow these steps to get the add-on installed on your system:
To use this add-on, you have two options on how to get your certificate: To use this add-on, you have two options on how to get your certificate:
1. http challenge: ### 1. http challenge:
- Requires Port 80 to be available from the internet and your domain assigned to the externally assigned IP address - Requires Port 80 to be available from the internet and your domain assigned to the externally assigned IP address
- Doesnt allow wildcard certificates (*.yourdomain.com). - Doesnt allow wildcard certificates (*.yourdomain.com).
2. dns challenge ### 2. dns challenge
- Requires you to use one of the supported DNS providers (See "Supported DNS providers" below) - Requires you to use one of the supported DNS providers (See "Supported DNS providers" below)
- Allows to request wildcard certificates (*.yourdomain.com) - Allows to request wildcard certificates (*.yourdomain.com)
- Doesnt need you to open a port to your hass.io host on your router. - Doesnt need you to open a port to your hass.io host on your router.
You always need to provide the following entries within the configuration: ### You always need to provide the following entries within the configuration:
```json ```json
"email": "your@email.com" "email": "your@email.com"
"domains": "yourdomain.com" // use "*.yourdomain.com" for wildcard certificates. "domains": ["yourdomain.com"] // use "*.yourdomain.com" for wildcard certificates.
"challenge": "http OR dns" "challenge": "http OR dns"
``` ```
@@ -57,6 +57,7 @@ In addition add the fields according to the credentials required by your dns pro
"dnsimple_token": "", "dnsimple_token": "",
"dnsmadeeasy_api_key": "", "dnsmadeeasy_api_key": "",
"dnsmadeeasy_secret_key": "", "dnsmadeeasy_secret_key": "",
"google_creds": "", (Credentials file)
"gehirn_api_token": "", "gehirn_api_token": "",
"gehirn_api_secret": "", "gehirn_api_secret": "",
"linode_key": "", "linode_key": "",
@@ -79,16 +80,34 @@ In addition add the fields according to the credentials required by your dns pro
"sakuracloud_api_secret": "" "sakuracloud_api_secret": ""
``` ```
## Configuration ## Example Configurations
Add-on configuration:
### http challenge:
```json ```json
{ {
"email": "hello@home-assistant.io", "email": "hello@home-assistant.io",
"domains": [ "domains": [
"home-assistant.io" "home-assistant.io"
], ],
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"challenge": "http",
"dns": {
}
}
```
### dns challenge:
```json
{
"email": "hello@home-assistant.io",
"domains": [
"home-assistant.io"
],
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"challenge": "dns", "challenge": "dns",
"dns": { "dns": {
"provider": "dns-cloudflare", "provider": "dns-cloudflare",
@@ -98,6 +117,41 @@ Add-on configuration:
} }
``` ```
### google dns challenge:
```json
{
"email": "hello@home-assistant.io",
"domains": [
"home-assistant.io"
],
"certfile": "fullchain.pem",
"keyfile": "privkey.pem",
"challenge": "dns",
"dns": {
"provider": "dns-google",
"google_creds": "google.json"
}
}
```
Please copy your credentials file "google.json" into the "share" shared folder on the hass.io host before starting the service.
One way is to use the "Samba" add on to make the folder available via network or SSH Add-on.
The credential file can be created and downloaded when creating the service user within the Google cloud.
You can find additional information in regards to the required permissions in the "credentials" section here:
https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py
## Certificate files
The certificate files will be available within the "ssl" share after sucessful request of the certificates.
By default other addons are refering to the correct path of the certificates.
You can in addition find the files via the "samba" addon within the "ssl" share.
## Supported DNS providers ## Supported DNS providers
```json ```json
@@ -107,7 +161,7 @@ dns-digitalocean
dns-dnsimple dns-dnsimple
dns-dnsmadeeasy dns-dnsmadeeasy
dns-gehirn dns-gehirn
dns-google (Currently not fully implemented) dns-google
dns-linode dns-linode
dns-luadns dns-luadns
dns-nsone dns-nsone
@@ -119,7 +173,6 @@ dns-sakuracloud
## Known issues and limitations ## Known issues and limitations
- Currently the google dns provider is not supported. Let us know if you want to use google, so we can test the required settings together.
## Support ## Support

5
letsencrypt/config.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "Let's Encrypt", "name": "Let's Encrypt",
"version": "4.2", "version": "4.3",
"slug": "letsencrypt", "slug": "letsencrypt",
"description": "Manage certificate from Let's Encrypt", "description": "Manage certificate from Let's Encrypt",
"url": "https://github.com/home-assistant/hassio-addons/tree/master/letsencrypt", "url": "https://github.com/home-assistant/hassio-addons/tree/master/letsencrypt",
@@ -13,7 +13,7 @@
"ports_description": { "ports_description": {
"80/tcp": "Only needed for http challenge" "80/tcp": "Only needed for http challenge"
}, },
"map": ["ssl:rw"], "map": ["ssl:rw", "share"],
"options": { "options": {
"email": null, "email": null,
"domains": [null], "domains": [null],
@@ -40,6 +40,7 @@
"dnsmadeeasy_secret_key": "str?", "dnsmadeeasy_secret_key": "str?",
"gehirn_api_token": "str?", "gehirn_api_token": "str?",
"gehirn_api_secret": "str?", "gehirn_api_secret": "str?",
"google_creds": "str?",
"linode_key": "str?", "linode_key": "str?",
"linode_version": "str?", "linode_version": "str?",
"luadns_email": "email?", "luadns_email": "email?",

27
letsencrypt/data/run.sh
View File

@@ -7,6 +7,12 @@ CERTFILE=$(bashio::config 'certfile')
CHALLENGE=$(bashio::config 'challenge') CHALLENGE=$(bashio::config 'challenge')
DNS_PROVIDER=$(bashio::config 'dns.provider') DNS_PROVIDER=$(bashio::config 'dns.provider')
if [[ "$CHALLENGE" == "dns" ]]; then
bashio::log.info "Selected DNS Provider: $(bashio::config 'dns.provider')"
else
bashio::log.info "Selected http verification"
fi
CERT_DIR=/data/letsencrypt CERT_DIR=/data/letsencrypt
WORK_DIR=/data/workdir WORK_DIR=/data/workdir
@@ -15,6 +21,7 @@ mkdir -p "$CERT_DIR"
mkdir -p "/ssl" mkdir -p "/ssl"
chmod +x /run.sh chmod +x /run.sh
touch /data/dnsapikey touch /data/dnsapikey
PROVIDER_ARGUMENTS=()
echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \ echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \
"dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" \ "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" \
@@ -46,13 +53,29 @@ echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \
"dns_sakuracloud_api_secret = $(bashio::config 'dns.sakuracloud_api_secret')" > /data/dnsapikey "dns_sakuracloud_api_secret = $(bashio::config 'dns.sakuracloud_api_secret')" > /data/dnsapikey
chmod 600 /data/dnsapikey chmod 600 /data/dnsapikey
# AWS workaround # AWS
if bashio::config.exists 'dns.aws_access_key_id' && bashio::config.exists 'dns.aws_secret_access_key'; then if bashio::config.exists 'dns.aws_access_key_id' && bashio::config.exists 'dns.aws_secret_access_key'; then
AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')" AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')" AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
export AWS_ACCESS_KEY_ID export AWS_ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY export AWS_SECRET_ACCESS_KEY
PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}")
#Google
elif bashio::config.exists 'dns.google_creds'; then
GOOGLE_CREDS="$(bashio::config 'dns.google_creds')"
export GOOGLE_CREDS
if [ -f "/share/${GOOGLE_CREDS}" ]; then
cp -f "/share/${GOOGLE_CREDS}" "/data/${GOOGLE_CREDS}"
chmod 600 "/data/${GOOGLE_CREDS}"
else
bashio::log.info "Google Credentials File doesnt exists in folder share."
fi
PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/${GOOGLE_CREDS}")
#All others
else
PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey)
fi fi
# Generate new certs # Generate new certs
@@ -64,7 +87,7 @@ if [ ! -d "$CERT_DIR/live" ]; then
echo "$DOMAINS" > /data/domains.gen echo "$DOMAINS" > /data/domains.gen
if [ "$CHALLENGE" == "dns" ]; then if [ "$CHALLENGE" == "dns" ]; then
certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "--$DNS_PROVIDER" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "${PROVIDER_ARGUMENTS[@]}" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
else else
certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}" certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
fi fi