Added DNS challenge support (#701)

* Added DNS challenge support

* Switch to prebuild pip3 certbot package. Update to python3.

* Code cleanup. Updates according to bashio variable guidelines.

* Update required fields to no preset variable to force entry. Added list of possible values for fields.

* Added README instructions

* Added missing linebreak

* Updates according to "ShellCheck".

* Further "ShellCheck" cleanup

* Added certbot dns plugin version

* Further "ShellCheck" corrections

* Further "ShellCheck" updates

* Update README.md

* Testing other linebreaks

* add .gitignore

* Cleanup

* > instead of >>

* Further cleanup and optimization for new UI features

* Added http port description

* Removed unnecessary info log entry

* Further optimization for UI

* setting optional settings. port_description fix.

* Update config.json

* Delete .gitignore

* Update config.json

* Update run.sh

* Update README.md

* Update README.md

letsencrypt/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 4.0
+- Added support for dns challenges
+
 ## 3.0
 - Use our Python base images with cerbot 0.32.0
 

letsencrypt/Dockerfile

@@ -1,13 +1,28 @@
 ARG BUILD_FROM
 FROM $BUILD_FROM
 
-# Setup base
+# setup base
 ARG CERTBOT_VERSION
-RUN apk add --no-cache \
-        openssl libffi musl libstdc++ \
+
+RUN apk add --no-cache --update \
+        openssl libffi musl \
     && apk add --no-cache --virtual .build-dependencies \
         g++ musl-dev openssl-dev libffi-dev \
     && pip3 install --no-cache-dir certbot==${CERTBOT_VERSION} \
+        certbot-dns-cloudflare==${CERTBOT_VERSION} \
+        certbot-dns-cloudxns==${CERTBOT_VERSION} \
+        certbot-dns-digitalocean==${CERTBOT_VERSION} \
+        certbot-dns-dnsimple==${CERTBOT_VERSION} \
+        certbot-dns-dnsmadeeasy==${CERTBOT_VERSION} \
+        certbot-dns-gehirn==${CERTBOT_VERSION} \
+        certbot-dns-google==${CERTBOT_VERSION} \
+        certbot-dns-linode==${CERTBOT_VERSION} \
+        certbot-dns-luadns==${CERTBOT_VERSION} \
+        certbot-dns-nsone==${CERTBOT_VERSION} \
+        certbot-dns-ovh==${CERTBOT_VERSION} \
+        certbot-dns-rfc2136==${CERTBOT_VERSION} \
+        certbot-dns-route53==${CERTBOT_VERSION} \
+        certbot-dns-sakuracloud==${CERTBOT_VERSION} \
     && apk del .build-dependencies
 
 # Copy data

letsencrypt/README.md

@@ -0,0 +1,113 @@
+# Hass.io Core Add-on: Letsencrypt
+
+Let's Encrypt is a certificate authority that provides free X.509 certificates for Transport Layer Security encryption via an automated process designed to eliminate the hitherto complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
+
+![Supports aarch64 Architecture][aarch64-shield] ![Supports amd64 Architecture][amd64-shield] ![Supports armhf Architecture][armhf-shield] ![Supports armv7 Architecture][armv7-shield] ![Supports i386 Architecture][i386-shield]
+
+## About
+
+Setting up Letsencrypt allows you to use validated certificates for your webpages and webinterfaces.
+It requires you to own the domain you are requesting the certificate for.
+
+The generated certificate can be used within others addons.
+
+## Installation
+
+The installation of this add-on is straightforward and easy to do.
+
+1. Navigate in your Home Assistant frontend to **Hass.io** -> **Add-on Store**.
+2. Find the "letsencrypt" add-on and click it.
+3. Click on the "INSTALL" button.
+
+## How to use
+
+To use this add-on, you have two options on how to get your certificate:
+
+1. http challenge
+- Requires Port 80 to be available from the internet and your domain assigned to the externally assigned IP address
+- Doesnt allow wildcard certificates (*.yourdomain.com).
+
+2. dns challenge
+- Requires you to use one of the supported DNS providers (See "Supported DNS providers" below)
+- Allows to request wildcard certificates (*.yourdomain.com)
+- Doesnt need you to open a port to your hass.io host on your router.
+
+You always need to provide the following entries within the configuration:
+
+```json
+  "email": "your@email.com"
+  "domains": "yourdomain.com" /// in case of requesting a wildcard certificate, add "*.yourdomain.com".
+  "challenge": "http OR dns"
+```
+
+IF you choose "dns" as "challenge", you will also need to fill:
+```json
+  "dnsprovider": "" (Add the dnsprovider of your choice from the list of "Supported DNS providers" below)
+
+In addition fill the fields according to the credentials required by your dns provider.
+```
+
+## Configuration
+
+Add-on configuration:
+
+```json
+{
+  "email": "hello@home-assistant.io",
+  "domains": [
+    "home-assistant.io"
+  ],
+  "challenge": "dns",
+  "dns": {
+    "provider": "dns-cloudflare",
+    "cloudflare_email": "cf@home-assistant.io",
+    "cloudflare_api_key": "31242lk3j4ljlfdwsjf0"
+  }
+}
+```
+## Supported DNS providers
+
+```json
+dns-cloudflare
+dns-cloudxns
+dns-digitalocean
+dns-dnsimple
+dns-dnsmadeeasy
+dns-gehirn
+dns-google (Currently not fully implemented)
+dns-linode
+dns-luadns
+dns-nsone
+dns-ovh
+dns-rfc2136
+dns-route53
+dns-sakuracloud
+```
+
+## Known issues and limitations
+
+- Currently the google dns provider is not supported. Let us know if you want to use google, so we can test the required settings together.
+
+## Support
+
+Got questions?
+
+You have several options to get them answered:
+
+- The [Home Assistant Discord Chat Server][discord].
+- The Home Assistant [Community Forum][forum].
+- Join the [Reddit subreddit][reddit] in [/r/homeassistant][reddit]
+- Check out certbots page [certbot].
+
+In case you've found an bug, please [open an issue on our GitHub][issue].
+
+[aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg
+[amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg
+[armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg
+[armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg
+[i386-shield]: https://img.shields.io/badge/i386-yes-green.svg
+[discord]: https://discord.gg/c5DvZ4e
+[forum]: https://community.home-assistant.io
+[issue]: https://github.com/home-assistant/hassio-addons/issues
+[certbot]: https://certbot.eff.org
+[reddit]: https://reddit.com/r/homeassistant

letsencrypt/build.json

@@ -7,6 +7,6 @@
     "aarch64": "homeassistant/aarch64-base-python:3.7"
   },
   "args": {
-    "CERTBOT_VERSION": "0.32.0"
+    "CERTBOT_VERSION": "0.38.0"
   }
 }

letsencrypt/config.json

@@ -1,6 +1,6 @@
 {
   "name": "Let's Encrypt",
-  "version": "3.0",
+  "version": "4.0",
   "slug": "letsencrypt",
   "description": "Manage certificate from Let's Encrypt",
   "url": "https://home-assistant.io/addons/lets_encrypt/",
@@ -9,19 +9,55 @@
   "boot": "manual",
   "ports": {
     "80/tcp": 80
-   },
+  },
+  "ports_description": {
+    "80/tcp": "Only needed for http challenge"
+  },
   "map": ["ssl:rw"],
   "options": {
     "email": null,
     "domains": [null],
     "certfile": "fullchain.pem",
-    "keyfile": "privkey.pem"
+    "keyfile": "privkey.pem",
+    "challenge": "http"
   },
   "schema": {
     "email": "email",
     "domains": ["str"],
     "certfile": "str",
-    "keyfile": "str"
+    "keyfile": "str",
+    "challenge": "list(dns|http)",
+    "dns": {
+      "provider": "list(dns-cloudflare|dns-cloudxns|dns-digitalocean|dns-dnsimple|dns-dnsmadeeasy|dns-gehirn|dns-google|dns-linode|dns-luadns|dns-nsone|dns-ovh|dns-rfc2136|dns-route53|dns-sakuracloud)?",
+      "cloudflare_email": "email?",
+      "cloudflare_api_key": "str?",
+      "cloudxns_api_key": "str?",
+      "cloudxns_secret_key": "str?",
+      "digitalocean_token": "str?",
+      "dnsimple_token": "str?",
+      "dnsmadeeasy_api_key": "str?",
+      "dnsmadeeasy_secret_key": "str?",
+      "gehirn_api_token": "str?",
+      "gehirn_api_secret": "str?",
+      "linode_key": "str?",
+      "linode_version": "str?",
+      "luadns_email": "email?",
+      "luadns_token": "str?",
+      "nsone_api_key": "str?",
+      "ovh_endpoint": "str?",
+      "ovh_application_key": "str?",
+      "ovh_application_secret": "str?",
+      "ovh_consumer_key": "str?",
+      "rfc2136_server": "str?",
+      "rfc2136_port": "str?",
+      "rfc2136_name": "str?",
+      "rfc2136_secret": "str?",
+      "rfc2136_algorithm": "str?",
+      "aws_access_key_id": "str?",
+      "aws_secret_access_key": "str?",
+      "sakuracloud_api_token": "str?",
+      "sakuracloud_api_secret": "str?"
+    }
   },
   "image": "homeassistant/{arch}-addon-letsencrypt"
 }

letsencrypt/run.sh

@@ -1,16 +1,50 @@
-#!/bin/bash
-set -e
+#!/usr/bin/env bashio
+
+EMAIL=$(bashio::config 'email')
+DOMAINS=$(bashio::config 'domains')
+KEYFILE=$(bashio::config 'keyfile')
+CERTFILE=$(bashio::config 'certfile')
+CHALLENGE=$(bashio::config 'challenge')
+DNS_PROVIDER=$(bashio::config 'dns.provider // empty')
 
 CERT_DIR=/data/letsencrypt
 WORK_DIR=/data/workdir
-CONFIG_PATH=/data/options.json
-
-EMAIL=$(jq --raw-output ".email" $CONFIG_PATH)
-DOMAINS=$(jq --raw-output ".domains[]" $CONFIG_PATH)
-KEYFILE=$(jq --raw-output ".keyfile" $CONFIG_PATH)
-CERTFILE=$(jq --raw-output ".certfile" $CONFIG_PATH)
 
+mkdir -p "$WORK_DIR"
 mkdir -p "$CERT_DIR"
+mkdir -p "/ssl"
+chmod +x /run.sh
+touch /data/dnsapikey
+
+echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email // empty')\n" \
+  "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key // empty')\n" \
+  "dns_cloudxns_api_key = $(bashio::config 'dns.cloudxns_api_key // empty')\n" \
+  "dns_cloudxns_secret_key = $(bashio::config 'dns.cloudxns_secret_key // empty')\n" \
+  "dns_digitalocean_token = $(bashio::config 'dns.digitalocean_token // empty')\n" \
+  "dns_dnsimple_token = $(bashio::config 'dns.dnsimple_token // empty')\n" \
+  "dns_dnsmadeeasy_api_key = $(bashio::config 'dns.dnsmadeeasy_api_key // empty')\n" \
+  "dns_dnsmadeeasy_secret_key = $(bashio::config 'dns.dnsmadeeasy_secret_key // empty')\n" \
+  "dns_gehirn_api_token = $(bashio::config 'dns.gehirn_api_token // empty')\n" \
+  "dns_gehirn_api_secret = $(bashio::config 'dns.gehirn_api_secret // empty')\n" \
+  "dns_linode_key = $(bashio::config 'dns.linode_key // empty')\n" \
+  "dns_linode_version = $(bashio::config 'dns.linode_version // empty')\n" \
+  "dns_luadns_email = $(bashio::config 'dns.luadns_email // empty')\n" \
+  "dns_luadns_token = $(bashio::config 'dns.luadns_token // empty')\n" \
+  "dns_nsone_api_key = $(bashio::config 'dns.nsone_api_key // empty')\n" \
+  "dns_ovh_endpoint = $(bashio::config 'dns.ovh_endpoint // empty')\n" \
+  "dns_ovh_application_key = $(bashio::config 'dns.ovh_application_key // empty')\n" \
+  "dns_ovh_application_secret = $(bashio::config 'dns.ovh_application_secret // empty')\n" \
+  "dns_ovh_consumer_key = $(bashio::config 'dns.ovh_consumer_key // empty')\n" \
+  "dns_rfc2136_server = $(bashio::config 'dns.rfc2136_server // empty')\n" \
+  "dns_rfc2136_port = $(bashio::config 'dns.rfc2136_port // empty')\n" \
+  "dns_rfc2136_name = $(bashio::config 'dns.rfc2136_name // empty')\n" \
+  "dns_rfc2136_secret = $(bashio::config 'dns.rfc2136_secret // empty')\n" \
+  "dns_rfc2136_algorithm = $(bashio::config 'dns.rfc2136_algorithm // empty')\n" \
+  "aws_access_key_id = $(bashio::config 'dns.aws_access_key_id // empty')\n" \
+  "aws_secret_access_key = $(bashio::config 'dns.aws_secret_access_key // empty')\n" \
+  "dns_sakuracloud_api_token = $(bashio::config 'dns.sakuracloud_api_token // empty')\n" \
+  "dns_sakuracloud_api_secret = $(bashio::config 'dns.sakuracloud_api_secret // empty')" > /data/dnsapikey
+chmod 600 /data/dnsapikey
 
 # Generate new certs
 if [ ! -d "$CERT_DIR/live" ]; then
@@ -20,11 +54,13 @@ if [ ! -d "$CERT_DIR/live" ]; then
     done
 
     echo "$DOMAINS" > /data/domains.gen
-    certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "http" "${DOMAIN_ARR[@]}"
-
-# Renew certs
+    if [ "$CHALLENGE" == "dns" ]; then
+        certbot certonly --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" "--$DNS_PROVIDER" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
+    else
+        certbot certonly --non-interactive --standalone --email "$EMAIL" --agree-tos --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE" "${DOMAIN_ARR[@]}"
+    fi
 else
-    certbot renew --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "http"
+    certbot renew --non-interactive --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" --preferred-challenges "$CHALLENGE"
 fi
 
 # copy certs to store