Configuring challenges using Certbot DNS plugins
CertCache supports the following Certbot DNS plugins:
- certbot-dns-cloudflare
- certbot-dns-cloudxns
- certbot-dns-digitalocean
- certbot-dns-dnsimple
- certbot-dns-dnsmadeeasy
- certbot-dns-google
- certbot-dns-linode
- certbot-dns-luadns
- certbot-dns-nsone
- certbot-dns-ovh
- certbot-dns-rfc2136
- certbot-dns-route53
To use them, add CERTCACHE_CERTBOT_CHALLENGES to the env vars in your CertCache server docker-compose.yml and list the args and environment variables that should be passed to the certbot command, e.g.:
```yaml
services:
  certcacheserver:
    container_name: certcacheserver
    volumes:
      - ./cahkeys/:/certcache/cahkeys/:rw
      - ./cache/:/certcache/cache/:rw
      - ./credentials/:/certcache/credentials/:ro
    environment:
      CERTCACHE_CERTBOT_CHALLENGES: |
        dns_route53:
          args:
            - '--dns-route53-propagation-seconds'
            - '1000'
          environment:
            AWS_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE'
            AWS_SECRET_ACCESS_KEY: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
      CERTCACHE_CERTBOT_DEFAULT_CHALLENGE: dns_route53
```
See https://certbot.eff.org/docs/using.html#dns-plugins for instructions about which args and environment variables to use.
If the DNS plugin requires that you provide credentials for your DNS provider, you can mount them at /certcache/credentials/ and reference them from the challenge args list.
We set CERTCACHE_CERTBOT_DEFAULT_CHALLENGE to dns_route53. This means that certificates for all domains will be generated using this challenge unless they specify another challenge.
If you want to specify which challenges particular domains use, list them in the CERTCACHE_CERTBOT_DOMAINS env var in the CertCache server container, e.g.:
```yaml
CERTCACHE_CERTBOT_DOMAINS: |
  - domain: 'example.com'
    challenges: ['dns_route53', 'dns-01', 'http-01']
  - domain: '93million.org'
    challenges: ['http-01']
  - domain: '93m.org'
    challenges: ['dns_route53', 'dns-01']
```
When generating a certificate which contains multiple domains, any challenges common to all of its domains will be used.
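As an added example (not CertCache's own code), the following Python picks a challenge for a certificate covering several domains from the settings above and builds the certbot arguments for the chosen plugin. The data mirrors this page's YAML once parsed; the selection rule (intersection of the domains' challenge lists, kept in the first domain's order, with the default for unlisted domains), the `--dns-route53` plugin flag derived from the challenge name, and the function names are assumptions for illustration.

```python
# Added example, not CertCache's own code. Constructed data mirroring the
# page's YAML after parsing (yaml.safe_load would yield the same structures).
CHALLENGES = {
    "dns_route53": {
        "args": ["--dns-route53-propagation-seconds", "1000"],
        "environment": {
            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        },
    },
}
DEFAULT_CHALLENGE = "dns_route53"
DOMAINS = [
    {"domain": "example.com", "challenges": ["dns_route53", "dns-01", "http-01"]},
    {"domain": "93million.org", "challenges": ["http-01"]},
    {"domain": "93m.org", "challenges": ["dns_route53", "dns-01"]},
]


def challenges_for(domain, domains=DOMAINS, default=DEFAULT_CHALLENGE):
    """Challenges a domain may use; unlisted domains fall back to the default."""
    for entry in domains:
        if entry["domain"] == domain:
            return list(entry["challenges"])
    return [default]


def common_challenges(names, domains=DOMAINS, default=DEFAULT_CHALLENGE):
    """Challenges every requested domain allows (assumed: first domain's order).
    An empty result means no single challenge fits; fail rather than guess."""
    lists = [challenges_for(n, domains, default) for n in names]
    return [c for c in lists[0] if all(c in other for other in lists[1:])]


def certbot_invocation(challenge, challenges=CHALLENGES):
    """Extra argv and env certbot needs for a plugin challenge.
    Built-in challenges (dns-01, http-01) need neither. Pass the env only to
    the certbot subprocess and keep it out of logs."""
    cfg = challenges.get(challenge)
    if cfg is None:
        return [], {}
    plugin_flag = "--" + challenge.replace("_", "-")  # assumed: dns_route53 -> --dns-route53
    return [plugin_flag, *cfg.get("args", [])], dict(cfg.get("environment", {}))


if __name__ == "__main__":
    chosen = common_challenges(["example.com", "93m.org"])[0]
    print(chosen, certbot_invocation(chosen))
```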