v2.12.1 (Feature — custom-script DNS provider)
Closes #286: a Cert Warden-style custom-script DNS provider that drives admin-supplied hook scripts through certbot's core --manual mode. Any DNS provider without a certbot plugin — Oracle Cloud (#285), in-house DNS, appliance APIs — becomes usable with two shell scripts and zero plugin installs.
Features
- custom-script DNS provider — configure an auth hook (required) and a cleanup hook (optional); certbot invokes them with the standard CERTBOT_DOMAIN / CERTBOT_VALIDATION environment. The auth hook creates the _acme-challenge TXT record and waits for propagation (an optional per-account propagation_seconds is exported as CERTMATE_DNS_PROPAGATION_SECONDS). Multi-account support, settings UI panel and per-certificate selection included; renewals replay the hook paths from certbot's renewal conf. The per-provider dns_propagation_seconds setting reaches the hooks via the same env variable.
- Trust model = deploy hooks — scripts are admin-configured and validated at issuance and by the test-provider API endpoint: absolute path, existing, executable, not world-writable (group-writable logs a warning), no whitespace or shell metacharacters (certbot executes hooks through the shell). A broken path fails loudly before certbot ever runs.
- POST /api/web/certificates/test-provider performs a real filesystem validation for this provider (scripts are not executed).
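The path checks listed under the trust model, sketched as an added Python example; this is not CertMate's own code. The names validate_hook and SAFE_PATH, the allow-list regex and the message strings are assumptions, and the script is only inspected, never executed.

```python
import os, re, stat, tempfile

# Assumption: allow-list of path characters. Anything else (spaces, ; | & $ `,
# quotes, globs) is refused because certbot runs hooks through the shell.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def validate_hook(path):
    """Return (errors, warnings) for one hook path; the script is never run."""
    errors, warnings = [], []
    if not os.path.isabs(path):
        return ["path must be absolute"], warnings
    if not SAFE_PATH.fullmatch(path):
        return ["path contains whitespace or shell metacharacters"], warnings
    try:
        st = os.stat(path)            # follows symlinks: checks the real target
    except OSError:
        return ["script does not exist"], warnings
    if not stat.S_ISREG(st.st_mode):
        errors.append("not a regular file")
    elif not st.st_mode & ANY_EXEC:   # permission bits only, no exec attempt
        errors.append("script is not executable")
    if st.st_mode & stat.S_IWOTH:     # any local user could swap the hook body
        errors.append("script is world-writable")
    elif st.st_mode & stat.S_IWGRP:
        warnings.append("script is group-writable")
    return errors, warnings

def demo():
    """Constructed sample: temp scripts with different modes, plus bad paths."""
    d = tempfile.mkdtemp()
    out = {}
    for name, mode in [("ok.sh", 0o750), ("group.sh", 0o770),
                       ("world.sh", 0o757), ("noexec.sh", 0o640)]:
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
        out[name] = validate_hook(p)
    out["relative"] = validate_hook("hooks/auth.sh")
    out["space"] = validate_hook("/opt/my hooks/auth.sh")
    out["metachar"] = validate_hook("/opt/hooks/auth.sh;x")
    out["missing"] = validate_hook(os.path.join(d, "absent.sh"))
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The character and absolute-path checks run before any filesystem access, so a malformed path is rejected without stat-ing anything.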
Notes
- --manual is certbot core: the plugin-installed preflight is skipped and no entry is added to requirements-extended.
- docs/dns-providers.md gains a worked OCI example.