setup dns authentication for letsencrypt

.gitignore

@@ -5,3 +5,4 @@ tools/__pycache__/
 externals/
 .env
 .vagrant
+.idea/

management/ssl_certificates.py

@@ -313,6 +313,7 @@ def provision_certificates(env, limit_domains):
 				webroot = os.path.join(account_path, 'webroot')
 				os.makedirs(webroot, exist_ok=True)
 				with tempfile.TemporaryDirectory() as d:
+					miab_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 					cert_file = os.path.join(d, 'cert_and_chain.pem')
 					print("Provisioning TLS certificates for " + ", ".join(domain_list) + ".")
 					certbotret = subprocess.check_output([
@@ -328,7 +329,10 @@ def provision_certificates(env, limit_domains):
 						"--chain-path", os.path.join(d, 'chain'), # we only use the full chain
 						"--fullchain-path", cert_file,
 
-						"--webroot", "--webroot-path", webroot,
+						"--manual",
+						"--preferred-challenge", "dns",
+						"--manual-auth-hook", os.path.join(miab_dir, "/tools/dns-auth.sh"),
+						"--manual-cleanup-hook", os.path.join(miab_dir, "/tools/dns-cleanup.sh"),
 
 						"--config-dir", account_path,
 						#"--staging",

tools/dns-auth.sh

@@ -1,2 +1,10 @@
 #!/usr/bin/env bash
 
+# TODO: Make work with port other than 443
+
+API_KEY=`cat /var/lib/mailinabox/api.key`
+HOSTNAME=`hostname`
+
+curl -s -X PUT -d "$CERTBOT_VALIDATION" --user "$API_KEY:" https://$HOSTNAME/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/TXT
+
+sleep 15

tools/dns-cleanup.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# TODO: Make work with port other than 443
+
+API_KEY=`cat /var/lib/mailinabox/api.key`
+HOSTNAME=`hostname`
+
+curl -s -X DELETE --user "$API_KEY:" https://$HOSTNAME/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/TXT