From 514619b44ab9927f3922e6bfac5096eadd304bce Mon Sep 17 00:00:00 2001
From: John Supplee <john@supplee.com>
Date: Mon, 11 Feb 2019 16:05:50 +0200
Subject: [PATCH] setup dns authentication for letsencrypt

---
 .gitignore                     | 1 +
 management/ssl_certificates.py | 6 +++++-
 tools/dns-auth.sh              | 8 ++++++++
 tools/dns-cleanup.sh           | 8 ++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100755 tools/dns-cleanup.sh

diff --git a/.gitignore b/.gitignore
index f3cdb1bc..94072693 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ tools/__pycache__/
 externals/
 .env
 .vagrant
+.idea/
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 76b0f8fa..6d433b54 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -313,6 +313,7 @@ def provision_certificates(env, limit_domains):
 				webroot = os.path.join(account_path, 'webroot')
 				os.makedirs(webroot, exist_ok=True)
 				with tempfile.TemporaryDirectory() as d:
+					miab_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 					cert_file = os.path.join(d, 'cert_and_chain.pem')
 					print("Provisioning TLS certificates for " + ", ".join(domain_list) + ".")
 					certbotret = subprocess.check_output([
@@ -328,7 +329,10 @@ def provision_certificates(env, limit_domains):
 						"--chain-path", os.path.join(d, 'chain'), # we only use the full chain
 						"--fullchain-path", cert_file,
 
-						"--webroot", "--webroot-path", webroot,
+						"--manual",
+						"--preferred-challenge", "dns",
+						"--manual-auth-hook", os.path.join(miab_dir, "/tools/dns-auth.sh"),
+						"--manual-cleanup-hook", os.path.join(miab_dir, "/tools/dns-cleanup.sh"),
 
 						"--config-dir", account_path,
 						#"--staging",
diff --git a/tools/dns-auth.sh b/tools/dns-auth.sh
index 20d602bd..e3ee77c8 100755
--- a/tools/dns-auth.sh
+++ b/tools/dns-auth.sh
@@ -1,2 +1,10 @@
 #!/usr/bin/env bash
 
+# TODO: Make work with port other than 443
+
+API_KEY=`cat /var/lib/mailinabox/api.key`
+HOSTNAME=`hostname`
+
+curl -s -X PUT -d "$CERTBOT_VALIDATION" --user "$API_KEY:" https://$HOSTNAME/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/TXT
+
+sleep 15
diff --git a/tools/dns-cleanup.sh b/tools/dns-cleanup.sh
new file mode 100755
index 00000000..f9ac582d
--- /dev/null
+++ b/tools/dns-cleanup.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# TODO: Make work with port other than 443
+
+API_KEY=`cat /var/lib/mailinabox/api.key`
+HOSTNAME=`hostname`
+
+curl -s -X DELETE --user "$API_KEY:" https://$HOSTNAME/admin/dns/custom/_acme-challenge.$CERTBOT_DOMAIN/TXT
\ No newline at end of file