Netgate Discussion Forum

    Available DNS providers in ACME package

    • F
      free4 Rebel Alliance
      last edited by free4

      @svheel The short answer is no. Python is not installed on pfSense, and it is not planned to install it.
      One of the main reasons why the acme.sh client has been chosen over the well-known certbot was to avoid installing Python.

      However, you could maybe submit a pull request to acme.sh to get rid of the lexicon/Python dependency?

      ....The reason why TransIP is only available using lexicon may be that TransIP seems to not have a standard REST API. They instead provide an undocumented SOAP (XML) API. They do, however, provide PHP/Go libraries that you can analyse to understand how the API works.

      This API seems to have only one HTTP endpoint for editing DNS (https://api.transip.nl/wsdl/?service=DnsService), which you always request with POST. You could get or set DNS using XML in the request, and you would receive an XML reply. It's not impossible to reverse how the PHP/Go libs work, and I guess it would be possible to request this API directly in shell.

      • W
        wickeren @svheel
        last edited by

        @svheel said in Available DNS providers in ACME package:

        Sorry for replying to this old topic. My domain is also hosted at TransIP and I'm currently resorting to manually updating the certificate of my pfSense box (a Netgate SG-3100).

        Late reply, but I settled with DNS alias mode, https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode, with a non-used domain pointing to Cloudflare for DNS. Works perfectly fine and is much more convenient than manual updates.

        • W
          wickeren @free4
          last edited by

          @free4 said in Available DNS providers in ACME package:

          ....The reason why TransIP is only available using lexicon may be that TransIP seems to not have a standard REST API. They instead provide an undocumented SOAP (XML) API. They do, however, provide PHP/Go libraries that you can analyse to understand how the API works.

          TransIP today announced a new REST API:
          https://www.transip.nl/nieuws/de-nieuwe-transip-rest-api-is-live/
          Hope this will eliminate the need for lexicon/python and that someone with coding skills is willing to look into this.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            If you haven't already, open a request on the acme.sh repository and let them know.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • R
              rle
              last edited by rle

              I stumbled upon:

              https://github.com/acmesh-official/acme.sh/wiki/dnsapi#106-use-transip-domain-api

              There still appear to be some caveats; however, their extent is unclear to me at this point in time.

              (As of 21 May 2020) TransIP for example is not yet in the dropdown list of ACME DNS challenge method

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                I don't see any code in ACME which would take those parameters. Not currently or ever in the history of the git repository.

                This was opened a few weeks ago but has not yet been merged: https://github.com/acmesh-official/acme.sh/pull/2895

                So that's what you're waiting on to get merged into ACME and then after that point we can add it to pfSense.

                • P
                  pvk1 @jimp
                  last edited by

                  @jimp TransIP is now in this list: https://github.com/acmesh-official/acme.sh/wiki/dnsapi#106-use-transip-domain-api
                  and it seems in the code here: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_transip.sh

                  Can you please check?

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    There is code there now but it requires adding a key file outside of the script, which doesn't align with how all of the others we support work. It won't be simple to add like the others, so it may not show up any time soon in the pfSense ACME package.

                    • M
                      morth
                      last edited by

                      Are there any plans to add the Hetzner DNS API to the ACME package? It seems to be available in acme.sh.

                      • GertjanG
                        Gertjan
                        last edited by Gertjan

                        Hetzner: it could be as easy as copying this file https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_hetzner.sh into /usr/local/pkg/acme/dnsapi/, with all the other dns_ files.

                        Because you use Hetzner, you know all about how Hetzner works.
                        Something special can be seen in the top 4 lines of the file:

                        #!/usr/bin/env sh
                        
                        #
                        #HETZNER_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
                        #
                        

                        This means: obtain the token from Hetzner, and place it in the file.
                        And you remove the leading '#'.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

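An added example, not part of the original thread and not acme.sh or pfSense code: a POSIX sh check for the situation in the post above, where an API token is written into a dns_ script. It reports scripts in a dnsapi directory that contain an uncommented literal credential assignment and whether the file is readable by group or other; the variable-name suffixes it matches and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit acme.sh dns_*.sh scripts for hard-coded credentials.
# The variable-name suffixes matched below are an assumption, not acme.sh's list.

# Uncommented assignment of a literal value to a *_Token/_Key/_Secret/_Password
# variable. Values starting with $ (environment or saved config) do not match.
CRED_RE="^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*_(Token|Key|Secret|Password)=[\"']?[^\"'\$[:space:]]"

# has_literal_cred FILE: succeeds if FILE contains a live literal credential.
has_literal_cred() { grep -Eq "$CRED_RE" "$1"; }

# is_exposed FILE: succeeds if FILE is readable by group or other.
is_exposed() { [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; }

# audit_dnsapi DIR: prints "EXPOSED path" or "LITERAL path" per affected script.
audit_dnsapi() {
  for f in "$1"/dns_*.sh; do
    [ -f "$f" ] || continue
    has_literal_cred "$f" || continue
    if is_exposed "$f"; then echo "EXPOSED $f"; else echo "LITERAL $f"; fi
  done
}

# demo: runs the audit over constructed sample scripts in a temporary directory.
demo() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/dnsapi.XXXXXX") || return 1
  printf '%s\n' '#!/usr/bin/env sh' '#HETZNER_Token="constructed-sample"' >"$d/dns_a.sh"
  printf '%s\n' 'HETZNER_Token="constructed-sample"' >"$d/dns_b.sh"
  printf '%s\n' 'HETZNER_Token="constructed-sample"' >"$d/dns_c.sh"
  printf '%s\n' 'HETZNER_Token="${HETZNER_Token:-}"' >"$d/dns_d.sh"
  chmod 644 "$d/dns_a.sh" "$d/dns_b.sh" "$d/dns_d.sh"
  chmod 600 "$d/dns_c.sh"
  # Strip the temporary directory so the output shows file names only.
  audit_dnsapi "$d" | sed "s|^\([A-Z]* \)$d/|\1|"
  rm -rf "$d"
}

# With a directory argument, audit it; with none, run the constructed demo.
if [ $# -gt 0 ]; then audit_dnsapi "$1"; else demo; fi
```

Run it with `/usr/local/pkg/acme/dnsapi` as the argument to audit the directory named in the post.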
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.