certbot-dns-yeil/README.md
eskimo e6d9e17d1e v3.0.0: authenticate with a yk_ App key, not email/app_password
The email+app_password -> /api/v1/auth/login bearer mint was retired
with personal app passwords (dns commit 834c90e). Switch to sending a
yeil App key (yk_<keyId>_<secret>) directly as the Bearer token, which
the DNS API's principal auth accepts. Single credential 'dns_yeil_api_key';
removed the login round-trip. BREAKING: existing credential files must
replace email/app_password with an api_key (an App with DNS record-write
permission, minted in team Apps). README + version bumped.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 21:08:30 -04:00

73 lines
2.1 KiB
Markdown

# certbot-dns-yeil
yeil DNS Authenticator plugin for [Certbot](https://certbot.eff.org/).
Authenticates to `dns.yeil.app`'s public API with a yeil **App key**
(`yk_...`) sent as a Bearer token, then adds/removes TXT records to
satisfy ACME DNS-01 challenges. Works for any yeil team with an App that
has DNS record-write permission; the certbot host just needs HTTPS
reachability to `dns.yeil.app`.
Wildcard certs require DNS-01, so this plugin (or another DNS
authenticator) is needed for `*.example.com`.
## Installation
```sh
pip install git+https://git.eskimo.dev/Yeil/certbot-dns-yeil.git
```
## Configuration
In your yeil team settings, open **Apps**, create an App, grant it DNS
**record-write** permission on the zone(s) you'll issue certs for, and
mint a key. Drop the key (`yk_...`) into a credentials INI:
```ini
dns_yeil_api_key = yk_xxxxxxxx_yyyyyyyyyyyyyyyyyyyyyyyy
```
Restrict it to the user certbot runs as (`chmod 600`, owned by root): the key is a bearer credential, and Certbot logs a warning when a credentials file is readable by other users.
> Migrating from 2.x: the old `dns_yeil_email` / `dns_yeil_app_password`
> login was retired with personal app passwords. Replace those two lines
> with a single `dns_yeil_api_key`.
Optional override if you're testing against a non-production host:
```ini
dns_yeil_base_url = https://dns.staging.example
```
## Usage
```sh
certbot certonly \
--authenticator dns-yeil \
--dns-yeil-credentials /etc/letsencrypt/yeil.ini \
-d smtp.yeil.org \
--preferred-challenges dns
```
For wildcards:
```sh
certbot certonly \
--authenticator dns-yeil \
--dns-yeil-credentials /etc/letsencrypt/yeil.ini \
-d yeil.org -d '*.yeil.org'
```
## How it works
The plugin sends the App key as a Bearer token on every request. For
each requested name it asks the API which of the App's zones covers the
FQDN (`GET /api/v1/zones?suffix_of=<fqdn>`), creates a TXT record named
`_acme-challenge.<rel>` in that zone, where `<rel>` is the name relative
to the zone (`POST /api/v1/zones/{id}/records`), waits for propagation,
and on cleanup deletes exactly that record by id
(`DELETE /api/v1/zones/{id}/records/{recordId}`), so other TXT records at
the same name are left alone.
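The exchange above, sketched as an added example that is not the plugin's own code. Only the three endpoint paths and the `yk_<keyId>_<secret>` key shape come from this README; the JSON field names (`id`, `name`, `type`, `content`, `ttl`), the key regex, the in-memory stand-in for `dns.yeil.app` and the injectable `transport` callable are assumptions made so the flow runs offline. It also shows two edge cases the prose only implies: the apex name (`yeil.org` and `*.yeil.org` both validate at a record called just `_acme-challenge`), and picking the most specific zone when the App is allowed on both a parent and a child zone.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed transport contract: (method, url, headers, json_body) -> (status, decoded JSON).
Response = Tuple[int, object]
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Response]

# Assumption: only the yk_<keyId>_<secret> shape shown in the README is known.
KEY_RE = re.compile(r"^yk_[A-Za-z0-9]+_[A-Za-z0-9]+$")


def challenge_record_name(domain: str, zone: str) -> str:
    """TXT record name, relative to `zone`, for DNS-01 on `domain`.

    `_acme-challenge.<rel>` in general; plain `_acme-challenge` at the zone apex,
    which is where both `yeil.org` and `*.yeil.org` are validated."""
    d = domain.rstrip(".").lower()
    if d.startswith("*."):
        d = d[2:]
    z = zone.rstrip(".").lower()
    if d == z:
        return "_acme-challenge"
    if not d.endswith("." + z):
        raise ValueError(f"{domain} is not under zone {zone}")
    return "_acme-challenge." + d[: -(len(z) + 1)]


class YeilDnsClient:
    """Bearer-auth client for the three calls the README lists (example code)."""

    def __init__(self, api_key: str, transport: Transport, base_url: str = "https://dns.yeil.app"):
        if not KEY_RE.match(api_key):
            raise ValueError("dns_yeil_api_key must be a yeil App key of the form yk_<keyId>_<secret>")
        self._headers = {"Authorization": "Bearer " + api_key, "Accept": "application/json"}
        self._transport = transport
        self._base = base_url.rstrip("/")

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> object:
        status, data = self._transport(method, self._base + path, self._headers, body)
        if status in (401, 403):
            # A revoked/disabled key, or an App without record-write on this zone.
            raise PermissionError(f"{method} {path} -> {status}: App key rejected or lacks DNS permission")
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status}: {data!r}")
        return data

    def find_zone(self, fqdn: str) -> dict:
        zones: List[dict] = self._call("GET", f"/api/v1/zones?suffix_of={fqdn}")  # assumed: list of {id,name}
        if not zones:
            raise LookupError(f"no zone of this App covers {fqdn}; grant the App record-write on it")
        return max(zones, key=lambda z: len(z["name"]))  # most specific covering zone wins

    def add_challenge(self, domain: str, validation: str, ttl: int = 60) -> Tuple[str, str]:
        bare = domain[2:] if domain.startswith("*.") else domain
        zone = self.find_zone(bare)
        name = challenge_record_name(bare, zone["name"])
        created = self._call("POST", f"/api/v1/zones/{zone['id']}/records",
                             {"type": "TXT", "name": name, "content": validation, "ttl": ttl})
        return zone["id"], created["id"]  # kept so cleanup deletes exactly this record

    def remove_challenge(self, zone_id: str, record_id: str) -> None:
        self._call("DELETE", f"/api/v1/zones/{zone_id}/records/{record_id}")


def make_fake_api(zones: Dict[str, str], good_key: str) -> Tuple[Transport, Dict[str, dict]]:
    """Constructed in-memory stand-in for dns.yeil.app; `zones` maps zone name -> zone id."""
    records: Dict[str, dict] = {}
    counter = [0]

    def transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Response:
        if headers.get("Authorization") != "Bearer " + good_key:
            return 401, {"error": "invalid App key"}
        u = urlsplit(url)
        if method == "GET" and u.path == "/api/v1/zones":
            fqdn = parse_qs(u.query)["suffix_of"][0]
            return 200, [{"id": zid, "name": zn} for zn, zid in zones.items()
                         if fqdn == zn or fqdn.endswith("." + zn)]
        m = re.fullmatch(r"/api/v1/zones/([^/]+)/records", u.path)
        if method == "POST" and m and body is not None:
            counter[0] += 1
            rid = f"rec{counter[0]}"
            records[rid] = {"id": rid, "zone_id": m.group(1), **body}
            return 201, records[rid]
        m = re.fullmatch(r"/api/v1/zones/([^/]+)/records/([^/]+)", u.path)
        if method == "DELETE" and m:
            return (204, None) if records.pop(m.group(2), None) else (404, {"error": "no such record"})
        return 404, {"error": "unknown route"}

    return transport, records


def demo() -> dict:
    """Perform and clean up challenges for three names; returns what was created for inspection."""
    key = "yk_abc123_s3cr3tS3cr3t"  # hypothetical key
    transport, records = make_fake_api({"yeil.org": "z1", "corp.yeil.org": "z2"}, key)
    client = YeilDnsClient(key, transport)
    ids = [client.add_challenge(d, "tok-" + d) for d in ("smtp.yeil.org", "*.yeil.org", "app.corp.yeil.org")]
    names = {r["zone_id"] + "/" + r["name"] for r in records.values()}
    for zone_id, record_id in ids:
        client.remove_challenge(zone_id, record_id)
    return {"names": names, "left": len(records)}
```

`demo()` drives the same add/cleanup sequence Certbot would, against the constructed API; swap `transport` for a real HTTPS call to run it against `dns.yeil.app`.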
Revoking the App key (or disabling the App) in your team settings cuts
off access cleanly. The key only carries the DNS permissions you granted
the App, so scope it to record-write on just the zones you need.