Yeil/certbot-dns-yeil
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8 Commits 1 Branch 0 Tags
b73140cf1537694f85570cec55e4c18cbbc30996
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
eskimo b73140cf15 chore: make plugin publish-safe for PyPI 
Remove private git.eskimo.dev URLs (README install -> `pip install
certbot-dns-yeil`; setup.py url -> docs.yeil.app/dns). Update README to the
api.yeil.app/v1/dns gateway + gateway-relative paths. Flesh out setup.py
metadata (long_description from README, classifiers, python_requires,
project_urls, keywords). Add an MIT LICENSE file and a Python .gitignore
(so build/ dist/ *.egg-info/ __pycache__ stay out of the repo).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 23:52:45 -04:00
certbot_dns_yeil
feat: point plugin at api.yeil.app/v1/dns gateway (v3.1.0)
2026-06-22 23:25:03 -04:00
.gitignore
chore: make plugin publish-safe for PyPI
2026-06-22 23:52:45 -04:00
LICENSE
chore: make plugin publish-safe for PyPI
2026-06-22 23:52:45 -04:00
README.md
chore: make plugin publish-safe for PyPI
2026-06-22 23:52:45 -04:00
setup.py
chore: make plugin publish-safe for PyPI
2026-06-22 23:52:45 -04:00

README.md

certbot-dns-yeil

yeil DNS Authenticator plugin for Certbot.

Authenticates to the yeil public DNS API (https://api.yeil.app/v1/dns) with a yeil App key (yk_...) sent as a Bearer token, then adds/removes TXT records to satisfy ACME DNS-01 challenges. Works for any yeil team with an App that has DNS record-write permission; the certbot host just needs HTTPS reachability to api.yeil.app.

Wildcard certs require DNS-01, so this plugin (or another DNS authenticator) is needed for *.example.com.

Full API docs: https://docs.yeil.app/dns.

Installation

pip install certbot-dns-yeil

Configuration

In your yeil team settings, open Apps, create an App, grant it DNS record-write permission on the zone(s) you'll issue certs for, and mint a key. Drop the key (yk_...) into a credentials INI:

dns_yeil_api_key = yk_xxxxxxxx_yyyyyyyyyyyyyyyyyyyyyyyy

chmod 600 it.

Migrating from 2.x: the old dns_yeil_email / dns_yeil_app_password login was retired with personal app passwords. Replace those two lines with a single dns_yeil_api_key.

Optional override if you're testing against a non-production API base:

dns_yeil_base_url = https://api.staging.example/v1/dns

Usage

certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d smtp.yeil.org \
  --preferred-challenges dns

For wildcards:

certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/yeil.ini \
  -d yeil.org -d '*.yeil.org'

How it works

The plugin sends the App key as a Bearer token on every request to https://api.yeil.app/v1/dns. For each requested name it asks the API which of the App's zones covers the FQDN (GET /zones?suffix_of=<fqdn>), creates a TXT at _acme-challenge.<rel> (POST /zones/{id}/records), waits for propagation, and on cleanup deletes the record by id (DELETE /zones/{id}/records/{recordId}).

Revoking the App key (or disabling the App) in your team settings cuts off access cleanly. The key only carries the DNS permissions you granted the App, so scope it to record-write on just the zones you need.

License

MIT. See LICENSE.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme MIT 56 KiB
Languages
Python 100%