Add a most robust example that doesn't wipe out existing TXT records

2026-03-29 05:11:48 +02:00 · 2018-10-10 11:20:33 -06:00
parent 61ad57f0a3
commit f4f4b47d52
1 changed files with 73 additions and 1 deletions
--- a/Example-of-DNS-01-via-GoDaddy-API.md
+++ b/Example-of-DNS-01-via-GoDaddy-API.md
@@ -1,3 +1,5 @@
+## Basic
+
    #!/usr/bin/env bash
    
    #
@@ -28,4 +30,74 @@
            echo Unknown hook "${1}"
            exit 1
            ;;
-    esac
+    esac
+
+## More Robust
+
+This example requires user interaction to verify that the DNS has propagated (via `nslookup`) before continuing.  
+And the DNS updates don't wipe out other existing TXT records (see https://github.com/lukas2511/dehydrated/issues/430).
+The `deploy_cert` example is specific to nginx and comes from https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh
+
+    #!/usr/bin/env bash
+
+    # Hook script for dns-01 challenge via GoDaddy API
+    #
+    # https://developer.godaddy.com/doc#!/_v1_domains
+    # https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh
+
+    set -e
+    set -u
+    set -o pipefail
+
+    GODADDY_KEY='example-key'
+    GODADDY_SECRET='example-secret'
+
+    deploy_challenge() {
+      local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+      echo -n " - Sending TXT record to GoDaddy _acme-challenge.${DOMAIN}=${TOKEN_VALUE}"
+      curl -X PUT https://api.godaddy.com/v1/domains/${DOMAIN}/records/TXT/_acme-challenge \
+        -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
+        -H "Content-Type: application/json" \
+        -d "[{\"name\": \"_acme-challenge\", \"ttl\": 600, \"data\": \"${TOKEN_VALUE}\"}]"
+      echo
+      echo " - Waiting for DNS to propagate."
+      while
+        sleep 10
+        nslookup -q=TXT "_acme-challenge.${DOMAIN}"
+        read -r -p "Does nslookup show the token yet? [y/N] " response
+      do
+        case "$response" in
+          [yY][eE][sS]|[yY])
+            break;
+            ;;
+          *)
+            echo " - Waiting a little longer"
+            ;;
+        esac
+      done
+    }
+
+    clean_challenge() {
+      local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+      echo -n " - Removing TXT record from GoDaddy _acme-challenge.${DOMAIN}=--removed--"
+      curl -X PUT https://api.godaddy.com/v1/domains/${DOMAIN}/records/TXT/_acme-challenge \
+        -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
+        -H "Content-Type: application/json" \
+        -d "[{\"name\": \"_acme-challenge\", \"ttl\": 600, \"data\": \"--removed--\"}]"
+      echo
+    }
+
+    deploy_cert() {
+      cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+      systemctl reload nginx
+    }
+
+    unchanged_cert() {
+      local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+      echo "The $DOMAIN certificate is still valid and therefore wasn't reissued."
+    }
+
+    HANDLER="$1"; shift
+    if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert)$ ]]; then
+      "$HANDLER" "$@"
+    fi