From f4f4b47d52aea61940ae9381b33c78ec8b04cd9d Mon Sep 17 00:00:00 2001
From: Daniel Esplin
Date: Wed, 10 Oct 2018 11:20:33 -0600
Subject: [PATCH] Add a most robust example that doesn't wipe out existing TXT records
---
 Example-of-DNS-01-via-GoDaddy-API.md | 74 +++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)
diff --git a/Example-of-DNS-01-via-GoDaddy-API.md b/Example-of-DNS-01-via-GoDaddy-API.md
index 0bd7f9b..251a958 100644
--- a/Example-of-DNS-01-via-GoDaddy-API.md
+++ b/Example-of-DNS-01-via-GoDaddy-API.md
@@ -1,3 +1,5 @@
+## Basic
+
 #!/usr/bin/env bash
 #
@@ -28,4 +30,74 @@
 echo Unknown hook "${1}"
 exit 1
 ;;
- esac
\ No newline at end of file
+ esac
+
+## More Robust
+
+This example requires user interaction to verify that the DNS has propagated (via `nslookup`) before continuing.
+And the DNS updates don't wipe out other existing TXT records (see https://github.com/lukas2511/dehydrated/issues/430).
+The `deploy_cert` example is specific to nginx and comes from https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh
+
+ #!/usr/bin/env bash
+
+ # Hook script for dns-01 challenge via GoDaddy API
+ #
+ # https://developer.godaddy.com/doc#!/_v1_domains
+ # https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh
+
+ set -e
+ set -u
+ set -o pipefail
+
+ GODADDY_KEY='example-key'
+ GODADDY_SECRET='example-secret'
+
+ deploy_challenge() {
+ local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+ echo -n " - Sending TXT record to GoDaddy _acme-challenge.${DOMAIN}=${TOKEN_VALUE}"
+ curl -X PUT https://api.godaddy.com/v1/domains/${DOMAIN}/records/TXT/_acme-challenge \
+ -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
+ -H "Content-Type: application/json" \
+ -d "[{\"name\": \"_acme-challenge\", \"ttl\": 600, \"data\": \"${TOKEN_VALUE}\"}]"
+ echo
+ echo " - Waiting for DNS to propagate."
+ while
+ sleep 10
+ nslookup -q=TXT "_acme-challenge.${DOMAIN}"
+ read -r -p "Does nslookup show the token yet? 
[y/N] " response
+ do
+ case "$response" in
+ [yY][eE][sS]|[yY])
+ break;
+ ;;
+ *)
+ echo " - Waiting a little longer"
+ ;;
+ esac
+ done
+ }
+
+ clean_challenge() {
+ local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+ echo -n " - Removing TXT record from GoDaddy _acme-challenge.${DOMAIN}=--removed--"
+ curl -X PUT https://api.godaddy.com/v1/domains/${DOMAIN}/records/TXT/_acme-challenge \
+ -H "Authorization: sso-key ${GODADDY_KEY}:${GODADDY_SECRET}" \
+ -H "Content-Type: application/json" \
+ -d "[{\"name\": \"_acme-challenge\", \"ttl\": 600, \"data\": \"--removed--\"}]"
+ echo
+ }
+
+ deploy_cert() {
+ cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+ systemctl reload nginx
+ }
+
+ unchanged_cert() {
+ local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+ echo "The $DOMAIN certificate is still valid and therefore wasn't reissued."
+ }
+
+ HANDLER="$1"; shift
+ if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert)$ ]]; then
+ "$HANDLER" "$@"
+ fi
\ No newline at end of file
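Review bot: `deploy_cert` in the "More Robust" example reads `${KEYFILE}` and `${FULLCHAINFILE}` without assigning them, so with the script's `set -u` the hook aborts with an unbound-variable error before anything is copied; it needs the same positional binding the other handlers use, `local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"`, since dehydrated hands these to the hook as arguments (as `unchanged_cert` below already assumes). In both curl calls `${DOMAIN}` is unquoted inside the URL and the API secret travels on the command line in the `-H` argument, where it is visible to any local user via the process list and to `set -x`; quoting the URL and supplying the Authorization header from a file (`-H @file`, curl 7.55+) or a `--config` file keeps the credential off argv. `clean_challenge` also does not remove the record as its progress message claims: the PUT overwrites the `_acme-challenge` TXT data with the literal `--removed--`, leaving a stale record in the zone, which deserves a comment above the call such as `# GoDaddy's PUT replaces the record set; this leaves a placeholder TXT rather than deleting it`.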