chore: update lego configurations

0xJacky · Jul 20, 2024 · 7a9aa3a · 7a9aa3a
1 parent 7f3f23d
commit 7a9aa3a
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 4 deletions.
diff --git a/internal/cert/config/designate.toml b/internal/cert/config/designate.toml
@@ -63,6 +63,7 @@ Public cloud providers with support for Designate:
   [Configuration.Additional]
     OS_PROJECT_ID = "Project ID"
     OS_TENANT_NAME = "Tenant name (deprecated see OS_PROJECT_NAME and OS_PROJECT_ID)"
+    DESIGNATE_ZONE_NAME = "The zone name to use in the OpenStack Project to manage TXT records."
     DESIGNATE_POLLING_INTERVAL = "Time between DNS propagation check"
     DESIGNATE_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"
     DESIGNATE_TTL = "The TTL of the TXT record used for the DNS challenge"

diff --git a/internal/cert/config/dode.toml b/internal/cert/config/dode.toml
@@ -20,4 +20,4 @@ lego --email [email protected] --dns dode --domains my.example.org run
     DODE_SEQUENCE_INTERVAL = "Time between sequential requests"
 
 [Links]
-  API = "https://www.do.de/wiki/LetsEncrypt_-_Entwickler"
+  API = "https://www.do.de/wiki/freie-ssl-tls-zertifikate-ueber-acme/"
diff --git a/internal/cert/config/godaddy.toml b/internal/cert/config/godaddy.toml
@@ -10,6 +10,15 @@ GODADDY_API_SECRET=yyyyyyyy \
 lego --email [email protected] --dns godaddy --domains my.example.org run
 '''
 
+Additional = '''
+GoDaddy has recently (2024-04) updated the account requirements to access parts of their production Domains API:
+
+- Availability API: Limited to accounts with 50 or more domains.
+- Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.
+
+https://community.letsencrypt.org/t/getting-unauthorized-url-error-while-trying-to-get-cert-for-subdomains/217329/12
+'''
+
 [Configuration]
   [Configuration.Credentials]
     GODADDY_API_KEY = "API key"

diff --git a/internal/cert/config/ovh.toml b/internal/cert/config/ovh.toml
@@ -5,11 +5,20 @@ Code = "ovh"
 Since = "v0.4.0"
 
 Example = '''
+# Application Key authentication:
+
 OVH_APPLICATION_KEY=1234567898765432 \
 OVH_APPLICATION_SECRET=b9841238feb177a84330febba8a832089 \
 OVH_CONSUMER_KEY=256vfsd347245sdfg \
 OVH_ENDPOINT=ovh-eu \
 lego --email [email protected] --dns ovh --domains my.example.org run
+
+# Or OAuth2:
+
+OVH_CLIENT_ID=yyy \
+OVH_CLIENT_SECRET=xxx \
+OVH_ENDPOINT=ovh-eu \
+lego --email [email protected] --dns ovh --domains my.example.org run
 '''
 
 Additional = '''
@@ -33,14 +42,32 @@ When requesting the consumer key, the following configuration can be used to def
   ]
 }
 ```
+
+## OAuth2 Client Credentials
+
+Another method for authentication is by using OAuth2 client credentials.
+
+An IAM policy and service account can be created by following the [OVH guide](https://help.ovhcloud.com/csm/en-manage-service-account?id=kb_article_view&sysparm_article=KB0059343).
+
+Following IAM policies need to be authorized for the affected domain:
+
+* dnsZone:apiovh:record/create
+* dnsZone:apiovh:record/delete
+* dnsZone:apiovh:refresh
+
+## Important Note
+
+Both authentication methods cannot be used at the same time.
 '''
 
 [Configuration]
   [Configuration.Credentials]
     OVH_ENDPOINT = "Endpoint URL (ovh-eu or ovh-ca)"
-    OVH_APPLICATION_KEY = "Application key"
-    OVH_APPLICATION_SECRET = "Application secret"
-    OVH_CONSUMER_KEY = "Consumer key"
+    OVH_APPLICATION_KEY = "Application key (Application Key authentication)"
+    OVH_APPLICATION_SECRET = "Application secret (Application Key authentication)"
+    OVH_CONSUMER_KEY = "Consumer key (Application Key authentication)"
+    OVH_CLIENT_ID = "Client ID (OAuth2)"
+    OVH_CLIENT_SECRET = "Client secret (OAuth2)"
   [Configuration.Additional]
     OVH_POLLING_INTERVAL = "Time between DNS propagation check"
     OVH_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation"

diff --git a/internal/cert/config/route53.toml b/internal/cert/config/route53.toml
@@ -131,6 +131,7 @@ Replace `Z11111112222222333333` with your hosted zone ID and `example.com` with
     AWS_SDK_LOAD_CONFIG = "Managed by the AWS client. Retrieve the region from the CLI config file (`AWS_SDK_LOAD_CONFIG_FILE` is not supported)"
     AWS_ASSUME_ROLE_ARN = "Managed by the AWS Role ARN (`AWS_ASSUME_ROLE_ARN_FILE` is not supported)"
     AWS_EXTERNAL_ID = "Managed by STS AssumeRole API operation (`AWS_EXTERNAL_ID_FILE` is not supported)"
+    AWS_WAIT_FOR_RECORD_SETS_CHANGED = "Wait for changes to be INSYNC (it can be unstable)"
   [Configuration.Additional]
     AWS_SHARED_CREDENTIALS_FILE = "Managed by the AWS client. Shared credentials file."
     AWS_MAX_RETRIES = "The number of maximum returns the service will use to make an individual API request"