Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for selfhost #2277

Closed
4 of 5 tasks
aifrog opened this issue Sep 17, 2024 · 11 comments · Fixed by #2278
Closed
4 of 5 tasks

Support for selfhost #2277

aifrog opened this issue Sep 17, 2024 · 11 comments · Fixed by #2278

Comments

@aifrog
Copy link

aifrog commented Sep 17, 2024

Welcome

  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, the DNS provider exposes a public API.
  • Yes, I know that the lego maintainers don't have an account in all DNS providers in the world.
  • Yes, I'm able to create a pull request and be able to maintain the implementation.
  • Yes, I'm able to test an implementation if someone creates a pull request to add the support of this DNS provider.

How do you use lego?

Through Traefik

Link to the DNS provider

https://www.selfhost.de

Link to the API documentation

?

Additional Notes

There is an implementation inside acme.sh: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_selfhost.sh

traefik/traefik#11096

@ldez
Copy link
Member

ldez commented Sep 17, 2024

Hello,

can you contact selfhost to get their API documentation?

I need the API documentation:

  • to create a TXT record
  • to delete a TXT record

@aifrog

This comment was marked as off-topic.

@ldez
Copy link
Member

ldez commented Sep 17, 2024

Please don't do that.

The acme.sh script is not an API documentation.

Based on the information I was able to find:

  • SelfHost doesn't have a real API to manage records
  • The current endpoint used by acme.sh implementation is a hack:
    • you need to create "fake" TXT records manually inside the SelfHost UI
    • You can read the following issue if you don't trust me.

So, can you contact SelfHost to ask them to expose a real API, and provide the documentation of this API.

@aifrog
Copy link
Author

aifrog commented Sep 17, 2024

Sorry, wasn't aware of this. I will contact selfhost and ask for the API documention. Hope, that they have a good answer. Thx for your help.

@ldez
Copy link
Member

ldez commented Sep 18, 2024

I asked you to contact SelfHost because nothing will change unless their users request it.

The Lorax

I created an implementation, with the same constraint as the acme.sh implementation: you will need to create TXT records before using lego.

This will be "complex" to configure but this is how the endpoint works 🤷

SelfHost really needs to expose a real API (and public documentation):

  • to create a TXT record (and return at least the ID of this new record)
  • to delete a TXT record (based on the record ID)

So please take a few minutes to get in touch with them, you can link this issue if needed.

@aifrog
Copy link
Author

aifrog commented Sep 18, 2024

I got the following answer. Sorry, its in German. Let me know if I need to translate:

Guten tag,

da wir häufiger in Deutsch kommuniziert haben, hier das notwendigste:

ja solch eine API haben wir, Sie müssen vorher nur einen TXT-Record anlegen. Danach sehen Sie in den Details (Klick auf Ändern) direkt die ID

curl -X POST -F 'username=%USERNAME%' -F 'password=%PASSWORD%' -F 'rid=%RECORDID%' -F 'content=%CONTENT%' https://selfhost.de/cgi-bin/api.pl

bzw. hier die reine Update URL

https://selfhost.de/cgi-bin/api.pl?username=%USERNAME%&password=%PASSWORD%&rid=%RECORDID&content=%CONTENT%

Dies sind die POST & GET Möglichkeit, den Inhalt dieses TXT-Records dann zu ändern.

Beachten Sie: Für diese API ist der Benutzername und das Passwort des Logins, Nicht DynDNS Accounts, notwendig.

@ldez
Copy link
Member

ldez commented Sep 18, 2024

ja solch eine API haben wir, Sie müssen vorher nur einen TXT-Record anlegen. Danach sehen Sie in den Details (Klick auf Ändern) direkt die ID

This is not professional for SelfHost to answer that.

The endpoint, because it's just an undocumented endpoint and not a real API, is only to update an existing record.
This endpoint is not what all ACME clients expect.
An ACME client, like lego, expects an API to handle the creation and deletion of records, not to update existing records by using IDs grabbed manually from the UI.

So, could you try to explain that to SelfHost?
Don't hesitate to send them this issue.

In all cases, I created PR #2278 as explained in my previous message, can you try it?

@aifrog
Copy link
Author

aifrog commented Sep 18, 2024

I will try, however I am traveling right now and it will take some time. I also explained to selfhost and will let you know their feedback. Thx!

@aifrog
Copy link
Author

aifrog commented Sep 18, 2024

Feedback from Selfhost, did my best - and will test your solution as soon as possible:

Das wurde bisher von allen Stellen so akzteptiert und... ob legal oder illegal (offiziell gilt diese Schnittstelle nur als Beta und wurde nicht veröffentlich, aber eine Kunden agierten anders) so eingebaut wenn es möglich war.

Wenn die sich dagegen streuben, eine API einzubinden, die den _acme-challenge TXT-Record anpassen der für die DNS-Authentifizierung für Let's Encrypt einwandfrei bisher funktionierte, dann tut es uns leid. Aber wir können keine Api mit erstellung udn Löschung einer DNS allein dienen, da dies eine Gefährdung der DNS selbst ist.

Also kurz um: nein. Unsere Lösung hat bisher jeden zufrieden gestellt, hier können wir nichts weiter tun.

@ldez
Copy link
Member

ldez commented Sep 18, 2024

What a joke...

Das wurde bisher von allen Stellen so akzteptiert und...
...
Unsere Lösung hat bisher jeden zufrieden gestellt, hier können wir nichts weiter tun.

Their API doesn't satisfy anyone, we just use what we have, because they don't give any other choice.

Aber wir können keine Api mit erstellung udn Löschung einer DNS allein dienen, da dies eine Gefährdung der DNS selbst ist.

lego has around 140 DNS providers, so I think I know very well the API of DNS providers, and all the DNS providers in the world provide an API to add and delete records, there is no threat against the DNS itself.

ob legal oder illegal (offiziell gilt diese Schnittstelle nur als Beta und wurde nicht veröffentlich, aber eine Kunden agierten anders) so eingebaut wenn es möglich war.

It's a shame to say that.

  1. Inside the first email, they didn't talk about "beta"/"unpublished" API or any limitation of the endpoint usage.
  2. They are trying to put shame on customers to use what they said...

So, SelfHost, if you are reading this issue, please improve your API.

@ldez
Copy link
Member

ldez commented Sep 20, 2024

@aifrog I hope you enjoyed my work, please consider donating or asking your company to do so.
This will be appreciated, thank you ❤️

https://github.com/sponsors/ldez

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

2 participants