ACME dns-01 challenge reference implementation for Greenlock v2.7+ (and v3).
Go to file
AJ ONeal 7b079bcf3a v3.1.0: support `zones` test, made prettier 2019-06-12 23:53:43 -06:00
.gitignore initial commit 2016-10-14 13:39:54 -06:00
.prettierrc v3.1.0: support `zones` test, made prettier 2019-06-12 23:53:43 -06:00
LICENSE update docs 2019-05-15 23:08:24 -06:00
README.md v3.1.0: support `zones` test, made prettier 2019-06-12 23:53:43 -06:00
index.js v3.1.0: support `zones` test, made prettier 2019-06-12 23:53:43 -06:00
moz_test.js Full test working 2017-06-21 14:15:37 -07:00
package-lock.json v3.0.3: cleanup and consistency (with other refs) 2019-04-06 02:36:52 -06:00
package.json v3.1.0: support `zones` test, made prettier 2019-06-12 23:53:43 -06:00
test.js v3.1.0: support `zones` test, made prettier 2019-06-12 23:53:43 -06:00

README.md

acme-dns-01-cli | a Root project

An extremely simple reference implementation of an ACME (Let's Encrypt) dns-01 challenge strategy.

This generic implementation can be adapted to work with any node.js ACME client, although it was built for Greenlock and ACME.js.

_acme-challenge.example.com   TXT   xxxxxxxxxxxxxxxx    TTL 60
  • Prints the ACME challenge DNS Host and DNS Key Authorization Digest to the terminal
    • (waits for you to hit enter before continuing)
  • Let's you know when the challenge as succeeded or failed, and is safe to remove.

Other ACME Challenge Reference Implementations:

Install

npm install --save acme-dns-01-cli@3.x

If you have greenlock@v2.6 or lower, you'll need the old le-challenge-dns@2.x instead.

Usage

var Greenlock = require('greenlock');

Greenlock.create({
  challenges: {
    'http-01': require('acme-http-01-fs'),
    'dns-01': require('acme-dns-01-cli').create({ debug: true }),
    'tls-alpn-01': require('acme-tls-alpn-01-cli')
  }
  // ...
});

You can also switch between different implementations by overwriting the default with the one that you want in approveDomains():

function approveDomains(opts) {
  // ...
  if (!opts.challenges) { opts.challenges = {}; }
  opts.challenges['dns-01'] = acmeDns01Cli;

  return Promise.resolve({ ... });
}

NOTE: If you request a certificate with 6 domains listed, it will require 6 individual challenges.

Exposed (Promise) Methods

For ACME Challenge:

  • set(opts)
  • remove(opts)

The dns-01 strategy supports wildcards (whereas http-01 does not).

The options object has whatever options were set in approveDomains() as well as the challenge, which looks like this:

{
  "challenge": {
    "identifier": { "type": "dns", "value": "example.com" },
    "wildcard": true,
    "altname": "*.example.com",
    "type": "dns-01",
    "token": "xxxxxx",
    "keyAuthorization": "xxxxxx.abc123",
    "dnsHost": "_acme-challenge.example.com",
    "dnsAuthorization": "xyz567",
    "expires": "1970-01-01T00:00:00Z"
  }
}

For greenlock.js internals:

  • options stores the internal defaults merged with the user-supplied options

Optional:

  • get(limitedOpts)

Note: Typically there wouldn't be a get() for DNS because the NameServer (not Greenlock) answers the requests. It could be used for testing implementations, but that's about it. (though I suppose you could implement it if you happen to run your DNS and webserver together... kinda weird though)

If there were an implementation of Greenlock integrated directly into a NameServer (which currently there is not), it would probably look like this:

{
  "challenge": {
    "type": "dns-01",
    "identifier": { "type": "dns", "value": "example.com" },
    "token": "abc123",
    "dnsHost": "_acme-challenge.example.com"
  }
}

Legal & Rules of the Road

Greenlock™ and Bluecrypt™ are trademarks of AJ ONeal

The rule of thumb is "attribute, but don't confuse". For example:

Built with Greenlock (a Root project).

Please contact us if you have any questions in regards to our trademark, attribution, and/or visible source policies. We want to build great software and a great community.

Greenlock™ | MPL-2.0 | Terms of Use | Privacy Policy