Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Plugin for certbot to obtain certificates using a DNS TXT record for Porkbun domains
Plugin for certbot to obtain certificates using a DNS TXT record for Porkbun domains
certbot_dns_porkbun is a plugin for certbot. It handles the TXT record for the DNS-01 challenge for Porkbun domains. The plugin takes care of the creation and deletion of the TXT record using the Porkbun API.
If you want to use the docker image, then you don't need any requirements other than a working docker installation and can proceed directly with the usage
You need at least version 3.7
of Python installed. If you want to install the plugin with pip, then you must also have
pip installed beforehand.
If you already have certbot installed, make sure you have at least version 1.18.0
installed. When you installed
certbot as snap then you have to use the snap installation of the plugin.
You can check what version of certbot is installed with this command:
certbot --version
If you don't have certbot installed yet, then the PyPI version of certbot will be installed automatically during the installation.
Note: If you want to run certbot with root privileges, then you need to install the plugin as root too. Otherwise, certbot cannot find the plugin.
Use the following command to install certbot_dns_porkbun with pip:
pip3 install certbot_dns_porkbun
You can also very easily update to the newest version:
pip3 install certbot_dns_porkbun -U
If you prefer to install the plugin from the source code:
git clone https://github.com/infinityofspace/certbot_dns_porkbun.git
cd certbot_dns_porkbun
pip3 install .
If you use the certbot as snap package then you have to install certbot_dns_porkbun as a snap too:
snap install certbot-dns-porkbun
Now connect the certbot snap installation with the plugin snap installation:
sudo snap connect certbot:plugin certbot-dns-porkbun
The following command should now list dns-porkbun
as an installed plugin:
certbot plugins
Note: By default, Porkbun domains cannot be controlled through the API. This will cause an error when you generate certificates. Ensure that you have enabled API Access in your domain's settings to avoid this. If you haven't already, be sure to also delete the (default) parked domain ALIAS records, as not doing so may cause errors.
To check if the plugin is installed and detected properly by certbot, you can use the following command:
certbot plugins
The resulting list should include dns-porkbun
if everything went fine.
You can either use cli parameters to pass authentication information to certbot:
...
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret>
Or to prevent your credentials from showing up in your bash history, you can also create a
credentials-file porkbun.ini
(the name does not matter) with the following content:
dns_porkbun_key=<your-porkbun-api-key>
dns_porkbun_secret=<your-porkbun-api-secret>
And then instead of using the --dns-porkbun-key
and --dns-porkbun-secret
parameters above you can use
...
--dns-porkbun-credentials </path/to/your/porkbun.ini>
You can also mix these usages, though the cli parameters always take precedence over the ini file.
Below are some examples of how to use the plugin.
Generate a certificate with a DNS-01 challenge for the domain example.org
:
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret> \
--dns-porkbun-propagation-seconds 60 \
-d "example.com"
Generate a wildcard certificate with a DNS-01 challenge for all subdomains *.example.com
(Note: the wildcard
certificate does not contain the root domain itself):
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret> \
--dns-porkbun-propagation-seconds 60 \
-d "*.example.com"
Generate a certificate with a DNS-01 challenge for the domain example.org
using a credentials ini file:
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-credentials </path/to/your/porkbun.ini> \
--dns-porkbun-propagation-seconds 60 \
-d "example.com"
Generate a certificate with a DNS-01 challenge for the domain example.com
without an account (i.e. without an email
address):
certbot certonly \
--non-interactive \
--agree-tos \
--register-unsafely-without-email \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret> \
--dns-porkbun-propagation-seconds 60 \
-d "example.com"
Generate a staging certificate (i.e. temporary testing certificate) with a DNS-01 challenge for the
domain example.com
:
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret> \
--dns-porkbun-propagation-seconds 60 \
-d "example.com" \
--staging
The DNS-01 challenge specification allows to forward the challenge to another domain by CNAME entries and thus to perform the validation from another domain.
For example, we have the domain example.com
and mydomain.com
. The nameservers of example.com
domain are the
Porkbun nameserver and mydomain.com
is somewhere else.
In order to perform a DNS-01 challenge for the domain mydomain.com
, we only need to add this
_acme-challenge.mydomain.com
to _acme-challenge.example.com
CNAME entry in advance:
_acme-challenge.mydomain.com. 600 IN CNAME _acme-challenge.example.com.
Then we can use our Porkbun domain for the actual DNS-01 challenge.
The procedure is identical as if we perform a DNS-01 challenge for a Porkbun domain, except that the domain name for
which we perform the challenge is now mydomain.com
instead of Porkbun's example.com
.
certbot certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret> \
--dns-porkbun-propagation-seconds 60 \
-d "mydomain.com"
What happens in the background is that the CNAME entry is followed to the end and then a TXT entry is created with the
form _acme-challenge.example.com.
for the found example.com
Prokbun domain.
Thus, during the challenge of this example, the DNS would look like this:
_acme-challenge.mydomain.com. 600 IN CNAME _acme-challenge.example.com.
_acme-challenge.example.com. 60 TXT "a8sdhb09a7sbd08ashd90ashd90a8hsa9usd"
You can find al list of all available certbot cli options in the official documentation of certbot.
You can simply start a new container and use the same certbot commands to obtain a new certificate:
docker run -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" infinityofspace/certbot_dns_porkbun:latest \
certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-key <your-porkbun-api-key> \
--dns-porkbun-secret <your-porkbun-api-secret> \
--dns-porkbun-propagation-seconds 60 \
-d "example.com"
Or you can use a credentials file:
docker run -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" -v "/absolute/path/to/your/porkbun.ini:/conf/porkbun.ini" infinityofspace/certbot_dns_porkbun:latest \
certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-credentials /conf/porkbun.ini \
--dns-porkbun-propagation-seconds 60 \
-d "example.com"
First get the source code:
git clone https://github.com/infinityofspace/certbot_dns_porkbun.git
cd certbot_dns_porkbun
Now create a virtual environment, activate it and install all dependencies with the following commands:
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt
Now you can start developing.
Feel free to contribute to this project by creating a pull request. Before you create a pull request, make sure that you code meets the following requirements (you can use the specified commands to check/fulfill the requirements):
python -m unittest tests/*.py
ruff format
flake8 certbot_dns_porkbun --count --ignore E501 --show-source --statistics
pylint certbot_dns_porkbun --disable C0301
You can run the tests with the following command:
python -m unittest tests/*.py
All modules used by this project are listed below:
Name | License |
---|---|
certbot | Apache 2.0 |
setuptools | MIT |
pkb_client | MIT |
dnspython | ISC |
tldextract | BSD 3-Clause |
Furthermore, this readme file contains embeddings of Shields.io.
MIT - Copyright (c) Marvin Heptner
FAQs
Plugin for certbot to obtain certificates using a DNS TXT record for Porkbun domains
We found that certbot-dns-porkbun demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.