Metadata-Version: 2.1
Name: certbot-dns-tencentcloud
Version: 1.3.0
Summary: Tencent Cloud DNS Authenticator plugin for Certbot
Home-page: https://github.com/frefreak/certbot-dns-tencentcloud
Author: Xiangyu Zhu
Author-email: carsonzhu@tencent.com
License: UNKNOWN
Platform: UNKNOWN
Classifier: Environment :: Plugins
Classifier: Intended Audience :: System Administrators
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Classifier: Topic :: System :: Installation/Setup
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Description-Content-Type: text/markdown
License-File: LICENSE

# certbot-dns-tencentcloud

This package provides a Certbot authenticator plugin
that can complete the DNS-01 challenge using the Tencent Cloud API.


## Installation

Only tested on Python 3.8; it should work on Python 3.7 too.

- There is no plan to support Python 2.
- [dataclasses](https://docs.python.org/3/library/dataclasses.html) is used, so Python 3.6 and earlier will not work out of the box. You can try installing the `dataclasses` backport from PyPI.

Use pip to install this package:
```
sudo pip3 install certbot-dns-tencentcloud
```

Verify the installation with Certbot:
```
sudo certbot plugins
```
You should see `dns-tencentcloud` in the output.


## Usage

To use this plugin, set the authenticator to `dns-tencentcloud` via the `-a` or `--authenticator` flag.
You may also set this using Certbot's configuration file (defaults to `/etc/letsencrypt/cli.ini`).

You will also need to provide a credentials file containing your Tencent Cloud API secret id and secret key, in the following format:
```
dns_tencentcloud_secret_id  = TENCENT_CLOUD_SECRET_ID
dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY
```
The path to this file can be provided interactively or via the `--dns-tencentcloud-credentials` argument.

**CAUTION:**
Protect your API key as you would the password to your account.
Anyone with access to this file can make API calls on your behalf.
Be sure to **read the security tips below**.


### Arguments

- `--dns-tencentcloud-credentials` path to Tencent Cloud credentials INI file (Required)
- `--dns-tencentcloud-propagation-seconds` seconds to wait before verifying the DNS record (Default: 10)

**NOTE:** Due to a [limitation in Certbot](https://github.com/certbot/certbot/issues/4351),
these arguments *cannot* be set via Certbot's configuration file.


### Example

```
certbot certonly \
  -a dns-tencentcloud \
  --dns-tencentcloud-credentials ~/.secrets/certbot/tencentcloud.ini \
  -d example.com
```


### Security Tips

**Restrict access to your credentials file to its owner.**
You can do this with `chmod 600`.
Certbot will emit a warning if the credentials file
can be accessed by other users on your system.

**Use a separate key rather than your account's primary API key.**
Create a separate sub-user under your account,
grant it only DNS permissions,
and restrict it to the IP address(es) of the machine(s) that will use it.
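To make the credentials-file advice above (and the file format shown under Usage) checkable before Certbot ever runs, here is an added example. It is not part of this plugin or of Certbot: it parses the section-less INI format with the standard-library `configparser` (Certbot's own loader is not used), rejects a missing or empty key, and reports the same ownership and mode problems that the `chmod 600` tip addresses. The sample file it writes is constructed with the README's placeholder values, not real keys.

```python
"""Added example: validate a certbot-dns-tencentcloud credentials file.

This is not part of the plugin. It re-implements, with the standard library
only, the two checks the README asks for: the file parses to the two required
keys, and nobody but the owner can read it.
"""
import configparser
import os
import stat
import tempfile

REQUIRED_KEYS = ("dns_tencentcloud_secret_id", "dns_tencentcloud_secret_key")

# Constructed sample in the README's format; placeholder values, not real keys.
SAMPLE_BODY = (
    "dns_tencentcloud_secret_id  = TENCENT_CLOUD_SECRET_ID\n"
    "dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY\n"
)


def load_credentials(path):
    """Parse the section-less INI file and return the two required values.

    configparser needs a section header, so a synthetic one is prepended.
    Raises ValueError when a key is absent or empty instead of letting an
    empty secret reach the Tencent Cloud API.
    """
    parser = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        parser.read_string("[credentials]\n" + fh.read())
    section = parser["credentials"]
    creds = {}
    for key in REQUIRED_KEYS:
        value = section.get(key, "").strip()
        if not value:
            raise ValueError(f"{path}: missing or empty {key}")
        creds[key] = value
    return creds


def permission_problems(path):
    """Return findings about who else can access the file (empty list = OK).

    Mirrors the README's chmod 600 advice: no group/other permission bits,
    and the file must belong to the user running the check.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"{path}: mode {mode:04o} is accessible by group/other; run chmod 600"
        )
    if st.st_uid != os.geteuid():
        findings.append(
            f"{path}: owned by uid {st.st_uid}, not the current uid {os.geteuid()}"
        )
    return findings


def check_credentials_file(path):
    """Run both checks; returns (credentials dict, list of permission findings)."""
    return load_credentials(path), permission_problems(path)


def write_sample(mode, body=SAMPLE_BODY):
    """Write a constructed credentials file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="tencentcloud-", suffix=".ini")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # A 0600 file passes; a 0644 file is flagged exactly as the README warns.
    for sample_mode in (0o600, 0o644):
        sample_path = write_sample(sample_mode)
        keys, problems = check_credentials_file(sample_path)
        print(f"mode {sample_mode:04o}: keys={sorted(keys)} findings={problems}")
        os.unlink(sample_path)
    # A file with the secret key missing is rejected before any API call.
    sample_path = write_sample(
        0o600, body="dns_tencentcloud_secret_id = TENCENT_CLOUD_SECRET_ID\n"
    )
    try:
        check_credentials_file(sample_path)
    except ValueError as exc:
        print("rejected:", exc)
    finally:
        os.unlink(sample_path)
```

Run it once before pointing `--dns-tencentcloud-credentials` at a new file; the ownership check matters when Certbot runs under `sudo`, since a file owned by another user cannot be fixed with `chmod` by that user alone.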

### FAQ

1. Which policy should I choose to limit my API key to DNS-related operations only?

**Response from the official team** (translated from Chinese):

> Thanks for the feedback. DNS resolution already has the QCloudCNSFullAccess policy, but it needs to be whitelisted before it can be used. DNS resolution will be integrated into CAM later.

**Notes**:

"Needs to be whitelisted" probably means you have to open a ticket. Being integrated into CAM
presumably means the policy will become available just like the other policies.

**Update**:

As of 2021-06-12 it seems `QCloudCNSFullAccess` may not be usable even after opening a ticket; your mileage may vary.

2. Renewing certificates for `*.abc.com` and `abc.com` sometimes fails with an error about incorrect TXT records.

Let's Encrypt appears to cache TXT records for up to 60 seconds, and DNSPod does not seem
to allow a TTL below 60 for TXT records. Both names are validated through the same
`_acme-challenge.abc.com` record, so the safest workaround is to set
`--dns-tencentcloud-propagation-seconds` to more than 60.

3. Is there a debug mode?

```
--dns-tencentcloud-debug true
```


