Metadata-Version: 2.1
Name: certbot-dns-tencentcloud
Version: 1.2.0
Summary: Tencent Cloud DNS Authenticator plugin for Certbot
Home-page: https://github.com/frefreak/certbot-dns-tencentcloud
Author: Xiangyu Zhu
Author-email: carsonzhu@tencent.com
License: UNKNOWN
Platform: UNKNOWN
Classifier: Environment :: Plugins
Classifier: Intended Audience :: System Administrators
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Classifier: Topic :: System :: Installation/Setup
Classifier: Topic :: System :: Networking
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Description-Content-Type: text/markdown
License-File: LICENSE

# certbot-dns-tencentcloud

This package provides a Certbot authenticator plugin
that can complete the DNS-01 challenge using the Tencent Cloud API.


## Installation

Only tested on Python 3.8; it should work on Python 3.7 too.

- There is no plan to support Python 2.
- [dataclasses](https://docs.python.org/3/library/dataclasses.html) is used, so Python 3.6 and earlier will not work. However, you can try installing `dataclasses` from PyPI.

Use pip to install this package:
```
sudo pip3 install certbot-dns-tencentcloud
```

Verify the installation with Certbot:
```
sudo certbot plugins
```
You should see `dns-tencentcloud` in the output.


## Usage

To use this plugin, set the authenticator to `dns-tencentcloud` via the `-a` or `--authenticator` flag.
You may also set this using Certbot's configuration file (defaults to `/etc/letsencrypt/cli.ini`).

You will also need to provide a credentials file with your Tencent Cloud API key id and secret, like the following:
```
dns_tencentcloud_secret_id  = TENCENT_CLOUD_SECRET_ID
dns_tencentcloud_secret_key = TENCENT_CLOUD_SECRET_KEY
```
The path to this file can be provided interactively or via the `--dns-tencentcloud-credentials` argument.

**CAUTION:**
Protect your API key as you would the password to your account.
Anyone with access to this file can make API calls on your behalf.
Be sure to **read the security tips below**.


### Arguments

- `--dns-tencentcloud-credentials` path to Tencent Cloud credentials INI file (Required)
- `--dns-tencentcloud-propagation-seconds` seconds to wait before verifying the DNS record (Default: 10)

**NOTE:** Due to a [limitation in Certbot](https://github.com/certbot/certbot/issues/4351),
these arguments *cannot* be set via Certbot's configuration file.


### Example

```
certbot certonly \
  -a dns-tencentcloud \
  --dns-tencentcloud-credentials ~/.secrets/certbot/tencentcloud.ini \
  -d example.com
```


### Security Tips

**Restrict access of your credentials file to the owner.**
You can do this using `chmod 600`.
Certbot will emit a warning if the credentials file
can be accessed by other users on your system.

**Use a separate key from your account's primary API key.**
Make a separate user under your account,
and limit its access to only allow DNS access
and the IP address of the machine(s) that will be using it.
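
A preflight check for the first tip above, as an added example that is not part of this plugin or of Certbot: it creates the credentials file with mode 0600 from the start and reports group/other access, wrong ownership, or missing keys. The function names and the simplified `key = value` parser are assumptions made for this example.

```python
import os
import stat

# Key names are the ones shown in the credentials file example in this README.
REQUIRED_KEYS = ("dns_tencentcloud_secret_id", "dns_tencentcloud_secret_key")


def parse_credentials(text):
    """Parse `key = value` lines, skipping blanks and # comments (simplified)."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def write_credentials_file(path, secret_id, secret_key):
    """Create the file owner-only from the first byte; fail if it already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)  # make the mode exact regardless of the umask
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"dns_tencentcloud_secret_id  = {secret_id}\n")
        fh.write(f"dns_tencentcloud_secret_key = {secret_key}\n")


def check_credentials_file(path):
    """Return a list of problems; an empty list means the file passes."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group or other permission bit set
        problems.append(f"mode {mode:04o} grants group/other access; use chmod 600")
    if st.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        values = parse_credentials(fh.read())
    for key in REQUIRED_KEYS:
        if not values.get(key):
            problems.append(f"missing or empty {key}")
    return problems
```

Run `check_credentials_file` as the same user that runs Certbot, since the ownership check compares against the current user.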

### FAQ

1. Which strategy should I choose to limit my API key's access to only DNS resolution related operations?

~~Currently it seems there's no specific strategy corresponding to this, and sadly the only strategy I tried that worked is **QCloudResourceFullAccess**. Trying to negotiate with the Tencent Cloud team to support this is on my todo-list though.~~

Response updated: "Thanks for the feedback. DNS resolution already has the QCloudCNSFullAccess strategy, but it has to be whitelisted before it can be used. DNS resolution will be integrated with CAM later."

DNS resolution now already has the QCloudCNSFullAccess strategy, but it needs to be whitelisted before it can be used (probably needs a ticket?). Later this will be added to CAM (if I understand correctly, this means it will be available just like other strategies).


