
Merge pull request #387 from Neilpang/master

sync
neil 8 years ago
parent
commit
a6d583cb5e
4 changed files with 139 additions and 21 deletions
  1. 2 1
      README.md
  2. 5 0
      acme.sh
  3. 72 20
      dnsapi/README.md
  4. 60 0
      dnsapi/dns_nsupdate.sh

+ 2 - 1
README.md

@@ -1,4 +1,4 @@
-# An ACME Shell script: acme.sh
+# An ACME Shell script: acme.sh [![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)
 - An ACME protocol client written purely in Shell (Unix shell) language.
 - Fully ACME protocol implementation.
 - Simple, powerful and very easy to use. You only need 3 minutes to learn.
@@ -256,6 +256,7 @@ You don't have do anything manually!
    (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
 9. LuaDNS.com API
 10. DNSMadeEasy.com API
+11. nsupdate
 
 ##### More APIs are coming soon...
 

+ 5 - 0
acme.sh

@@ -3592,6 +3592,11 @@ _initconf() {
 #
 #GD_Secret=\"sADDsdasdfsdfdssdgdsf\"
 
+#######################
+#nsupdate:
+#NSUPDATE_KEY=\"/path/to/update.key\"
+#NSUPDATE_SERVER=\"192.168.0.1\"
+
 #######################
 #PowerDNS:
 #PDNS_Url=\"http://ns.example.com:8081\"

+ 72 - 20
dnsapi/README.md

@@ -1,6 +1,6 @@
 # How to use dns api
 
-## Use CloudFlare domain api to automatically issue cert
+## 1. Use CloudFlare domain api to automatically issue cert
 
 For now, we support clourflare integeration.
 
@@ -22,7 +22,7 @@ The `CF_Key` and `CF_Email`  will be saved in `~/.acme.sh/account.conf`, when ne
 
 
 
-## Use Dnspod.cn domain api to automatically issue cert
+## 2. Use Dnspod.cn domain api to automatically issue cert
 
 For now, we support dnspod.cn integeration.
 
@@ -43,7 +43,7 @@ acme.sh   --issue   --dns dns_dp   -d example.com  -d www.example.com
 The `DP_Id` and `DP_Key`  will be saved in `~/.acme.sh/account.conf`, when next time you use dnspod.cn api, it will reuse this key.
 
 
-## Use Cloudxns.com domain api to automatically issue cert
+## 3. Use Cloudxns.com domain api to automatically issue cert
 
 For now, we support Cloudxns.com integeration.
 
@@ -64,7 +64,7 @@ acme.sh   --issue   --dns dns_cx   -d example.com  -d www.example.com
 The `CX_Key` and `CX_Secret`  will be saved in `~/.acme.sh/account.conf`, when next time you use Cloudxns.com api, it will reuse this key.
 
 
-## Use Godaddy.com domain api to automatically issue cert
+## 4. Use Godaddy.com domain api to automatically issue cert
 
 We support Godaddy integration.
 
@@ -89,7 +89,7 @@ acme.sh   --issue   --dns dns_gd   -d example.com  -d www.example.com
 
 The `GD_Key` and `GD_Secret`  will be saved in `~/.acme.sh/account.conf`, when next time you use cloudflare api, it will reuse this key.
 
-## Use PowerDNS embedded api to automatically issue cert
+## 5. Use PowerDNS embedded api to automatically issue cert
 
 We support PowerDNS embedded API integration.
 
@@ -112,31 +112,61 @@ acme.sh   --issue   --dns dns_pdns   -d example.com  -d www.example.com
 
 The `PDNS_Url`, `PDNS_ServerId`, `PDNS_Token` and `PDNS_Ttl` will be saved in `~/.acme.sh/account.conf`.
 
-## Use OVH/kimsufi/soyoustart/runabove API
 
-https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
-
-# Use custom api
+## 6. Use OVH/kimsufi/soyoustart/runabove API
 
-If your api is not supported yet,  you can write your own dns api.
+https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
 
-Let's assume you want to name it 'myapi',
+## 7. Use nsupdate to automatically issue cert
 
-1. Create a bash script named  `~/.acme.sh/dns_myapi.sh`,
-2. In the script, you must have a function named `dns_myapi_add()`. Which will be called by acme.sh to add dns records.
-3. Then you can use your api to issue cert like:
+First, generate a key for updating the zone
+```
+b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo)
+cat > /etc/named/keys/update.key <<EOF
+key "update" {
+    algorithm hmac-sha512;
+    secret "$(awk '/^Key/{print $2}' /tmp/$b.private)";
+};
+EOF
+rm -f /tmp/$b.{private,key}
+```
 
+Include this key in your named configuration
 ```
-acme.sh  --issue  --dns  dns_myapi  -d example.com  -d www.example.com
+include "/etc/named/keys/update.key";
 ```
 
-For more details, please check our sample script: [dns_myapi.sh](dns_myapi.sh)
+Next, configure your zone to allow dynamic updates.
+Depending on your named version, use either
+```
+zone "example.com" {
+    type master;
+    allow-update { key "update"; };
+};
+```
+or
+```
+zone "example.com" {
+    type master;
+    update-policy {
+        grant update subdomain example.com.;
+    };
+}
+```
+Finally, make the dns server and update key available to `acme.sh`
+```
+export NSUPDATE_SERVER=dns.example.com
+export NSUPDATE_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
+```
 
-# Use lexicon dns api
+Ok, let's issue cert now:
+```
+acme.sh   --issue   --dns dns_nsupdate   -d example.com  -d www.example.com
+```
 
-https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
+The `NSUPDATE_SERVER` and `NSUPDATE_KEY` settings will be saved in `~/.acme.sh/account.conf`.
 
-## Use LuaDNS domain API
+## 8. Use LuaDNS domain API
 
 Get your API token at https://api.luadns.com/settings
 
@@ -154,7 +184,7 @@ acme.sh   --issue   --dns dns_lua --dnssleep 3  -d example.com  -d www.example.c
 
 The `LUA_Key` and `LUA_Email`  will be saved in `~/.acme.sh/account.conf`, and will be reused when needed.
 
-## Use DNSMadeEasy domain API
+## 9. Use DNSMadeEasy domain API
 
 Get your API credentials at https://cp.dnsmadeeasy.com/account/info
 
@@ -172,5 +202,27 @@ acme.sh   --issue   --dns dns_me --dnssleep 3  -d example.com  -d www.example.co
 
 The `ME_Key` and `ME_Secret`  will be saved in `~/.acme.sh/account.conf`, and will be reused when needed.
 
+# 10. Use custom api
+
+If your api is not supported yet,  you can write your own dns api.
+
+Let's assume you want to name it 'myapi',
+
+1. Create a bash script named  `~/.acme.sh/dns_myapi.sh`,
+2. In the script, you must have a function named `dns_myapi_add()`. Which will be called by acme.sh to add dns records.
+3. Then you can use your api to issue cert like:
+
+```
+acme.sh  --issue  --dns  dns_myapi  -d example.com  -d www.example.com
+```
+
+For more details, please check our sample script: [dns_myapi.sh](dns_myapi.sh)
+
+# 11. Use lexicon dns api
+
+https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
+
+
+
 
 

+ 60 - 0
dnsapi/dns_nsupdate.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env sh
+
+
+########  Public functions #####################
+
+#Usage: dns_nsupdate_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_nsupdate_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _checkKeyFile || return 1
+  [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
+  # save the dns server and key to the account conf file.
+  _saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
+  _saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
+  _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+  nsupdate -k "${NSUPDATE_KEY}" <<EOF
+server ${NSUPDATE_SERVER}
+update add ${fulldomain}. 60 in txt "${txtvalue}"
+send
+EOF
+  if [ $? -ne 0 ]; then
+    _err "error updating domain"
+    return 1
+  fi
+  
+  return 0
+}
+
+#Usage: dns_nsupdate_rm   _acme-challenge.www.domain.com
+dns_nsupdate_rm() {
+  fulldomain=$1
+  _checkKeyFile || return 1
+  [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
+  _info "removing ${fulldomain}. txt"
+  nsupdate -k "${NSUPDATE_KEY}" <<EOF
+server ${NSUPDATE_SERVER}
+update delete ${fulldomain}. txt
+send
+EOF
+  if [ $? -ne 0 ]; then
+    _err "error updating domain"
+    return 1
+  fi
+
+  return 0
+}
+
+
+####################  Private functions bellow ##################################
+
+_checkKeyFile() {
+  if [ -z "${NSUPDATE_KEY}" ]; then
+    _err "you must specify a path to the nsupdate key file"
+    return 1
+  fi
+  if [ ! -r "${NSUPDATE_KEY}" ]; then
+    _err "key ${NSUPDATE_KEY} is unreadable"
+    return 1
+  fi
+}
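Review bot: The here-docs feeding `nsupdate -k` in dns_nsupdate_add and dns_nsupdate_rm splice `${fulldomain}` and `${txtvalue}` unvalidated into nsupdate's command stream, so a value containing a newline or an embedded `"` would be read as further update statements rather than as record data; a character-set check before the here-doc, e.g. `case "${txtvalue}" in *[!A-Za-z0-9_-]*) _err "invalid txt value"; return 1 ;; esac` (and the same for `${fulldomain}` with `.` allowed), keeps each call limited to the single record it is meant to touch. `update delete ${fulldomain}. txt` in dns_nsupdate_rm removes every TXT record at that name rather than only the one this script added, which matters when several validations share an `_acme-challenge` name; `update delete ${fulldomain}. txt "${txtvalue}"` would be precise, though the `dns_*_rm` convention visible here only passes the name, so that change presumably needs the caller's cooperation. The two `if [ $? -ne 0 ]` tests could be folded into the command as `if ! nsupdate -k "${NSUPDATE_KEY}" <<EOF`, which reads as one unit and cannot be separated from the status it checks. _checkKeyFile treats NSUPDATE_KEY as a readable key-file path (`-k` takes a file), while the dnsapi/README.md hunk in this commit tells users to `export NSUPDATE_KEY=aaaa…==` as if it were the key material itself; the README example should show the path to the key file.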