
Support for Strato Let's Encrypt DNS challenge #1154

Open

Description

@psychofaktory

What provider would you like to see added to NPM?
Strato

Have you checked if a certbot plugin exists?
I found this here:
https://github.com/Buxdehuda/strato-certbot

Activity

chaptergy (Collaborator) commented on Jun 6, 2021

Unfortunately the current version of NPM only supports DNS-challenge providers which have a certbot dns plugin. The link you posted is only a manual auth hook certbot integration, which is not supported. And it seems there currently is no actual certbot dns plugin.

psychofaktory (Author) commented on Jun 8, 2021

For others with the same problem:

Not a certbot dns plugin, but I've managed to get a wildcard cert with the workaround mentioned here:

  1. Setup proxy host in NPM (Nginx Proxy Manager) for both domain and wildcard subdomain

  2. Setup SSL certificate for just the domain (wildcard input is currently not possible).

Up until here you should have SSL working for the domain, but not the subdomains.

  3. In my case NginxProxyManager is a Docker container running on Unraid, so /config is mounted to /mnt/user/appdata/NginxProxyManager

  4. Copy auth-hook.py to /config/letsencrypt/renewal-hooks/deploy/

  5. Make auth-hook.py executable:
    chmod a+x /config/letsencrypt/renewal-hooks/deploy/auth-hook.py

  6. Create strato-auth.json in /config/letsencrypt/renewal-hooks/deploy/
    {
      "username": "<username>",
      "password": "<password>"
    }

  7. In /config/letsencrypt/renewal-hooks/deploy/auth-hook.py, replace
    with open("strato-auth.json") as file:
    with
    with open("/config/letsencrypt/renewal-hooks/deploy/strato-auth.json") as file:

  8. Change permissions:
    chmod 0400 /config/letsencrypt/renewal-hooks/deploy/strato-auth.json

  9. Modify /config/letsencrypt/renewal/npm-.conf and update the section [renewalparams]:
    authenticator = manual
    manual_public_ip_logging_ok = True
    manual_auth_hook = /config/letsencrypt/renewal-hooks/deploy/auth-hook.py

  10. Extend the certificate (replace <domain>):
    certbot certonly --manual --cert-name npm-5 --expand -d <domain>,*.<domain> --manual-auth-hook=/config/letsencrypt/renewal-hooks/deploy/auth-hook.py

Now the cert set up in step 2 contains a wildcard alias and can be assigned to the wildcard subdomain from step 1.

I hope this helps someone.

BeSve commented on Nov 8, 2022

  10. Extend the certificate (replace <domain>):
    certbot certonly --manual --cert-name npm-5 --expand -d <domain>,*.<domain> --manual-auth-hook=/config/letsencrypt/renewal-hooks/deploy/auth-hook.py

Thanks for your how-to.
Will this automatically update the certificate every 90 days or do I have to do this manually?
Or is there a way to execute the command mentioned under 10 every n days?

Thanks a lot.

psychofaktory (Author) commented on Nov 9, 2022

Will this automatically update the certificate every 90 days or do I have to do this manually?

When the SSL certificate is created in step 2, NPM automatically creates a job that regularly renews the certificate.

Substanzlos commented on Feb 21, 2023

Hi, some things I have noticed.

(All files mentioned come from here: https://github.com/Buxdehuda/strato-certbot)

  • First off, it looks like auth-hook.py has changed; point 7 isn't required anymore, the with open has been removed/replaced.
  • There is a new include, so you will need the file certbotstratoapi.py
  • You need to install the requirements listed under requirements.txt

Okay, after this your workaround works, but I get this error message, even though the certificate generation works:

After issuing point 8 of the workaround I get this output.

    [...]
    Renewing an existing certificate for abc.xyz and *.abc.xyz

    Hook 'deploy-hook' reported error code 1
    Hook 'deploy-hook' ran with error output:
    Traceback (most recent call last):
      File "/etc/letsencrypt/renewal-hooks/deploy/auth-hook.py", line 42, in <module>
        main()
      File "/etc/letsencrypt/renewal-hooks/deploy/auth-hook.py", line 25, in main
        strato = CertbotStratoApi()
      File "/etc/letsencrypt/renewal-hooks/deploy/certbotstratoapi.py", line 17, in __init__
        self.txt_value = os.environ['CERTBOT_VALIDATION']
      File "/usr/lib/python3.7/os.py", line 678, in __getitem__
        raise KeyError(key) from None
    KeyError: 'CERTBOT_VALIDATION'

    Successfully received certificate.
    [...]

Any ideas?
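Added example (editor's code, not the strato-certbot script nor anything from the NPM project): a minimal certbot manual auth hook in the shape the how-to above wires in, written to illustrate both the procedure and the traceback in this comment. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION only to an authenticator hook passed with --manual-auth-hook; anything dropped into renewal-hooks/deploy/ is additionally executed as a deploy hook after issuance, where those variables are absent, which is why the script above dies with KeyError while the certificate is still issued. The hook below checks that the credentials file really is owner-only (the chmod 0400 step), derives the `_acme-challenge` TXT record, keeps both values when apex and wildcard are requested together, and exits with a clear message instead of a traceback when run in the wrong hook slot. The Strato API is not shown on the page, so the in-memory ZONE dict and the publish_txt function are assumptions standing in for the provider call.

```python
import json
import os
import stat
import sys

# Path from the how-to above, kept as the default.
CREDENTIALS_PATH = "/config/letsencrypt/renewal-hooks/deploy/strato-auth.json"

# Assumption: an in-memory zone stands in for the Strato DNS API, which the
# thread only references by repository. A real hook would call the provider here.
ZONE = {}


def mode_is_private(mode):
    """True when the file mode grants nothing to group or others (0400/0600)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def load_credentials(path=CREDENTIALS_PATH):
    """Read the JSON credentials and refuse files that other users could read."""
    if not mode_is_private(os.stat(path).st_mode):
        raise PermissionError(f"{path} is readable by group/others; chmod 0400 it")
    with open(path, encoding="utf-8") as fh:
        creds = json.load(fh)
    missing = [k for k in ("username", "password") if k not in creds]
    if missing:
        raise KeyError(f"credentials file is missing {missing}")
    return creds


def build_challenge_record(env):
    """Return (txt_name, txt_value) for the DNS-01 challenge certbot describes via env.

    certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION for auth hooks only. A
    deploy hook (renewal-hooks/deploy/) runs after issuance without them, which
    is exactly the KeyError shown in the comment above.
    """
    try:
        domain = env["CERTBOT_DOMAIN"]
        validation = env["CERTBOT_VALIDATION"]
    except KeyError as exc:
        raise RuntimeError(
            f"{exc.args[0]} not set: this script is a manual auth hook and must be "
            "passed via --manual-auth-hook, not run from renewal-hooks/deploy/"
        ) from exc
    # certbot hands over the base domain for a wildcard request; strip defensively.
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}", validation


def publish_txt(name, value, zone=ZONE):
    """Add a TXT value without replacing earlier ones.

    Apex + wildcard in one certificate produce two challenges for the same
    _acme-challenge name, so the record must hold both values at once.
    """
    values = zone.setdefault(name, [])
    if value not in values:
        values.append(value)
    return list(values)


def run_hook(env=None, zone=ZONE, credentials_path=CREDENTIALS_PATH):
    """Entry point: returns the process exit code instead of calling sys.exit."""
    env = os.environ if env is None else env
    try:
        name, value = build_challenge_record(env)
    except RuntimeError as err:
        print(f"auth-hook: {err}", file=sys.stderr)
        return 2
    creds = load_credentials(credentials_path)
    # Assumption: the provider call would authenticate with creds["username"]
    # and creds["password"]; here the record just lands in the in-memory zone.
    published = publish_txt(name, value, zone)
    print(f"published {name} TXT {published} as {creds['username']}")
    return 0


if __name__ == "__main__":
    sys.exit(run_hook())
```

Run it only through `--manual-auth-hook` (or `manual_auth_hook` in the renewal conf); keeping it out of renewal-hooks/deploy/ removes the spurious deploy-hook error entirely. Note that a manual auth hook still leaves the account credentials on disk, so the 0400 check matters.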

FlixMa (Contributor) commented on Mar 5, 2023

I modified the code from the aforementioned repository to provide a regular certbot dns authentication plugin, which can be directly integrated into NPM (see here).

If you would like to give it a try, follow these instructions.
The dns plugin configuration in globals/certbot-dns-plugins.js should be adjusted to include the service for Strato:

.
.
.
    //####################################################//
    strato: {
        display_name:        'Strato',
        package_name:        'certbot-dns-strato',
        version_requirement: '~=0.1.1',
        dependencies:        '',
        credentials:         `dns_strato_username = user
dns_strato_password = pass
# uncomment if domain name contains special characters
# insert domain display name as seen on your account page here
# dns_strato_domain_display_name = my-punicode-url.de`,
        full_plugin_name:    'dns-strato',
    },
.
.
.

I was successful using option 2 mentioned in the linked comment.
An exemplary docker-compose.yml could be:

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: always
    ports:
      - '80:80'
      - '1080:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      # map custom code into the container to support strato dns
      - ./custom-npm/global/certbot-dns-plugins.js:/app/global/certbot-dns-plugins.js:ro
      - ./custom-npm/frontend/dist:/app/frontend:ro
      
networks:
  default:
    external: true
    name: nginx-proxy-manager

Note that the code is still in an experimental stage.

Substanzlos commented on May 17, 2023

Nice work. :)

Where do I need to place the files from your repository?

FlixMa (Contributor) commented on May 18, 2023

Nice work. :)

Where do I need to place the files from your repository?

Thank you :-)

You don't need to touch my repository -- it is just a place for the plugin to live. The code is uploaded to PyPI, so it is available from anywhere where python pip is installed. Thus NPM can grab it by itself. You just need to introduce this plugin to NPM by inserting the configuration snippet posted above and then building the NPM frontend from this repository.

Once that's done, you can use the build directory and mount it into your docker container at the specific location where the prebuilt frontend was living (you basically shadow it with the new version).

Then you're good to go. In fact, I have had this setup up and running since my post without any issues :-)

So what you need to do:

  1. Clone this repository (nginx-proxy-manager, not my plugin)
  2. Edit globals/certbot-dns-plugins.js as shown above.
  3. Rebuild the NPM frontend using the provided build script: sudo ./scripts/frontend-build
  4. Mount the new version into your container using the docker-compose.yml as shown above (make sure to adjust the paths to point to your local custom build. In my case it's located in ./custom-npm/)

(-: Hope this helps

Substanzlos commented on May 18, 2023

Thank you. :)

Your pull request got answered: #2929 (comment)

I've tested the docker image, works like a charm!

Thank you so much for your work!

Yoshi315161 commented on Aug 3, 2023

Hi guys,

I posted this also in the pull request but don't know if anyone sees it there:

I read this and wanted to try it out but I think I don't get it...
How and what things do I have to put in the challenge text field?

Also my Strato is locked with 2FA.
Is there an example file I can use?

Sorry, but I don't understand the things under user and pass...
And for the SSL domain, do I need "*.DOMAIN.COM", or without the * for wildcard?

This is the example:

    dns_strato_username = user
    dns_strato_password = pass
    # uncomment if domain name contains special characters
    # insert domain display name as seen on your account page here
    # dns_strato_domain_display_name = my-punicode-url.de

And now how to fill it?

The last two I don't understand...
Do I have to remove the # and fill in something?
If I do I get an error....

I tested with:

    *.DOMAIN.com

    dns_strato_username = NUMBERS
    dns_strato_password = PASSWORD
    dns_strato_totp_secret = BUNCH OF NUMBERS AND CHARACTERS
    dns_strato_totp_devicename = NAME OF TOTP
    # uncomment if domain name contains special characters <-- leave this as it was
    # DOMAIN.COM
    # dns_strato_domain_display_name = *.DOMAIN.COM

Please help or point me to a good example from someone who got it to work. It would be easier than the normal challenge, as there are internal errors at times -,- (new request worked...)

Thank you so much...

EDIT: I had to put ' in front of # to avoid funky things...

FlixMa (Contributor) commented on Aug 4, 2023

Sorry, but I don't understand the things under user and pass... And for the SSL domain, do I need "*.DOMAIN.COM", or without the * for wildcard?

In the topmost field of the basic certificate settings it should say *.domain.com (the CN the certificate is issued for).
In the custom configuration for Strato DNS you only need to add your domain name if it has special characters in it (aka punycode). If that's the case, you need to enter the name in the exact same spelling as it appears on your Strato domain configuration overview page (on strato.de it's called "Paketübersicht"). In my case it shows without the asterisk. Otherwise, if you do not provide the dns_strato_domain_display_name, it is inferred from your CN.

I guess you already tried both variants, right? If that's the case, I might have spotted an error with TFA.
It might be a problem in the code of my python certbot plugin, where the credentials setup function does not include the totp keys.

Since I did not configure it yet (shame on me), this didn't come to light.
Your configuration looks correct:

    dns_strato_totp_secret = BUNCH OF NUMBERS AND CHARACTERS
    dns_strato_totp_devicename = NAME OF TOTP

Please try as I explained, if you did not already do so, and report back. Then I will proceed to making the adjustments in code.
Cheers
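Added example (editor's code, not certbot-dns-strato and not part of the thread): a reader of the credentials file discussed in the last two comments, showing what each field is for. The key names come from the snippet posted earlier in the thread; the rules that the display name is only needed for punycode domains and otherwise falls back to the CN with the leading `*.` removed follow the answer above. The sample credentials are constructed. How the plugin actually uses dns_strato_totp_secret is not shown on the page, so treating it as a base32 TOTP seed (RFC 6238, HMAC-SHA1, 30 s step, 6 digits, the usual authenticator-app format) is an assumption; the sample secret is the RFC 6238 reference key in base32, so the codes it yields are known.

```python
import base64
import hashlib
import hmac
import struct
import time

# Key names copied from the credentials snippet in the thread.
REQUIRED_KEYS = ("dns_strato_username", "dns_strato_password")
OPTIONAL_KEYS = (
    "dns_strato_totp_secret",
    "dns_strato_totp_devicename",
    "dns_strato_domain_display_name",
)

# Constructed sample file. The TOTP secret is the RFC 6238 reference key
# ("12345678901234567890") in base32, so the code it yields is known.
SAMPLE_CREDENTIALS = """\
dns_strato_username = 12345678
dns_strato_password = s3cret-p4ss
dns_strato_totp_secret = GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
dns_strato_totp_devicename = certbot
# uncomment if domain name contains special characters
# insert domain display name as seen on your account page here
# dns_strato_domain_display_name = my-punicode-url.de
"""


def parse_credentials(text):
    """Parse `key = value` lines; blank and '#' lines are ignored.

    Certbot DNS credentials files carry no INI section header, so a plain
    line parser is used instead of configparser. Unknown keys are rejected so
    that a typo in a key name fails loudly instead of being silently ignored.
    """
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed credentials line: {raw!r}")
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    unknown = sorted(set(creds) - set(REQUIRED_KEYS) - set(OPTIONAL_KEYS))
    if unknown:
        raise ValueError(f"unknown keys (typo?): {unknown}")
    return creds


def zone_display_name(creds, cert_common_name):
    """Name to look for in the provider's domain overview.

    An explicit dns_strato_domain_display_name wins (needed for punycode
    names); otherwise the certificate CN is used with a leading '*.' removed,
    since the overview lists the bare domain, not the wildcard.
    """
    name = creds.get("dns_strato_domain_display_name") or cert_common_name
    return name[2:] if name.startswith("*.") else name


def totp_code(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) from a base32 secret.

    Assumption: the plugin consumes dns_strato_totp_secret this way; the page
    does not show its implementation.
    """
    padded = secret_b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    key = base64.b32decode(padded)
    now = time.time() if at_time is None else at_time
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def login_material(creds, cert_common_name, at_time=None):
    """User, password, zone name and (when 2FA is configured) a fresh one-time code."""
    has_totp = "dns_strato_totp_secret" in creds
    return {
        "username": creds["dns_strato_username"],
        "password": creds["dns_strato_password"],
        "zone": zone_display_name(creds, cert_common_name),
        "otp": totp_code(creds["dns_strato_totp_secret"], at_time) if has_totp else None,
    }
```

A TOTP seed in this file is a second long-lived secret next to the password, so the file deserves the same owner-only permissions as the JSON credentials in the earlier workaround; NPM writes it under /etc/letsencrypt/credentials/, which is the path visible in the error message further down.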

Yoshi315161 commented on Aug 4, 2023

Hi, and thanks for the answer.

OK, then I think it's easier to work with pictures...

I tested a lot, but I always get an error, so here is my config (as I understand it from your text):

[screenshot: Config]

And this is the error I get:

    Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-30" --agree-tos --email "jxxxxxxxxxx.com" --domains "*.hxxxxxxxxxx.com" --authenticator dns-strato --dns-strato-credentials "/etc/letsencrypt/credentials/credentials-30"
    Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

        at ChildProcess.exithandler (node:child_process:402:12)
        at ChildProcess.emit (node:events:513:28)
        at maybeClose (node:internal/child_process:1100:16)
        at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

Do I have to put something in Strato first? I own the domain, but is there something to do for the wildcard *.hxxxxxxx.com SSL cert?

Thank you for your help :)

Labels: dns provider request (this issue is a request to integrate a new DNS-challenge provider); no certbot plugin available (for the requested DNS provider there is no certbot plugin available)
