letsencrypt: Update Alpine, Python and Certbot (home-assistant#3325)

letsencrypt/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 5.0.0
+
+- Upgrade to Certbot 2.7.4 & all DNS authenticator plug-ins
+- Drop CloudXNS (removed in Certbot upstream)
+- Update to Python 3.11
+- Update to Alpine 3.18
+- Add GANDI DNS propagation delay setting
+
 ## 4.12.9
 
 - Add Google Domains DNS challenge support

letsencrypt/DOCS.md

@@ -50,8 +50,6 @@ azure_config: ''
 cloudflare_email: ''
 cloudflare_api_key: ''
 cloudflare_api_token: ''
-cloudxns_api_key: ''
-cloudxns_secret_key: ''
 digitalocean_token: ''
 directadmin_url: ''
 directadmin_username: ''
@@ -525,7 +523,6 @@ You can in addition find the files via the "samba" addon within the "ssl" share.
 ```txt
 dns-azure
 dns-cloudflare
-dns-cloudxns
 dns-digitalocean
 dns-directadmin
 dns-dnsimple

letsencrypt/Dockerfile

@@ -8,13 +8,13 @@ ARG \
     CERTBOT_VERSION \
     CERTBOT_DNS_AZURE_VERSION \
     CERTBOT_DNS_DIRECTADMIN_VERSION \
-    CERTBOT_DNS_HETZNER_VERSION \
     CERTBOT_DNS_GOOGLE_DOMAINS_VERSION \
+    CERTBOT_DNS_HETZNER_VERSION \
+    CERTBOT_DNS_INWX_VERSION \
+    CERTBOT_DNS_TRANSIP_VERSION \
     CERTBOT_NETCUP_VERSION \
     CERTBOT_NJALLA_VERSION \
     CERTBOT_GANDI_VERSION \
-    CERTBOT_DNS_TRANSIP_VERSION \
-    CERTBOT_DNS_INWX_VERSION \
     ACME_VERSION
 
 RUN \
@@ -35,7 +35,6 @@ RUN \
         certbot==${CERTBOT_VERSION} \
         certbot-dns-azure==${CERTBOT_DNS_AZURE_VERSION} \
         certbot-dns-cloudflare==${CERTBOT_VERSION} \
-        certbot-dns-cloudxns==${CERTBOT_VERSION} \
         certbot-dns-digitalocean==${CERTBOT_VERSION} \
         certbot-dns-directadmin==${CERTBOT_DNS_DIRECTADMIN_VERSION} \
         certbot-dns-dnsimple==${CERTBOT_VERSION} \

letsencrypt/build.yaml

@@ -1,23 +1,23 @@
 ---
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.9-alpine3.14
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.9-alpine3.14
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.9-alpine3.14
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.9-alpine3.14
-  i386: ghcr.io/home-assistant/i386-base-python:3.9-alpine3.14
+  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.11-alpine3.18
+  amd64: ghcr.io/home-assistant/amd64-base-python:3.11-alpine3.18
+  armhf: ghcr.io/home-assistant/armhf-base-python:3.11-alpine3.18
+  armv7: ghcr.io/home-assistant/armv7-base-python:3.11-alpine3.18
+  i386: ghcr.io/home-assistant/i386-base-python:3.11-alpine3.18
 codenotary:
   signer: [email protected]
   base_image: [email protected]
 args:
-  CRYPTOGRAPHY_VERSION: 36.0.2
-  CERTBOT_DNS_AZURE_VERSION: 1.5.0
-  CERTBOT_DNS_DIRECTADMIN_VERSION: 0.0.24
-  CERTBOT_DNS_HETZNER_VERSION: 1.0.5
+  CRYPTOGRAPHY_VERSION: 41.0.5
+  CERTBOT_DNS_AZURE_VERSION: 2.4.0
+  CERTBOT_DNS_DIRECTADMIN_VERSION: 1.0.3
+  CERTBOT_DNS_HETZNER_VERSION: 2.0.0
+  CERTBOT_DNS_INWX_VERSION: 2.2.0
   CERTBOT_DNS_GOOGLE_DOMAINS_VERSION: 0.1.11
-  CERTBOT_DNS_TRANSIP_VERSION: 0.4.3
-  CERTBOT_GANDI_VERSION: 1.3.2
-  CERTBOT_NETCUP_VERSION: 1.1.1
+  CERTBOT_DNS_TRANSIP_VERSION: 0.5.2
+  CERTBOT_GANDI_VERSION: 1.5.0
+  CERTBOT_NETCUP_VERSION: 1.4.3
   CERTBOT_NJALLA_VERSION: 1.0.0
-  CERTBOT_VERSION: 1.32.0
-  CERTBOT_DNS_INWX_VERSION: 2.2.0
-  ACME_VERSION: 1.32.0
+  CERTBOT_VERSION: 2.7.4
+  ACME_VERSION: 2.7.4

letsencrypt/config.yaml

@@ -1,5 +1,5 @@
 ---
-version: 4.12.9
+version: 5.0.0
 slug: letsencrypt
 name: Let's Encrypt
 description: Manage certificate from Let's Encrypt
@@ -42,8 +42,6 @@ schema:
     cloudflare_api_key: str?
     cloudflare_api_token: str?
     cloudflare_email: email?
-    cloudxns_api_key: str?
-    cloudxns_secret_key: str?
     digitalocean_token: str?
     directadmin_password: str?
     directadmin_url: str?
@@ -73,7 +71,7 @@ schema:
     ovh_consumer_key: str?
     ovh_endpoint: str?
     propagation_seconds: int(60,3600)?
-    provider: "list(dns-azure|dns-cloudflare|dns-cloudxns|dns-digitalocean|\
+    provider: "list(dns-azure|dns-cloudflare|dns-digitalocean|\
       dns-directadmin|dns-dnsimple|dns-dnsmadeeasy|dns-gehirn|\
       dns-google|dns-google-domains|\
       dns-hetzner|dns-linode|dns-luadns|dns-njalla|dns-nsone|dns-ovh|\

letsencrypt/rootfs/etc/cont-init.d/file-structure.sh

@@ -6,12 +6,10 @@ mkdir -p /data/workdir
 mkdir -p /data/letsencrypt
 
 # Setup Let's encrypt config
-echo -e "dns_cloudxns_api_key = $(bashio::config 'dns.cloudxns_api_key')\n" \
-      "dns_cloudxns_secret_key = $(bashio::config 'dns.cloudxns_secret_key')\n" \
-      "dns_digitalocean_token = $(bashio::config 'dns.digitalocean_token')\n" \
-      "certbot_dns_directadmin:directadmin_url = $(bashio::config 'dns.directadmin_url')\n" \
-      "certbot_dns_directadmin:directadmin_username = $(bashio::config 'dns.directadmin_username')\n" \
-      "certbot_dns_directadmin:directadmin_password = $(bashio::config 'dns.directadmin_password')\n" \
+echo -e "dns_digitalocean_token = $(bashio::config 'dns.digitalocean_token')\n" \
+      "directadmin_url = $(bashio::config 'dns.directadmin_url')\n" \
+      "directadmin_username = $(bashio::config 'dns.directadmin_username')\n" \
+      "directadmin_password = $(bashio::config 'dns.directadmin_password')\n" \
       "dns_dnsimple_token = $(bashio::config 'dns.dnsimple_token')\n" \
       "dns_dnsmadeeasy_api_key = $(bashio::config 'dns.dnsmadeeasy_api_key')\n" \
       "dns_dnsmadeeasy_secret_key = $(bashio::config 'dns.dnsmadeeasy_secret_key')\n" \
@@ -22,10 +20,10 @@ echo -e "dns_cloudxns_api_key = $(bashio::config 'dns.cloudxns_api_key')\n" \
       "dns_linode_version = $(bashio::config 'dns.linode_version')\n" \
       "dns_luadns_email = $(bashio::config 'dns.luadns_email')\n" \
       "dns_luadns_token = $(bashio::config 'dns.luadns_token')\n" \
-      "certbot_dns_netcup:dns_netcup_customer_id = $(bashio::config 'dns.netcup_customer_id')\n" \
-      "certbot_dns_netcup:dns_netcup_api_key = $(bashio::config 'dns.netcup_api_key')\n" \
-      "certbot_dns_netcup:dns_netcup_api_password = $(bashio::config 'dns.netcup_api_password')\n" \
-      "certbot_dns_njalla:dns_njalla_token = $(bashio::config 'dns.njalla_token')\n" \
+      "dns_netcup_customer_id = $(bashio::config 'dns.netcup_customer_id')\n" \
+      "dns_netcup_api_key = $(bashio::config 'dns.netcup_api_key')\n" \
+      "dns_netcup_api_password = $(bashio::config 'dns.netcup_api_password')\n" \
+      "dns_njalla_token = $(bashio::config 'dns.njalla_token')\n" \
       "dns_nsone_api_key = $(bashio::config 'dns.nsone_api_key')\n" \
       "dns_ovh_endpoint = $(bashio::config 'dns.ovh_endpoint')\n" \
       "dns_ovh_application_key = $(bashio::config 'dns.ovh_application_key')\n" \
@@ -40,9 +38,9 @@ echo -e "dns_cloudxns_api_key = $(bashio::config 'dns.cloudxns_api_key')\n" \
       "aws_secret_access_key = $(bashio::config 'dns.aws_secret_access_key')\n" \
       "dns_sakuracloud_api_token = $(bashio::config 'dns.sakuracloud_api_token')\n" \
       "dns_sakuracloud_api_secret = $(bashio::config 'dns.sakuracloud_api_secret')\n" \
-      "certbot_plugin_gandi:dns_api_key = $(bashio::config 'dns.gandi_api_key')\n" \
-      "certbot_dns_transip:dns_transip_username = $(bashio::config 'dns.transip_username')\n" \
-      "certbot_dns_transip:dns_transip_key_file = /data/transip-rsa.key\n" \
+      "dns_gandi_api_key = $(bashio::config 'dns.gandi_api_key')\n" \
+      "dns_transip_username = $(bashio::config 'dns.transip_username')\n" \
+      "dns_transip_key_file = /data/transip-rsa.key\n" \
       "dns_inwx_url = https://api.domrobot.com/xmlrpc/\n" \
       "dns_inwx_username = $(bashio::config 'dns.inwx_username')\n" \
       "dns_inwx_password = $(bashio::config 'dns.inwx_password')\n" \
@@ -61,3 +59,11 @@ if bashio::config.exists 'dns.transip_api_key'; then
       echo "${TRANSIP_API_KEY}" | openssl rsa -out /data/transip-rsa.key
       chmod 600 /data/transip-rsa.key
 fi
+
+# Cleanup removed add-on options
+if bashio::config.exists 'dns.cloudxns_api_key'; then
+      bashio::addon.option 'dns.cloudxns_api_key'
+fi
+if bashio::config.exists 'dns.cloudxns_secret_key'; then
+      bashio::addon.option 'dns.cloudxns_secret_key'
+fi

letsencrypt/rootfs/etc/services.d/lets-encrypt/run

@@ -29,15 +29,19 @@ else
 fi
 
 # AWS
-if bashio::config.exists 'dns.aws_access_key_id' && bashio::config.exists 'dns.aws_secret_access_key'; then
+if [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-route53" ]; then
+    bashio::config.require 'dns.aws_access_key_id'
+    bashio::config.require 'dns.aws_secret_access_key'
+
     AWS_ACCESS_KEY_ID="$(bashio::config 'dns.aws_access_key_id')"
     AWS_SECRET_ACCESS_KEY="$(bashio::config 'dns.aws_secret_access_key')"
 
     export AWS_ACCESS_KEY_ID
     export AWS_SECRET_ACCESS_KEY
     PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}")
 #Google
-elif bashio::config.exists 'dns.google_creds'; then
+elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-google" ]; then
+    bashio::config.require 'dns.google_creds'
     GOOGLE_CREDS="$(bashio::config 'dns.google_creds')"
 
     export GOOGLE_CREDS
@@ -53,8 +57,11 @@ elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-google-domains"
     bashio::config.require 'dns.google_domains_access_token'
     PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 #Netcup
-elif bashio::config.exists 'dns.netcup_customer_id' && bashio::config.exists 'dns.netcup_api_key' && bashio::config.exists 'dns.netcup_api_password'; then
-    PROVIDER_ARGUMENTS+=("--authenticator" "certbot-dns-netcup:dns-netcup" "--certbot-dns-netcup:dns-netcup-credentials" /data/dnsapikey "--certbot-dns-netcup:dns-netcup-propagation-seconds" "${PROPAGATION_SECONDS}")
+elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-netcup" ]; then
+    bashio::config.require 'dns.netcup_customer_id'
+    bashio::config.require 'dns.netcup_api_key'
+    bashio::config.require 'dns.netcup_api_password'
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 #TransIP
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-transip" ]; then
@@ -64,49 +71,49 @@ elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-transip" ]; then
         bashio::log.info "Increasing DNS propagation limit for TransIP to at least 240 seconds."
         PROPAGATION_SECONDS=240
     fi
-    PROVIDER_ARGUMENTS+=("--authenticator" "certbot-${DNS_PROVIDER}:${DNS_PROVIDER}" "--certbot-${DNS_PROVIDER}:${DNS_PROVIDER}-credentials" /data/dnsapikey "--certbot-${DNS_PROVIDER}:${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # CloudFlare
 elif [ "${DNS_PROVIDER}" == "dns-cloudflare" ]; then
     if bashio::config.exists 'dns.cloudflare_api_token'; then
         bashio::log.info "Use CloudFlare token"
-        echo "dns_cloudflare_api_token = $(bashio::config 'dns.cloudflare_api_token')" >> /data/dnsapikey
+        echo "dns_cloudflare_api_token = $(bashio::config 'dns.cloudflare_api_token')" >> "/data/dnsapikey"
     else
         bashio::log.warning "Use CloudFlare global key (not recommended!)"
         echo -e "dns_cloudflare_email = $(bashio::config 'dns.cloudflare_email')\n" \
-            "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" >> /data/dnsapikey
+            "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" >> "/data/dnsapikey"
     fi
 
-    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey "--dns-cloudflare-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--dns-cloudflare-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # DirectAdmin
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-directadmin" ]; then
     bashio::config.require 'dns.directadmin_url'
     bashio::config.require 'dns.directadmin_username'
     bashio::config.require 'dns.directadmin_password'
-    PROVIDER_ARGUMENTS+=("--authenticator" "certbot-dns-directadmin:directadmin" "--certbot-dns-directadmin:directadmin-credentials" /data/dnsapikey "--certbot-dns-directadmin:directadmin-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # Gandi
 elif [ "${DNS_PROVIDER}" == "dns-gandi" ]; then
     if bashio::config.exists 'dns.gandi_sharing_id'; then
         bashio::log.info "Use Gandi sharing ID"
-        echo "certbot_plugin_gandi:dns_sharing_id = $(bashio::config 'dns.gandi_sharing_id')" >> /data/dnsapikey
+        echo "dns_gandi_sharing_id = $(bashio::config 'dns.gandi_sharing_id')" >> "/data/dnsapikey"
     fi
-    PROVIDER_ARGUMENTS+=("--authenticator" "certbot-plugin-gandi:dns" "--certbot-plugin-gandi:dns-credentials" /data/dnsapikey)
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}" )
 
 # Hetzner
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-hetzner" ]; then
     bashio::config.require 'dns.hetzner_api_token'
-    PROVIDER_ARGUMENTS+=("--authenticator" "dns-hetzner" "--dns-hetzner-credentials" /data/dnsapikey "--dns-hetzner-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "dns-hetzner" "--dns-hetzner-credentials" "/data/dnsapikey" "--dns-hetzner-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # Njalla
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-njalla" ]; then
     bashio::config.require 'dns.njalla_token'
-    PROVIDER_ARGUMENTS+=("--authenticator" "certbot-dns-njalla:dns-njalla" "--certbot-dns-njalla:dns-njalla-credentials" /data/dnsapikey "--certbot-dns-njalla:dns-njalla-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # rfc2136
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-rfc2136" ]; then
-    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey "--dns-rfc2136-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--dns-rfc2136-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # Azure
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-azure" ]; then
@@ -131,7 +138,7 @@ elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-inwx" ]; then
 
 #All others
 else
-    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey)
+    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey")
 fi
 
 if bashio::config.has_value 'acme_server' ; then