[FEATURE] Add desec.io as a dns provider for Let's encrypt #1995

Open
darkknight7777777 opened this issue Feb 15, 2025 · 13 comments
Labels: enhancement (New feature or request), next major (Will be implemented in the next major version.)

darkknight7777777 commented Feb 15, 2025

What's needed and why?

Add desec.io as a dns provider for let's encrypt wildcard certificates. https://desec.readthedocs.io/en/latest/integrations/lets-encrypt.html#certbot-with-desec-plugin

Implementation ideas (optional)

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@darkknight7777777 darkknight7777777 added the enhancement New feature or request label Feb 15, 2025
@TheophileDiot
Member

Hey @darkknight7777777, thanks for bringing this up! Looks like we overlooked this plugin. We’ve been using this list as a reference: https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins. Appreciate the heads-up!

@TheophileDiot
Member

I just added the new DNS provider to the dev branch. Feel free to test it using the dev tag and let me know if it works for you! Appreciate your feedback. 😄

@darkknight7777777
Author

Wow, I wasn't expecting anyone to get to this so soon!

I'm not sure if I'm putting in the info incorrectly since this is my first attempt at dns challenge in bunkerweb, but I get this notice in scheduler log. I assume the 2nd message is because the variable is being ignored, but thought I'd include it for info.

[2025-02-17 15:31:39 -0500] [GENERATOR.SAVE_CONFIG] [931] [⚠️ ] - Ignoring variable LETS_ENCRYPT_DNS_PROVIDER : value desec doesn't match regex ^(cloudflare|digitalocean|dnsimple|dnsmadeeasy|gehirn|google|linode|luadns|nsone|ovh|rfc2136|route53|sakuracloud|scaleway)?$ - value = 'desec'
[2025-02-17 15:31:45 -0500] [LETS-ENCRYPT.NEW] [871] [⚠️ ] - No provider found for service bwtest.tld (available providers : cloudflare, desec, digitalocean, dnsimple, dnsmadeeasy, gehirn, google, linode, luadns, nsone, ovh, rfc2136, route53, sakuracloud, scaleway), skipping certificate(s) generation...

LE variables:
AUTO_LETS_ENCRYPT=yes
LETS_ENCRYPT_CHALLENGE=dns
EMAIL_LETS_ENCRYPT=bwtest@tld
LETS_ENCRYPT_DNS_PROVIDER=desec
LETS_ENCRYPT_DNS_PROPAGATION=90
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM=dns_desec_token = 1234
USE_LETS_ENCRYPT_WILDCARD=yes
USE_LETS_ENCRYPT_STAGING=yes

I checked the UI just to see if I could try it that way, but desec doesn't show in the list of dns providers there either.

I'd be more than happy to provide any further info needed.

@TheophileDiot
Member

Hi @darkknight7777777, you'll have to pull the dev tag again I think for the changes to take effect locally for you 😄

@darkknight7777777
Author

That was on a fresh install with the dev tag. Just to verify, I wiped the server and started from scratch again, and I'm still getting the same messages.

@TheophileDiot
Member

Oh, I see! I must have missed something then. I'll let you know when I have a look at it tomorrow 😁

@fl0ppy-d1sk
Member

> that was on a fresh install with the dev tag. Just to verify, I wiped the server and started from scratch again, I'm still getting the same messages.

Just to be sure, did you wipe the whole server (host / VM) or only the container ?

@TheophileDiot
Member

I confirm that there was indeed a mistake on my end: I edited the job code but not the actual setting in the plugin.json file 😄
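
Added example, not part of the thread and not BunkerWeb's own code: the mismatch described in the comment above is visible in the two scheduler warnings quoted earlier, and a check like this surfaces it by testing every provider the job reports against the regex the setting is validated with. The function names are hypothetical; the two strings are the warning messages from the logs above with the timestamp prefix dropped.

```python
import re

# Message part of the two scheduler warnings quoted in this thread.
SAVE_CONFIG_WARNING = (
    "Ignoring variable LETS_ENCRYPT_DNS_PROVIDER : value desec doesn't match regex "
    "^(cloudflare|digitalocean|dnsimple|dnsmadeeasy|gehirn|google|linode|luadns|nsone|ovh|"
    "rfc2136|route53|sakuracloud|scaleway)?$ - value = 'desec'"
)
JOB_WARNING = (
    "No provider found for service bwtest.tld (available providers : cloudflare, desec, "
    "digitalocean, dnsimple, dnsmadeeasy, gehirn, google, linode, luadns, nsone, ovh, "
    "rfc2136, route53, sakuracloud, scaleway), skipping certificate(s) generation..."
)


def regex_from_warning(line):
    """Return the validation regex quoted in an 'Ignoring variable' warning."""
    match = re.search(r"doesn't match regex (\S+) - value = ", line)
    if match is None:
        raise ValueError("not an 'Ignoring variable' warning")
    return match.group(1)


def providers_from_warning(line):
    """Return the provider names listed in a 'No provider found' warning."""
    match = re.search(r"available providers : ([^)]*)\)", line)
    if match is None:
        raise ValueError("not a 'No provider found' warning")
    return [name.strip() for name in match.group(1).split(",")]


def provider_drift(setting_regex, job_providers):
    """Providers the job supports but the setting's regex would reject."""
    pattern = re.compile(setting_regex)
    return sorted(p for p in job_providers if not pattern.fullmatch(p))


if __name__ == "__main__":
    drift = provider_drift(
        regex_from_warning(SAVE_CONFIG_WARNING),
        providers_from_warning(JOB_WARNING),
    )
    # A non-empty result means the two lists have drifted apart.
    print("rejected by setting regex:", drift)
```
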

@TheophileDiot
Member

At least I got the chance to discover deSEC which I didn't know existed, it's now fixed in the dev branch !

@TheophileDiot TheophileDiot added the next major Will be implemented in the next major version. label Feb 19, 2025
@darkknight7777777
Author

darkknight7777777 commented Feb 19, 2025

Those messages are gone, now I'm getting the following about the token being invalid.

[2025-02-19 18:35:37 +0000] [LETS-ENCRYPT.NEW.CERTBOT] [54] [ℹ️ ] - Encountered exception during recovery: certbot.errors.PluginError: Could not authenticate against deSEC API: b'{"detail":"Invalid token."}'
[2025-02-19 18:35:37 +0000] [LETS-ENCRYPT.NEW.CERTBOT] [54] [ℹ️ ] - Could not authenticate against deSEC API: b'{"detail":"Invalid token."}'

I created a couple new tokens as I figured it was something on my end, deleting the old containers and volumes each time.

I noticed the following in the ui

It appears to be duplicating the token at least as far as the ui is concerned.

here's what I'm using for the credential variable:
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM: "dns_desec_token = 1234"

@TheophileDiot
Member

Hi, indeed there was an issue in the web UI with the wizard, it has been fixed. Thank you for reporting it ! 😄

@darkknight7777777
Author

I was finally able to get this working after I figured out the correct syntax

LETS_ENCRYPT_DNS_CREDENTIAL_ITEM: 'token = 1234'

The UI is still duplicating the token in the wizard FYI, but if you remove the 2nd one, it works.

@TheophileDiot
Member

Hi, this may be a mistake in your env. I tested it with several variables and it worked alright 😅
