feat(edge): opt-in Hetzner Cloud DNS-01 challenge method for certbot #20
Merged
The existing dns-hetzner method uses the certbot-dns-hetzner plugin, which talks to the deprecated standalone dns.hetzner.com API and now fails with "token invalid (unauthorized)" because the account uses the Hetzner Cloud API (api.hetzner.cloud/v1) for DNS. This blocks wildcard cert issuance (e.g. *.apps.0mcp.com). Add a new opt-in public_edge_acme_challenge_method=dns-hetzner-cloud that drives DNS-01 via certbot --manual hooks against the Cloud API, mirroring the rrset shape already used by the hetzner_dns_records role. The hook is stdlib-only Python; it appends (not overwrites) TXT values so SAN certs with both apex and wildcard challenges at the same _acme-challenge name coexist, and cleans up idempotently. Existing webroot and dns-hetzner behavior is unchanged (additive, inert until explicitly enabled). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
Fixes the wildcard-cert issuance failure for `*.apps.0mcp.com` (and any future wildcard SAN). The existing `dns-hetzner` challenge method uses the `certbot-dns-hetzner` plugin, which talks to the deprecated standalone `dns.hetzner.com` API and now fails with "the token you have provided is invalid (unauthorized)" — the account uses the Hetzner Cloud API (`api.hetzner.cloud/v1`) for DNS.

This adds a new opt-in `public_edge_acme_challenge_method: dns-hetzner-cloud` that drives DNS-01 through certbot `--manual` hooks against the Cloud API, mirroring the rrset shape already used by the `hetzner_dns_records` role.

What's included

- `files/hetzner_cloud_acme_hook.py` — self-contained, stdlib-only certbot auth/cleanup hook. Resolves the longest-suffix zone, computes the zone-relative `_acme-challenge` name, and appends (not overwrites) TXT values so apex + wildcard challenges at the same name coexist. Cleanup is idempotent.
- `tasks/main.yml` — three new guarded tasks (hook dir, hook copy, credential file + assert) and a three-way method branch in both certbot `certonly` argv/environment blocks.
- `defaults/main.yml` + `meta/argument_specs.yml` — three new vars and the `dns-hetzner-cloud` choice.
- `README.md` — short usage note.

Safety

- `webroot` and `dns-hetzner` render byte-identically (verified by Jinja render of all branches). Nothing changes unless `public_edge_acme_challenge_method` is explicitly set to `dns-hetzner-cloud`.
- `HETZNER_DNS_API_TOKEN` (Cloud API token) the platform already uses for `hetzner_dns_records`.

Test plan

- `py_compile` pass; hook unit-tested against a mocked Cloud API (append / dedupe / partial-cleanup / delete-on-empty / idempotent-cleanup / longest-suffix-zone / relative-name).

Known follow-up

- `id` if the Cloud API returns one, else falls back to `<name>/<type>`. The sibling role uses an opaque `provider_ref` loaded from its own inventory; if the live rrset reference differs, only the update/delete addressing needs a one-line tweak. Create/append (the wildcard path) follows the sibling role's confirmed shape exactly.
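The behaviours the PR description attributes to the hook (longest-suffix zone resolution, zone-relative `_acme-challenge` name, append-not-overwrite so apex and wildcard tokens share one rrset, idempotent cleanup with delete-on-empty) can be shown in isolation. The block below is an added example written for this page; it is not the PR's `files/hetzner_cloud_acme_hook.py` and makes no claim about the Hetzner Cloud API's request or rrset format. The DNS provider is replaced by an in-memory dict (a constructed stand-in), the zone list and tokens are constructed, and `normalize`, `resolve_zone`, `relative_challenge_name`, `auth_hook`, `cleanup_hook` and `san_cert_walkthrough` are names chosen here. A real `certbot --manual` hook would read `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` from the environment and pass them to the two hook functions.

```python
"""Zone resolution and append/cleanup semantics for an ACME DNS-01 manual hook.

Illustrative code for this page, not the PR's hook. The provider is modelled
as a dict keyed by (zone, relative_name) -> list of TXT values so the
semantics can be exercised offline. All zones and tokens are constructed.
"""
from __future__ import annotations

CHALLENGE_LABEL = "_acme-challenge"

# Constructed zone list; a real hook would fetch the account's zones.
ZONES = ["example.com", "apps.example.com"]

Store = dict[tuple[str, str], list[str]]


def normalize(domain: str) -> str:
    """Lower-case, drop the trailing dot and any leading wildcard label.

    certbot hands a wildcard to the hook with '*.' already stripped; the
    defensive strip keeps the function safe when called directly.
    """
    host = domain.strip().lower().rstrip(".")
    return host[2:] if host.startswith("*.") else host


def resolve_zone(domain: str, zones: list[str]) -> str:
    """Pick the hosted zone that is the longest suffix of the domain.

    'www.apps.example.com' belongs to 'apps.example.com', not 'example.com',
    when both zones exist; a shortest-match would write into the wrong zone.
    """
    host = normalize(domain)
    candidates = [
        z for z in (normalize(zone) for zone in zones)
        if host == z or host.endswith("." + z)
    ]
    if not candidates:
        raise LookupError(f"no hosted zone is a suffix of {domain!r}")
    return max(candidates, key=len)


def relative_challenge_name(domain: str, zone: str) -> str:
    """Zone-relative owner name of the _acme-challenge TXT record.

    At the apex this is just '_acme-challenge'; for a subdomain the remaining
    labels follow. '*.apps.example.com' and 'apps.example.com' both map to the
    same name, which is why values must be appended rather than overwritten.
    """
    host, z = normalize(domain), normalize(zone)
    if host == z:
        return CHALLENGE_LABEL
    if not host.endswith("." + z):
        raise ValueError(f"{domain!r} is not inside zone {zone!r}")
    return f"{CHALLENGE_LABEL}.{host[: -len(z) - 1]}"


def auth_hook(store: Store, zones: list[str], domain: str, validation: str) -> tuple[str, str]:
    """Add the validation token to the rrset, keeping existing values (deduped)."""
    zone = resolve_zone(domain, zones)
    name = relative_challenge_name(domain, zone)
    values = store.setdefault((zone, name), [])
    if validation not in values:  # re-running the auth hook must not duplicate
        values.append(validation)
    return zone, name


def cleanup_hook(store: Store, zones: list[str], domain: str, validation: str) -> bool:
    """Remove only this token; delete the rrset once it is empty.

    Returns False when nothing had to be removed, so a repeated cleanup (or a
    cleanup after a failed auth) is a harmless no-op.
    """
    zone = resolve_zone(domain, zones)
    name = relative_challenge_name(domain, zone)
    values = store.get((zone, name))
    if not values or validation not in values:
        return False
    remaining = [v for v in values if v != validation]
    if remaining:
        store[(zone, name)] = remaining  # the sibling challenge survives
    else:
        del store[(zone, name)]  # delete-on-empty
    return True


def san_cert_walkthrough() -> Store:
    """Apex + wildcard SAN: two tokens at one name, then full cleanup."""
    store: Store = {}
    auth_hook(store, ZONES, "apps.example.com", "tok-apex")          # constructed token
    auth_hook(store, ZONES, "*.apps.example.com", "tok-wildcard")    # constructed token
    assert store[("apps.example.com", CHALLENGE_LABEL)] == ["tok-apex", "tok-wildcard"]
    cleanup_hook(store, ZONES, "apps.example.com", "tok-apex")
    cleanup_hook(store, ZONES, "*.apps.example.com", "tok-wildcard")
    return store  # empty: the rrset was deleted with its last value


if __name__ == "__main__":
    print(san_cert_walkthrough())
```

The two properties worth checking in a real hook are the ones `san_cert_walkthrough` exercises: after both auth hooks run, the single `_acme-challenge` rrset holds both tokens, and after both cleanup hooks run the rrset is gone, with neither cleanup having removed the other certificate name's token.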