letsencrypt: Update certbot and dns plugins (#3902)

* letsencrypt: update certbot and dns plugins * fixes CVE-2024-12797 * letsencrypt: Update remaining dns challenges with DNS_PROVIDER placeholder * letsencrypt: Remove verbose flag from INWX command line * letsencrypt: Update INWX API URL * letsencrypt: disabled dns-mijn-host and dns-websupport * plugins are currently outdated and/or unmaintained * add breaking_versions to config.yaml Co-authored-by: Stefan Agner <stefan@agner.ch> Signed-off-by: Goetz Goerisch <47734341+GoetzGoerisch@users.noreply.github.com> * letsencrypt: update to Python 3.13 and Alpine 3.21 Signed-off-by: Goetz Goerisch <47734341+GoetzGoerisch@users.noreply.github.com> * letsencrypt: fix cmd inconsistency for dns-infomaniak --------- Signed-off-by: Goetz Goerisch <47734341+GoetzGoerisch@users.noreply.github.com> Co-authored-by: Stefan Agner <stefan@agner.ch>
home-assistant · Feb 14, 2025 · 72f0b7f · 72f0b7f
1 parent e316767
commit 72f0b7f
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 34 deletions.
diff --git a/letsencrypt/CHANGELOG.md b/letsencrypt/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Changelog
 
+## 5.3.0
+
+- Disabled certbot-dns-mijn-host (Breaking change)
+  - issue: [mijnhost/certbot-dns-mijn-host#8](https://github.com/mijnhost/certbot-dns-mijn-host/issues/8)
+- Disabled certbot-dns-websupport (Breaking change)
+  - issue: [johnybx/certbot-dns-websupport#1](https://github.com/johnybx/certbot-dns-websupport/issues/1)
+- Update to Python 3.13
+- Update to Alpine 3.21
+- Update certbot to 3.1.0
+- Update acme to 3.1.0
+- Update cryptography to 44.0.1
+- Update certbot-dns-azure to 2.6.1
+- Update certbot-dns-directadmin to 10.0.13
+- Update certbot-dns-duckdns to 1.5
+- Update certbot-dns-dynu to 0.0.6
+- Update certbot-dns-inwx to 3.0.1
+- Update certbot-dns-ionos to 2024.11.9
+- Update certbot-dns-norisnetwork to 0.3.0
+- Update certbot-dns-porkbun to 0.9.1
+- Update certbot-dns-netcup to 1.4.4
+- Update certbot-dns-njalla to 2.0.2
+- Update the remaining dns challenges with DNS_PROVIDER placeholder
+
 ## 5.2.12
 
 - Add rfc2136_sign_query parameter to config.yaml

diff --git a/letsencrypt/DOCS.md b/letsencrypt/DOCS.md
@@ -61,7 +61,7 @@ dns-joker
 dns-linode
 dns-loopia
 dns-luadns
-dns-mijn-host
+dns-mijn-host (currently disable - see changelog)
 dns-njalla
 dns-noris
 dns-simply
@@ -78,7 +78,7 @@ dns-inwx
 dns-porkbun
 dns-easydns
 dns-domainoffensive
-dns-websupport
+dns-websupport (currently disable - see changelog)
 ```
 </details>
 
@@ -978,7 +978,7 @@ dns:
 
 <details>
 
-  <summary>WebSupport</summary>
+  <summary>WebSupport (currently disable - see changelog)</summary>
 
 An identifier and secret key have to be obtained to use this module (see https://admin.websupport.sk/sk/auth/apiKey).
 
@@ -1088,7 +1088,7 @@ The API key assigned to your Simply.com account can be found in your Simply.com
 
 
 <details>
-  <summary>mijn.host DNS challenge</summary>
+  <summary>mijn.host DNS challenge (currently disable - see changelog)</summary>
 
   ```yaml
   email: your.email@example.com
@@ -1138,7 +1138,7 @@ dns-ionos
 dns-linode
 dns-loopia
 dns-luadns
-dns-mijn-host
+dns-mijn-host (currently disable - see changelog)
 dns-njalla
 dns-noris
 dns-plesk
@@ -1156,7 +1156,7 @@ dns-inwx
 dns-porkbun
 dns-easydns
 dns-domainoffensive
-dns-websupport
+dns-websupport (currently disable - see changelog)
 ```
 
 ## Support

diff --git a/letsencrypt/Dockerfile b/letsencrypt/Dockerfile
@@ -74,7 +74,8 @@ RUN \
         certbot-dns-linode==${CERTBOT_VERSION} \
         certbot-dns-loopia==${CERTBOT_DNS_LOOPIA_VERSION} \
         certbot-dns-luadns==${CERTBOT_VERSION} \
-        certbot-dns-mijn-host==${CERTBOT_DNS_MIJN_HOST_VERSION} \
+        # Disabled due to unresolved issues
+        # certbot-dns-mijn-host==${CERTBOT_DNS_MIJN_HOST_VERSION} \
         certbot-dns-njalla==${CERTBOT_NJALLA_VERSION} \
         certbot-dns-norisnetwork==${CERTBOT_DNS_NORISNETWORK_VERSION} \
         certbot-dns-nsone==${CERTBOT_VERSION} \
@@ -93,7 +94,8 @@ RUN \
         certbot-dns-hurricane-electric==${CERTBOT_DNS_HURRICANE_ELECTRIC_VERSION} \
         certbot-dns-easydns==${CERTBOT_DNS_EASYDNS_VERSION} \
         certbot-dns-domainoffensive==${CERTBOT_DNS_DOMAINOFFENSIVE_VERSION} \
-        certbot-dns-websupport==${CERTBOT_DNS_WEBSUPPORT_VERSION} \
+        # Disabled due to unresolved issues
+        # certbot-dns-websupport==${CERTBOT_DNS_WEBSUPPORT_VERSION} \
         certbot-dns-plesk==${CERTBOT_DNS_PLESK_VERSION} \
         acme==${ACME_VERSION} \
     && apk del .build-dependencies

diff --git a/letsencrypt/build.yaml b/letsencrypt/build.yaml
@@ -1,43 +1,43 @@
 ---
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.12-alpine3.20
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.12-alpine3.20
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.12-alpine3.20
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.12-alpine3.20
-  i386: ghcr.io/home-assistant/i386-base-python:3.12-alpine3.20
+  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.21
+  amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.21
+  armhf: ghcr.io/home-assistant/armhf-base-python:3.13-alpine3.21
+  armv7: ghcr.io/home-assistant/armv7-base-python:3.13-alpine3.21
+  i386: ghcr.io/home-assistant/i386-base-python:3.13-alpine3.21
 codenotary:
   signer: notary@home-assistant.io
   base_image: notary@home-assistant.io
 args:
   CLOUDFLARE_VERSION: 2.19.4
-  CRYPTOGRAPHY_VERSION: 42.0.8
-  CERTBOT_VERSION: 2.11.0
-  CERTBOT_DNS_AZURE_VERSION: 2.5.0
+  CRYPTOGRAPHY_VERSION: 44.0.1
+  CERTBOT_VERSION: 3.1.0
+  CERTBOT_DNS_AZURE_VERSION: 2.6.1
   CERTBOT_DNS_CLOUDNS_VERSION: 0.7.0
   CERTBOT_DNS_DESEC_VERSION: 1.2.1
-  CERTBOT_DNS_DIRECTADMIN_VERSION: 1.0.12
-  CERTBOT_DNS_DUCKDNS_VERSION: 1.3
-  CERTBOT_DNS_DYNU_VERSION: 0.0.5
+  CERTBOT_DNS_DIRECTADMIN_VERSION: 1.0.13
+  CERTBOT_DNS_DUCKDNS_VERSION: 1.5
+  CERTBOT_DNS_DYNU_VERSION: 0.0.6
   CERTBOT_DNS_EASYDNS_VERSION: 0.1.4
   CERTBOT_DNS_HURRICANE_ELECTRIC_VERSION: 0.1.0
   CERTBOT_DNS_HETZNER_VERSION: 2.0.1
   CERTBOT_DNS_INFOMANIAK_VERSION: 0.2.3
-  CERTBOT_DNS_INWX_VERSION: 2.2.0
-  CERTBOT_DNS_IONOS_VERSION: 2024.1.8
+  CERTBOT_DNS_INWX_VERSION: 3.0.1
+  CERTBOT_DNS_IONOS_VERSION: 2024.11.9
   CERTBOT_DNS_JOKER_VERSION: 1.1.0
   CERTBOT_DNS_LOOPIA_VERSION: 1.0.1
   CERTBOT_DNS_MIJN_HOST_VERSION: 0.0.5
   CERTBOT_DNS_NAMECHEAP_VERSION: 1.0.0
-  CERTBOT_DNS_NORISNETWORK_VERSION: 0.2.1
+  CERTBOT_DNS_NORISNETWORK_VERSION: 0.3.0
   CERTBOT_DNS_TRANSIP_VERSION: 0.5.2
-  CERTBOT_DNS_PORKBUN_VERSION: 0.8.0
+  CERTBOT_DNS_PORKBUN_VERSION: 0.9.1
   CERTBOT_DNS_WEBSUPPORT_VERSION: 2.0.1
   CERTBOT_DNS_SIMPLY_VERSION: 0.1.2
   CERTBOT_GANDI_VERSION: 1.5.0
-  CERTBOT_NETCUP_VERSION: 1.4.3
-  CERTBOT_NJALLA_VERSION: 1.0.0
+  CERTBOT_NETCUP_VERSION: 1.4.4
+  CERTBOT_NJALLA_VERSION: 2.0.2
   CERTBOT_DNS_DREAMHOST_VERSION: 1.0
   CERTBOT_DNS_DOMAINOFFENSIVE_VERSION: 2.0.0
   CERTBOT_DNS_PLESK_VERSION: 0.3.0
   CERTBOT_DNS_GODADDY_VERSION: 2.8.0
-  ACME_VERSION: 2.11.0
+  ACME_VERSION: 3.1.0
diff --git a/letsencrypt/config.yaml b/letsencrypt/config.yaml
@@ -1,5 +1,6 @@
 ---
-version: 5.2.12
+version: 5.3.0
+breaking_versions: [5.3.0]
 slug: letsencrypt
 name: Let's Encrypt
 description: Manage certificate from Let's Encrypt

diff --git a/letsencrypt/rootfs/etc/cont-init.d/file-structure.sh b/letsencrypt/rootfs/etc/cont-init.d/file-structure.sh
@@ -68,7 +68,7 @@ echo -e "dns_desec_token = $(bashio::config 'dns.desec_token')\n" \
       "dns_transip_username = $(bashio::config 'dns.transip_username')\n" \
       "dns_transip_global_key = $(bashio::config 'dns.transip_global_key')\n" \
       "dns_transip_key_file = /data/transip-rsa.key\n" \
-      "dns_inwx_url = https://api.domrobot.com/xmlrpc/\n" \
+      "dns_inwx_url = https://api.domrobot.com\n" \
       "dns_inwx_username = $(bashio::config 'dns.inwx_username')\n" \
       "dns_inwx_password = $(bashio::config 'dns.inwx_password')\n" \
       "dns_inwx_shared_secret = $(bashio::config 'dns.inwx_shared_secret')\n" \

diff --git a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
@@ -103,7 +103,7 @@ elif [ "${DNS_PROVIDER}" == "dns-cloudflare" ]; then
             "dns_cloudflare_api_key = $(bashio::config 'dns.cloudflare_api_key')\n" >> "/data/dnsapikey"
     fi
 
-    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--dns-cloudflare-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # DigitalOcean
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-digitalocean" ]; then
@@ -152,12 +152,12 @@ elif [ "${DNS_PROVIDER}" == "dns-godaddy" ]; then
 # Hetzner
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-hetzner" ]; then
     bashio::config.require 'dns.hetzner_api_token'
-    PROVIDER_ARGUMENTS+=("--authenticator" "dns-hetzner" "--dns-hetzner-credentials" "/data/dnsapikey" "--dns-hetzner-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # Infomaniak
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-infomaniak" ]; then
     bashio::config.require 'dns.infomaniak_api_token'
-    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" /data/dnsapikey "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # IONOS
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-ionos" ]; then
@@ -200,7 +200,7 @@ elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-njalla" ]; then
 
 # rfc2136
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-rfc2136" ]; then
-    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--dns-rfc2136-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 # Azure
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-azure" ]; then
@@ -221,7 +221,7 @@ elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-inwx" ]; then
     bashio::config.require 'dns.inwx_username'
     bashio::config.require 'dns.inwx_password'
     bashio::config.require 'dns.inwx_shared_secret'
-    PROVIDER_ARGUMENTS+=("-v" "--authenticator" "${DNS_PROVIDER}" "--dns-inwx-credentials" "/data/dnsapikey" "--dns-inwx-propagation-seconds" "${PROPAGATION_SECONDS}")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey" "--${DNS_PROVIDER}-propagation-seconds" "${PROPAGATION_SECONDS}")
 
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-desec" ]; then
     bashio::config.require 'dns.desec_token'
@@ -242,7 +242,7 @@ elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-cloudns" ]; then
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-dreamhost" ]; then
     bashio::config.require 'dns.dreamhost_baseurl'
     bashio::config.require 'dns.dreamhost_api_key'
-    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--dns-dreamhost-credentials" "/data/dnsapikey")
+    PROVIDER_ARGUMENTS+=("--authenticator" "${DNS_PROVIDER}" "--${DNS_PROVIDER}-credentials" "/data/dnsapikey")
 
 # Hurricane Electric
 elif [ "${CHALLENGE}" == "dns" ] && [ "${DNS_PROVIDER}" == "dns-he" ]; then