letsencrypt: add additional arguments to certbot

home-assistant · Feb 22, 2025 · 9990fc1 · 9990fc1
1 parent bb850f1
commit 9990fc1
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 0 deletions.
diff --git a/letsencrypt/CHANGELOG.md b/letsencrypt/CHANGELOG.md
@@ -6,6 +6,7 @@
 - Refactor configuration and align with documentation
 - Refactor scripts
 - Switch gandi-dns to a maintained version (certbot-plugin-gandi-modern)
+- Add additional arguments to certbot (dry-run, test-cert, verbose)
 
 ## 5.3.3
 

diff --git a/letsencrypt/config.yaml b/letsencrypt/config.yaml
@@ -40,6 +40,9 @@ schema:
   eab_hmac_key: str?
   key_type: list(ecdsa|rsa)?
   elliptic_curve: list(secp256r1|secp384r1)?
+  dry_run: bool?
+  test_cert: bool?
+  verbose: bool?
   dns:
     # Developer note: please add a new plugin alphabetically into all lists
     aws_access_key_id: str?

diff --git a/letsencrypt/rootfs/etc/services.d/lets-encrypt/run b/letsencrypt/rootfs/etc/services.d/lets-encrypt/run
@@ -21,6 +21,9 @@ ACME_SERVER=$(bashio::config 'acme_server')
 ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert')
 EAB_KID=$(bashio::config 'eab_kid')
 EAB_HMAC_KEY=$(bashio::config 'eab_hmac_key')
+DRY_RUN=$(bashio::config 'dry_run')
+TEST_CERT=$(bashio::config 'test_cert')
+VERBOSE=$(bashio::config 'verbose')
 
 if [ "${CHALLENGE}" == "dns" ]; then
     bashio::log.info "Selected DNS Provider: ${DNS_PROVIDER}"
@@ -346,11 +349,24 @@ if bashio::config.has_value 'eab_kid' ; then
     EAB_ARGUMENTS+=("--eab-kid" "${EAB_KID}" "--eab-hmac-key" "${EAB_HMAC_KEY}")
 fi
 
+# Define additional arguments based on configuration
+ADDITIONAL_ARGS=()
+if [ "${DRY_RUN}" = "true" ]; then
+    ADDITIONAL_ARGS+=("--dry-run")
+fi
+if [ "${TEST_CERT}" = "true" ]; then
+    ADDITIONAL_ARGS+=("--test-cert")
+fi
+if [ "${VERBOSE}" = "true" ]; then
+    ADDITIONAL_ARGS+=("-vvv")
+fi
+
 # Generate a new certificate if necessary or expand a previous certificate if domains has changed
 if [ "$CHALLENGE" == "dns" ]; then
     certbot certonly --non-interactive --keep-until-expiring --expand \
         --email "$EMAIL" --agree-tos \
         "${KEY_ARGUMENTS[@]}" \
+        "${ADDITIONAL_ARGS[@]}" \
         --cert-name "${DOMAIN_ARR[1]}" "${DOMAIN_ARR[@]}" \
         --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
         --preferred-challenges "$CHALLENGE" "${PROVIDER_ARGUMENTS[@]}" \
@@ -360,6 +376,7 @@ else
     certbot certonly --non-interactive --keep-until-expiring --expand \
         --email "$EMAIL" --agree-tos \
         "${KEY_ARGUMENTS[@]}" \
+        "${ADDITIONAL_ARGS[@]}" \
         --cert-name "${DOMAIN_ARR[1]}" "${DOMAIN_ARR[@]}" \
         --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
         --preferred-challenges "$CHALLENGE" "${ACME_CUSTOM_SERVER_ARGUMENTS[@]}" --standalone \

diff --git a/letsencrypt/translations/en.yaml b/letsencrypt/translations/en.yaml
@@ -42,5 +42,17 @@ configuration:
     description: >-
       Elliptic curve for ECDSA keys. This option must be used with Key Type
       set to ECDSA. If unset the Certbot default will be used.
+  dry_run:
+    name: Dry Run
+    description: >-
+      Do a certbot dry-run for requesting the certificates.
+  test_cert:
+    name: Issue test certificates
+    description: >-
+      Obtain a test certificate from a staging server.
+  verbose:
+    name: Verbose Mode
+    description: >-
+      Run certbot in verbose mode.
 network:
   80/tcp: Only needed for http challenge