I'm using the EFF certbot ACME client to generate a single TLS certificate on my webserver that is hosting multiple domains using Subject Alternative Names (SAN). Up until now all of the domains were hosted in a specific Digital Ocean team, and I have certbot configured with the Digital Ocean DNS plugin and a personal access token created for that team to generate a certificate with multiple domains (including wildcard domains).

Now a client wants me to also serve a domain that they want to retain full control of, so we created a new Digital Ocean team, which my account (where the DO personal access token was created) has been given access to. Unfortunately, I also found out that personal access tokens are created for a team and cannot be used with another team.

I looked through the certbot docs but could not find how to configure different DO credentials for different domains for the same SAN certificate - is this even possible?

If not - what other alternatives would you suggest to implement this use case?

Guss
  • The plugin requires a config file with credentials, right? Specify different config files as required? – Håkan Lindqvist Dec 15 '20 at 08:43
  • @HåkanLindqvist I'm not sure how that would work - the documentation only mentions a single config key of the token. Can you write an answer with example configuration files? – Guss Dec 15 '20 at 08:59

2 Answers

This is apparently not supported by any built-in authenticator plugins, but can be solved by using a "manual hook" to script the challenges and therefore choose, for each domain being verified, the best method to generate the verification token.

I've written a manual hook script that supports verifying domains in multiple Digital Ocean teams/users, assuming you have a personal access token for each. The script is available here: https://gist.github.com/guss77/01f095623a1d2fd00869784554d3e1a5.

To use it, make sure you have the Digital Ocean CLI doctl tool installed somewhere (and configure it in the script) and also set up your personal access tokens in the script (the script also needs dig and a few common POSIX shell tools that I expect to find everywhere, though may not work well outside Linux).

Then instead of using one of the --dns* plugins, use:

--preferred-challenges=dns --manual \
--manual-auth-hook /path/to/certbot-hook.sh \
--manual-cleanup-hook /path/to/certbot-hook.sh

When trying to authenticate, certbot will call this script to create the DNS records for each domain to be verified - for which the script will use the doctl tool, after scanning the list of domains available using each personal access token and choosing the correct "zone" in which to create the record.

I sometimes have issues with this approach, though, specifically around the DNS propagation time - certbot supports custom DNS propagation wait timeouts for DNS plugins but not for manual mode and there is no good way to mimic it otherwise.

Guss
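An added example, not the gist linked in the answer, of the zone-selection logic such a hook needs: given a table of DNS zones and which team's token each one belongs to, it picks the most specific zone for each CERTBOT_DOMAIN, derives the TXT record name relative to that zone, and creates or deletes the record. ZONE_TABLE, the DO_TOKEN_TEAM_* variable names and the doctl flags are assumptions, not taken from the answer.

```shell
#!/bin/sh
# Added example, not the gist linked in the answer: the zone-selection core of a
# certbot --manual-auth-hook spanning several DigitalOcean teams.
# Assumed layout: ZONE_TABLE holds "<zone> <env-var-holding-that-team's-token>" pairs,
# prepared by the operator (e.g. from `doctl compute domain list` run once per token).
# Constructed sample: team A owns example.com; team B owns dev.example.com and client.example.
ZONE_TABLE='example.com DO_TOKEN_TEAM_A
dev.example.com DO_TOKEN_TEAM_B
client.example DO_TOKEN_TEAM_B'
# select_zone DOMAIN -> "<zone> <token-var> <record-name>". Picks the LONGEST zone that equals
# DOMAIN or is a suffix of it, so app.dev.example.com goes to team B rather than to team A's
# shorter example.com zone. A leading "*." (wildcard) is dropped first.
select_zone() {
    domain="${1#\*.}"
    best_zone=""; best_var=""
    while read -r zone var; do
        [ -n "$zone" ] || continue
        case "$domain" in
            "$zone"|*".$zone")
                if [ "${#zone}" -gt "${#best_zone}" ]; then
                    best_zone="$zone"; best_var="$var"
                fi ;;
        esac
    done <<EOF
$ZONE_TABLE
EOF
    [ -n "$best_zone" ] || return 1
    # the TXT record name is relative to the zone apex, as the DO API expects
    if [ "$domain" = "$best_zone" ]; then name="_acme-challenge"
    else name="_acme-challenge.${domain%".$best_zone"}"; fi
    printf '%s %s %s\n' "$best_zone" "$best_var" "$name"
}
# One script for both hooks: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION, and
# passes whatever the auth hook printed to the cleanup hook as CERTBOT_AUTH_OUTPUT, so
# the auth run prints the new record id and the cleanup run deletes exactly that id.
# doctl flags are assumed from its CLI; --access-token is what selects the team.
run_hook() {
    sel=$(select_zone "$CERTBOT_DOMAIN") || { echo "no zone for $CERTBOT_DOMAIN" >&2; return 1; }
    set -- $sel; zone=$1; name=$3
    eval "token=\$$2"
    if [ -z "$CERTBOT_AUTH_OUTPUT" ]; then
        doctl compute domain records create "$zone" --access-token "$token" \
            --record-type TXT --record-name "$name" --record-data "$CERTBOT_VALIDATION" \
            --record-ttl 60 --format ID --no-header
        sleep 30   # crude propagation wait; manual mode has no propagation-seconds option
    else
        doctl compute domain records delete "$zone" "$CERTBOT_AUTH_OUTPUT" --access-token "$token" --force
    fi
}
if [ -n "$CERTBOT_DOMAIN" ]; then run_hook; fi
```

Point both --manual-auth-hook and --manual-cleanup-hook at this file; a domain that matches no zone in the table makes the hook fail loudly instead of creating the record under the wrong team.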

I believe you can do this by simply specifying different configuration files.

As per the certbot-dns-digitalocean plugin documentation the credentials are provided in an ini file:

--dns-digitalocean-credentials DigitalOcean credentials INI file. (Required)

With the ini file containing something like:

dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

If you were to create different such files for your different credentials, you could make the plugin use different credentials by specifying these different files.

I.e., something like

certbot certonly \
  --dns-digitalocean \
  --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean-foo.ini \
  -d domain1.example

and

certbot certonly \
  --dns-digitalocean \
  --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean-bar.ini \
  -d domain2.example

would use the credentials from two separate files.

Håkan Lindqvist
  • Sorry - it wasn't made clear in my question that I need to create a single SAN certificate for all the domains. I'll fix the question. Your answer looks to be generating two different certificates. – Guss Dec 15 '20 at 14:41
  • @Guss Now, that I suspect may not be supported... – Håkan Lindqvist Dec 15 '20 at 15:56