# certbot-dns-f5xc
A Certbot DNS plugin for F5 Distributed Cloud (F5XC) that allows you to obtain and renew Let's Encrypt certificates using DNS-01 challenges.
## Overview
This plugin enables automatic SSL/TLS certificate management through Let's Encrypt using DNS-01 challenges with F5 Distributed Cloud DNS services. It's particularly useful for wildcard certificates and domains that can't be validated through HTTP-01 challenges.
## Features
- **DNS-01 Challenge Support**: Automates Let's Encrypt DNS-01 challenges using the F5XC DNS API
- **Multi-Domain Support**: Handle multiple domains and subdomains with a single configuration
- **Dynamic DNS Zone Detection**: Automatically extracts DNS zones from domain names
- **Flexible Authentication**: Supports both certificate-based authentication (recommended) and API token authentication
- **Resource Record Set (RRSet) Management**: Properly manages DNS records within F5XC's RRSet structure
- **Automatic Cleanup**: Removes TXT records after certificate validation
## Installation
### From Source
```bash
git clone https://github.com/fadlytabrani/certbot-dns-f5xc.git
cd certbot-dns-f5xc
pip install -e .
```
### Using pip
```bash
pip install certbot-dns-f5xc
```
## Configuration
**Authentication Priority**: When both certificate and API token credentials are provided, the plugin automatically uses certificate authentication and ignores the API token.
### Certificate-based Authentication (Recommended)
Create a configuration file at `~/.config/certbot/f5xc.ini`:
```ini
# F5XC DNS plugin configuration
dns_f5xc_tenant = your-tenant-id
dns_f5xc_certificate_path = /path/to/your/certificate.p12
dns_f5xc_certificate_password = your-certificate-password
dns_f5xc_propagation_seconds = 60 # Optional - DNS propagation delay in seconds
```
### API Token Authentication (Deprecated)
```ini
# F5XC DNS plugin configuration
dns_f5xc_api_token = your-api-token
dns_f5xc_propagation_seconds = 60 # Optional - DNS propagation delay in seconds
```
#### Configuration Options
- **`dns_f5xc_tenant`** (required for certificate auth): Your F5XC tenant ID
- **`dns_f5xc_certificate_path`** (required for certificate auth): Path to your P12 certificate file
- **`dns_f5xc_certificate_password`** (required for certificate auth): Password for the P12 certificate
- **`dns_f5xc_api_token`** (required for token auth): F5XC API token (deprecated)
- **`dns_f5xc_propagation_seconds`** (optional): DNS propagation delay in seconds (default: 60)
- **`dns_f5xc_rrset_identifier`** (optional): Custom identifier for RRSet naming (default: auto-detected machine hostname)
#### Authentication Priority
**Important**: The plugin uses a priority-based authentication system:
1. **Certificate Authentication (Priority 1)**: If `certificate_path`, `certificate_password`, and `tenant` are all provided, the plugin will use certificate authentication and **ignore any API token**.
2. **API Token Authentication (Priority 2)**: Only if certificate credentials are missing or incomplete will the plugin fall back to API token authentication.
**Example**: If you provide both certificate and API token credentials, the plugin will use certificate authentication and silently ignore the API token.
**Recommendation**: Use certificate authentication for production environments as it's more secure and provides better access control.
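The priority rules above mean that a typo in one certificate setting makes the plugin fall back to the deprecated API token without an error. The following pre-flight check is an added example, not part of the plugin: `parse_credentials`, `audit` and the sample file are assumptions written from the rules in this README, and the permission check assumes a POSIX mode value.

```python
import stat

CERT_KEYS = ("dns_f5xc_tenant", "dns_f5xc_certificate_path",
             "dns_f5xc_certificate_password")
TOKEN_KEY = "dns_f5xc_api_token"

# Constructed sample: the path key is misspelled, so certificate settings are incomplete.
SAMPLE = """\
dns_f5xc_tenant = your-tenant-id
dns_f5xc_certificate_pth = /path/to/your/certificate.p12
dns_f5xc_certificate_password = your-certificate-password
dns_f5xc_api_token = your-api-token
"""

def parse_credentials(text):
    """Parse 'key = value' lines, skipping blanks and '#' comments."""
    creds = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()  # simplification: ' #' starts a comment
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        creds[key.strip()] = value.strip()
    return creds

def audit(creds, mode=None):
    """Return (selected_auth, findings) following the README's priority rules."""
    missing = [k for k in CERT_KEYS if not creds.get(k)]
    has_token = bool(creds.get(TOKEN_KEY))
    findings = []
    if not missing:
        selected = "certificate"
        if has_token:
            findings.append("API token is ignored; remove it from the file")
    elif has_token:
        selected = "api_token"
        if len(missing) < len(CERT_KEYS):
            findings.append("certificate settings incomplete, deprecated token "
                            "auth will be used; missing: " + ", ".join(missing))
    else:
        selected = None
        findings.append("no complete credential set; missing: " + ", ".join(missing))
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other; restrict to mode 600")
    return selected, findings
```

To audit a file on disk, pass `stat.S_IMODE(os.stat(path).st_mode)` as `mode` along with the parsed contents.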
## Dynamic DNS Zone Detection
The plugin automatically extracts the DNS zone from domain names, making it perfect for multi-domain setups:
- **`example.com`** → Zone: `example.com`
- **`api.example.com`** → Zone: `example.com`
- **`sub.api.example.com`** → Zone: `example.com`
- **`www.example.com`** → Zone: `example.com`
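The four mappings above all have a two-label zone, so they do not show what happens under a multi-label public suffix such as `co.uk`. The following added example (not the plugin's code; `hosted_zones` and all function names are assumptions) selects the zone by longest match against the zones actually hosted in the tenant and derives the `_acme-challenge` TXT record name relative to it, with a last-two-labels rule alongside for comparison.

```python
def _normalize(domain):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = domain.rstrip(".").lower()
    return name[2:] if name.startswith("*.") else name


def naive_zone(domain):
    """Last two labels; correct for example.com, wrong for example.co.uk."""
    return ".".join(_normalize(domain).split(".")[-2:])


def match_zone(domain, hosted_zones):
    """Longest hosted zone that equals the name or is a label-aligned suffix."""
    name = _normalize(domain)
    best = None
    for zone in hosted_zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def challenge_record(domain, hosted_zones):
    """Return (zone, TXT record name relative to the zone) for DNS-01."""
    name = _normalize(domain)  # a wildcard is validated at its base name
    zone = match_zone(name, hosted_zones)
    if zone is None:
        raise ValueError("no hosted zone covers " + domain)
    fqdn = "_acme-challenge." + name
    return zone, fqdn[: -(len(zone) + 1)]


# Constructed zone list for illustration.
HOSTED = ["example.com", "example.co.uk"]
```

Matching on `"." + zone` keeps the comparison label-aligned, so `notexample.com` is never treated as part of `example.com`.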
## Resource Record Set (RRSet) Management
The plugin uses F5XC's Resource Record Set (RRSet) approach for DNS management:
- **Creates machine-specific "certbot-{identifier}" RRSets** for managing ACME challenge records
- **Configurable RRSet identifiers** via `dns_f5xc_rrset_identifier` in your INI file
- **Automatic machine identification** when no custom identifier is specified
- **Properly structures TXT records** within the RRSet for public DNS publishing
- **Ensures DNS propagation** by using F5XC's recommended API patterns
- **Automatic cleanup** of challenge records and empty RRSets after validation
### RRSet Naming Strategy
The plugin automatically creates machine-specific RRSets to prevent conflicts:
- **Default behavior**: Uses sanitized hostname (e.g., `certbot-ft-mbp1-local`)
- **Custom identifier**: Set `dns_f5xc_rrset_identifier = your_custom_name` in your INI file
- **F5XC compliance**: All names automatically follow RFC 1035 naming rules
- **Multi-device support**: Each device gets its own isolated RRSet
## Usage
### Basic Certificate Request
```bash
certbot certonly \
  --authenticator dns-f5xc \
  --dns-f5xc-credentials ~/.config/certbot/f5xc.ini \
  --dns-f5xc-propagation-seconds 60 \
  -d example.com \
  -d '*.example.com'  # quoted so the shell does not glob-expand the wildcard
```
### Wildcard Certificate
```bash
certbot certonly \
  --authenticator dns-f5xc \
  --dns-f5xc-credentials ~/.config/certbot/f5xc.ini \
  -d '*.example.com'  # quoted so the shell does not glob-expand the wildcard
```
### Certificate Renewal
```bash
certbot renew --authenticator dns-f5xc
```
## Development
### Setup Development Environment
```bash
git clone https://github.com/fadlytabrani/certbot-dns-f5xc.git
cd certbot-dns-f5xc
pip install -e ".[dev]"
```
### Running Tests
```bash
pytest
```
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
## License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
## Support
If you encounter any issues or have questions, please:
- Open an issue on GitHub
## Acknowledgments
This plugin follows Certbot's standard DNS authenticator patterns for consistency and reliability.
Raw data
{
"_id": null,
"home_page": "https://github.com/fadlytabrani/certbot-dns-f5xc",
"name": "certbot-dns-f5xc",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": "Fadly Tabrani <fadly.tabrani@gmail.com>",
"keywords": "certbot, dns, f5xc, lets-encrypt, ssl, certificate",
"author": "Fadly Tabrani",
"author_email": "Fadly Tabrani <fadly.tabrani@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/eb/40/dffe44e25bd5c75033934e6688a268696839ec4dbcf1ab75d0aa43690d1d/certbot_dns_f5xc-1.0.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "Apache License 2.0",
"summary": "F5 Distributed Cloud (F5XC) DNS Authenticator plugin for Certbot",
"version": "1.0.0",
"project_urls": {
"Changelog": "https://github.com/fadlytabrani/certbot-dns-f5xc/releases",
"Documentation": "https://github.com/fadlytabrani/certbot-dns-f5xc#readme",
"Homepage": "https://github.com/fadlytabrani/certbot-dns-f5xc",
"Issues": "https://github.com/fadlytabrani/certbot-dns-f5xc/issues",
"Repository": "https://github.com/fadlytabrani/certbot-dns-f5xc"
},
"split_keywords": [
"certbot",
" dns",
" f5xc",
" lets-encrypt",
" ssl",
" certificate"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "716af15d688506798dbc3ad26cdeb0e8fbf21e0f4f8a89c9bd64a94a35361c5b",
"md5": "d91744afa8ce8bc5ae449999f07b5849",
"sha256": "b78ae5536456fb05ec22ee7c7c77b6d09801c7458936545b2ba83e4a8dfbb3f4"
},
"downloads": -1,
"filename": "certbot_dns_f5xc-1.0.0-py2.py3-none-any.whl",
"has_sig": false,
"md5_digest": "d91744afa8ce8bc5ae449999f07b5849",
"packagetype": "bdist_wheel",
"python_version": "py2.py3",
"requires_python": ">=3.6",
"size": 14447,
"upload_time": "2025-08-22T12:29:29",
"upload_time_iso_8601": "2025-08-22T12:29:29.600469Z",
"url": "https://files.pythonhosted.org/packages/71/6a/f15d688506798dbc3ad26cdeb0e8fbf21e0f4f8a89c9bd64a94a35361c5b/certbot_dns_f5xc-1.0.0-py2.py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "eb40dffe44e25bd5c75033934e6688a268696839ec4dbcf1ab75d0aa43690d1d",
"md5": "f1f582d563c1afecfa8add9d73e769fa",
"sha256": "bcc17f818b7a1c1bfc66acdde76e8731a7ca85d9e77eb9123254c44c15ca911b"
},
"downloads": -1,
"filename": "certbot_dns_f5xc-1.0.0.tar.gz",
"has_sig": false,
"md5_digest": "f1f582d563c1afecfa8add9d73e769fa",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 20814,
"upload_time": "2025-08-22T12:29:32",
"upload_time_iso_8601": "2025-08-22T12:29:32.028941Z",
"url": "https://files.pythonhosted.org/packages/eb/40/dffe44e25bd5c75033934e6688a268696839ec4dbcf1ab75d0aa43690d1d/certbot_dns_f5xc-1.0.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-22 12:29:32",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "fadlytabrani",
"github_project": "certbot-dns-f5xc",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "requests",
"specs": [
[
">=",
"2.25.0"
]
]
},
{
"name": "cryptography",
"specs": [
[
">=",
"3.4.0"
]
]
},
{
"name": "setuptools",
"specs": [
[
">=",
"39.0.1"
]
]
}
],
"lcname": "certbot-dns-f5xc"
}