Custom script
Perform validation challenge with your own script
| Plugin type | Validation | |
|---|---|---|
| Download | Built-in | |
| Compatibility | All platforms |
Description
Run an external script or program to prepare for the validation challenge. Use this option to create TXT records at DNS providers that are not supported by native plugins (yet?) or to handle HTTP challenges in unconventional ways (e.g. calling into some API, starting a custom web server, etc.)
General
A preparation script is always required to prepare for the challenge answer. Providing a cleanup script to undo any changes made by the former is optional. You may also point to a single script to handle both tasks using different arguments.
Challenge type selection
For backwards compatibility, the script default to handling DNS challenges. To switch to HTTP challenges, you must provide the argument --validationmode http-01 in unattended mode. In interactive mode this will simply be question asked during the setup process.
Argument customization
The plugin has some hard-coded default argument templates which can be overruled according to your needs and preferences. Depending on the chosen challenge type, simple-acme will replace certain pre-defined tokens in the argument template to derive the actual arguments that will be passed to the script, thus enabling dynamic arguments to be passed. For example if your script handles DNS challenges and needs arguments like: ‑‑host _acme-challenge.example.com ‑‑token DGyRejmCefe7v4NfDGDKfA then the argument template provided to simple-acme should look like this: ‑‑host {RecordName} ‑‑token {Token}
DNS challenge arguments
For DNS challenges following replacements are made to the arguments:
| Value | Replaced with |
|---|---|
{Identifier} | Host name that's being validated, e.g. sub.example.com |
{RecordName} | Full name of the TXT record that will be queried, e.g. _acme-challenge.sub.example.com |
{ZoneName} | Registerable domain, e.g. example.com |
{NodeName} | Relative record name, e.g. _acme-challenge.sub |
{Token} | Content of the TXT record, e.g. DGyRejmCefe7v4NfDGDKfA |
{vault://json/mysecret} | Secret from the secret vault |
Default for preparation: create {Identifier} {RecordName} {Token}
Default for cleanup: delete {Identifier} {RecordName} {Token}
HTTP challenge arguments
For HTTP challenges following replacements are made to the arguments:
| Value | Replaced with |
|---|---|
{Identifier} | Identifier that is being validated, e.g. sub.example.com |
{Path} | Relative URI that will be requested (e.g. /.well-known/acme-challenge/2fsdf2) |
{FileName} | Name of the file that will be requested, e.g. 2fsdf2 |
{Token} | Expected response content |
{vault://json/mysecret} | Secret from the secret vault |
Default for preparation: prepare {Identifier} {Path} {Token}
Default for cleanup: cleanup {Identifier} {Path} {Token}
Parallelism
You can use ‑‑validationscriptparallelism to specify if your script supports parallelism. You may use the following values:
| Value | Meaning |
|---|---|
0 | Serial, default serial behaviour |
1 | Allow multiple validations to be prepared at the same time. Only do this when you are sure multiple instances of "prepare" running at the same time will not interfere with eachother. Typically difficult to achieve and therefor not recommended. |
2 | Allow multiple validations to run at the same time. This is possible in theory with every method, but you must be sure that your script is non-destructive, e.g. it should not overwrite pre-existing records or files, nor delete more than what is specifically asked for |
3 | Combination of 1 and 2 |
This only has any effect when DisableParallelism is set to false
Reference scripts
Some reference scripts are available on GitHub, including ones for EasyDNS, ZoneEdit, deSEC and Windows DNS.
External resources
A lot of good reference scripts are available from the POSH-ACME project. Note that these scripts are not compatible with simple-acme. You will have to make changes (e.g. in terms of accepted parameters and such) in order to use them.
Command line
--validation script |
Activates the plugin | |
|---|---|---|
‑‑validationscript |
Path to script that handles both preparation and cleanup, depending on its parameters. If this parameter is provided then ‑‑ValidationPrepareScript and ‑‑ValidationCleanupScript are ignored. | |
‑‑validationpreparescript |
Script that prepares to handle the validation challenge. | |
‑‑validationpreparescriptarguments |
Arguments passed to the preparation script. If not specified these will be "create {Identifier} {RecordName} {Token}" for DNS challenges or "prepare {Identifier} {Path} {Token}" for HTTP challenges. | |
‑‑validationcleanupscript |
Script that cleans up after validation has completed. | |
‑‑validationcleanupscriptarguments |
Arguments passed to the cleanup script. If not specified these will be "delete {Identifier} {RecordName} {Token}" for DNS challenges or "cleanup {Identifier} {Path} {Token}" for HTTP challenges. | |
‑‑validationscriptparallelism |
Configure parallelism mode. 0 is fully serial (default), 1 allows multiple preparations to run simultaneously, 2 allows multiple validations to run simultaneously and 3 is a combination of both forms of parallelism. | |
‑‑validationmode |
Specify which validation mode to use. HTTP-01 is the default. |
Examples
| Prepare script only | --validation script ‑‑validationpreparescript c:\create.ps1 [‑‑validationpreparescriptarguments {args}] |
|
|---|---|---|
| Separate prepare and cleanup scripts | --validation script ‑‑validationpreparescript c:\create.ps1 ‑‑validationcleanupscript c:\delete.ps1 [‑‑validationpreparescriptarguments {args}] [‑‑validationcleanupscriptarguments {args}] |
|
| Combined script | --validation script ‑‑validationscript c:\create-and-delete.ps1 [‑‑validationpreparescriptarguments {args}] [‑‑validationcleanupscriptarguments {args}] |
JSON
| ID | 8f1da72e-f727-49f0-8546-ef69e5ecec32 |
|---|
Arguments
‑‑validationmode |
Specify which validation mode to use. HTTP-01 is the default. |
|---|
Settings
Script.PowershellExecutablePath |
Customize this value to use a different version of Powershell to execute .ps1 scripts. E.g. C:\\Program Files\\PowerShell\\6.0.0\\pwsh.exe for Powershell Core 6.
Paths should be JSON-encoded, e.g. Default: "powershell.exe"
|
|
|---|---|---|
Script.Timeout |
Time in seconds to allow installation, executing and validation scripts to run before terminating them forcefully.
Type: number Default: 600
|
|
Validation.DisableMultiThreading |
Disable multithreading features for validation. Inceases runtime but may help to fix bugs caused by race conditions.
Type: boolean Default: true
|
Looking for win-acme?
simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.