Let's Encrypt manual certificate with preferred-challenge over DNS

Question

I'm trying to generate a letsencrypt certificate for a machine I don't have direct access to (beyond uploading the SSL certificates). I've downloaded the latest CLI (certbot) and discovered a flag --preferred-challenge which seems to allow for DNS host verification rather than the standard HTTP verification.

When I run the following:

./certbot-auto certonly --manual --preferred-challenge dns --domains domain_to_secure.com

I get the following message:

Self verification requires optional dependency dnspython to be installed.

It's easy enough to find the dnspython package on the net, but how do I get certbot to recognize it as a plugin package?

Answer 1

As certbot-auto runs and does all its initial setup, you'll see after the system packages installation a couple lines like:

Creating virtual environment...
Installing Python packages...

That's your hint. certbot-auto is a polite Python citizen and uses a virtualenv. Finding it may be awkward but the location appears fairly standard. Running as root with release v0.9.3, the virtualenv was here for Arch, Centos7 and Ubuntu 16.04: /root/.local/share/letsencrypt/. Now that we know that, we can use the virtualenv's pip to install the dependency.

$ /root/.local/share/letsencrypt/bin/pip install dnspython

---

Bonus if you really want to confirm, mimic certbot's code:

$ /root/.local/share/letsencrypt/bin/python
>>> from acme import util
>>> import acme.dns_resolver
>>> util.activate(acme.dns_resolver.DNS_REQUIREMENT)