{"id":13557564,"url":"https://github.com/adferrand/dnsrobocert","last_synced_at":"2026-04-28T10:01:11.590Z","repository":{"id":38272077,"uuid":"94475570","full_name":"adferrand/dnsrobocert","owner":"adferrand","description":"Orchestrate Certbot and Lexicon together to provide Let's Encrypt TLS certificates validated by DNS challenges","archived":false,"fork":false,"pushed_at":"2026-04-28T08:37:57.000Z","size":2336,"stargazers_count":563,"open_issues_count":33,"forks_count":93,"subscribers_count":9,"default_branch":"main","last_synced_at":"2026-04-28T09:20:05.128Z","etag":null,"topics":["certbot","dns","dns-challenge","docker","letsencrypt","lexicon","ssl","ssl-certificate"],"latest_commit_sha":null,"homepage":"https://dnsrobocert.readthedocs.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adferrand.png","metadata":{"files":{"readme":"README.rst","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2017-06-15T20:19:05.000Z","updated_at":"2026-04-28T08:02:12.000Z","dependencies_parsed_at":"2024-01-14T16:08:59.248Z","dependency_job_id":"da78e100-9545-488e-926b-2d6042d70abb","html_url":"https://github.com/adferrand/dnsrobocert","commit_stats":{"total_commits":862,"total_committers":29,"mean_commits":"29.724137931034484","dds":"0.27262180974477956","last_synced_commit":"292b93ad8e035786f59a44fe17f829ce2018036c"},"previous_names":[],"tags_count":105,"template":false,"template_full_name":null,"purl":"pkg:github/adferrand/dnsrobocert","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adferrand%2Fdnsrobocert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adferrand%2Fdnsrobocert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adferrand%2Fdnsrobocert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adferrand%2Fdnsrobocert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adferrand","download_url":"https://codeload.github.com/adferrand/dnsrobocert/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adferrand%2Fdnsrobocert/sbom","scorecard":{"id":166305,"data":{"date":"2025-08-11","repo":{"name":"github.com/adferrand/dnsrobocert","commit":"0086a1b555cf6b8161dbc8815f1933b8a8677f1c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.8,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/25 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/main.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/pages.yml:9","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/test-results.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/pages.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-results.yaml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/adferrand/dnsrobocert/test-results.yaml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:13: pin your Docker image by updating docker.io/python:3.11.12-slim to docker.io/python:3.11.12-slim@sha256:dbf1de478a55d6763afaa39c2f3d7b54b25230614980276de5cacdde79529d0c","Warn: pipCommand not pinned by hash: Dockerfile:5-11","Warn: downloadThenRun not pinned by hash: Dockerfile:20-29","Warn: pipCommand not pinned by hash: Dockerfile:20-29","Warn: downloadThenRun not pinned by hash: .github/workflows/main.yml:62","Info:   0 out of  15 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  11 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   0 out of   2 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:23"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 5 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-16T14:58:29.021Z","repository_id":38272077,"created_at":"2025-08-16T14:58:29.022Z","updated_at":"2025-08-16T14:58:29.022Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32375625,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T09:24:15.638Z","status":"ssl_error","status_checked_at":"2026-04-28T09:24:15.071Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certbot","dns","dns-challenge","docker","letsencrypt","lexicon","ssl","ssl-certificate"],"created_at":"2024-08-01T12:04:25.320Z","updated_at":"2026-04-28T10:01:11.562Z","avatar_url":"https://github.com/adferrand.png","language":"Python","funding_links":[],"categories":["Python","docker"],"sub_categories":[],"readme":"======\n|logo|\n======\n\n|version| |python_support| |docker| |ci| |coverage|\n\n.. |logo| image:: https://adferrand.github.io/dnsrobocert/_images/dnsrobocert.svg\n    :alt: DNSroboCert\n.. |version| image:: https://img.shields.io/pypi/v/dnsrobocert\n    :target: https://pypi.org/project/dnsrobocert/\n.. |python_support| image:: https://img.shields.io/pypi/pyversions/dnsrobocert\n    :target: https://pypi.org/project/dnsrobocert/\n.. |docker| image:: https://img.shields.io/docker/pulls/adferrand/dnsrobocert\n    :target: https://hub.docker.com/r/adferrand/dnsrobocert\n.. |ci| image:: https://img.shields.io/github/actions/workflow/status/adferrand/dnsrobocert/main.yml?branch=master\n    :target: https://github.com/adferrand/dnsrobocert/actions/workflows/main.yml\n.. |coverage| image:: https://img.shields.io/codecov/c/github/adferrand/dnsrobocert/master\n    :target: https://app.codecov.io/gh/adferrand/dnsrobocert/branch/master\n\n.. contents:: Table of Contents\n   :local:\n\n.. tag:intro-begin\n\nFeatures\n========\n\nDNSroboCert is designed to manage `Let's Encrypt`_ SSL certificates based on `DNS challenges`_.\n\n* Let's Encrypt wildcard and regular certificates generation by Certbot_ using DNS challenges,\n* Integrated automated renewal of almost expired certificates,\n* Standardized API through Lexicon_ library to insert the DNS challenge with various DNS providers,\n* Centralized YAML configuration file to maintain several certificates and several DNS providers\n  with configuration validity control,\n* Modification of container configuration without restart,\n* Flexible hooks upon certificate creation/renewal including containers restart, commands in containers\n  or custom hooks,\n* Support for `DNS alias mode`_ (see the ``follow_cnames`` option in the `certificate section`_),\n* Linux, Mac OS X and Windows support, with a particular care for Docker services,\n* Delivered as a standalone application and a Docker image.\n\n.. _DNS alias mode: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode\n.. _certificate section: https://adferrand.github.io/dnsrobocert/configuration_reference.html#certificates-section\n\nWhy use DNSroboCert\n===================\n\nIf you are reading these lines, you certainly want to secure all your services using Let's Encrypt SSL\ncertificates, which are free and accepted everywhere.\n\nIf you want to secure Web services through HTTPS, there is already plenty of great tools. In the Docker\nworld, one can check Traefik_, or nginx-proxy_ + letsencrypt-nginx-proxy-companion_. Basically, theses tools\nwill allow automated and dynamic generation/renewal of SSL certificates, based on TLS or HTTP challenges,\non top of a reverse proxy to encrypt everything through HTTPS.\n\nSo far so good, but you may fall in one of the following categories:\n\n1. You are in a firewalled network, and your HTTP/80 and HTTPS/443 ports are not opened to the outside world.\n2. You want to secure non-Web services (like LDAP, IMAP, POP, etc.) were the HTTPS protocol is of no use.\n3. You want to generate a wildcard certificate, valid for any sub-domain of a given domain.\n\nFor the first case, ACME servers need to be able to access your website through HTTP (for HTTP challenges)\nor HTTPS (for TLS challenges) in order to validate the certificate. With a firewall these two challenges -\nwhich are widely used in HTTP proxy approaches - will not be usable: you need to ask a DNS challenge.\nPlease note that traefik embed DNS challenges, but only for few DNS providers.\n\nFor the second case, there is no website to use TLS or HTTP challenges, and you should ask a DNS challenge.\nOf course you could create a \"fake\" website to validate the domain using a HTTP challenge, and reuse the\ncertificate on the \"real\" service. But it is a workaround, and you have to implement a logic to propagate\nthe certificate, including during its renewal. Indeed, most of the non-Web services will need to be\nrestarted each time the certificate is renewed.\n\nFor the last case, the use of a DNS challenge is mandatory. Then the problems concerning certificates\npropagation that have been discussed in the second case will also occur.\n\nThe solution is a dedicated and specialized tool which handles the creation/renewal of Let's Encrypt\ncertificates, and ensure their propagation in the relevant services. It is the purpose of\nthis project.\n\n.. _Let's Encrypt: https://letsencrypt.org/\n.. _DNS challenges: https://tools.ietf.org/html/draft-ietf-acme-acme-01#page-44\n.. _Certbot: https://github.com/certbot/certbot\n.. _Lexicon: https://github.com/AnalogJ/lexicon\n.. _Traefik: https://hub.docker.com/_/traefik/\n.. _nginx-proxy: https://hub.docker.com/r/jwilder/nginx-proxy/\n.. _letsencrypt-nginx-proxy-companion: https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/\n\n.. tag:intro-end\n\nDocumentation\n=============\n\nOnline documentation (user guide, configuration reference) is available in the `DNSroboCert documentation`_.\n\nFor a quick start, please have a look in particular at the `User guide`_ and the `Lexicon provider configuration`_.\n\nSupport\n=======\n\nDo not hesitate to join the `DNSroboCert community on Github Discussions`_ if you need help to use or develop DNSroboCert!\n\nContributing\n============\n\nIf you want to help in the DNSroboCert development, you are welcome!\nPlease have a look at the `Developer guide`_ page to know how to start.\n\n.. _DNSroboCert documentation: https://adferrand.github.io/dnsrobocert/\n.. _User guide: https://adferrand.github.io/dnsrobocert/user_guide.html\n.. _Lexicon provider configuration: https://dns-lexicon.github.io/dns-lexicon/providers_options.html\n.. _Developer guide: https://adferrand.github.io/dnsrobocert/developer_guide.html\n.. _DNSroboCert community on Github Discussions: https://github.com/adferrand/dnsrobocert/discussions\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadferrand%2Fdnsrobocert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadferrand%2Fdnsrobocert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadferrand%2Fdnsrobocert/lists"}