# PowerDNS - Letsencrypt

This role extends the PowerDNS role with another backend to handle Let's Encrypt challenges.

## operation

We register a [PowerDNS pipe backend](https://doc.powerdns.com/authoritative/backends/pipe.html) and deploy a Python script to serve it. The script is stored at `/usr/local/bin/pdns.py`.

This script processes queries matching the regex `^_acme-challenge\\.`.

It can also be called directly with `pdns.py add_challenge ` to add challenges, for example:

```
pdns.py add_challenge "_acme-challenge.example.com" "R8aa0mt6cnCVLF6RHsSNxmDBzJffNCK6"
```

Challenges older than two days are removed when a new entry is added.

This can be automated using tokens (see `pdns.py --help`) and SSH forced commands.

## parameters

All config is to be placed inside the `powerdns` dict in another dict called `letsencrypthandler`.

```
# path to save the internally used sqlite database to
dbpath: '/var/lib/powerdns/letsencrypt/challenges.sqlite'
```
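
The query handling and two-day cleanup described under "operation", shown as an added example; it is not the role's `pdns.py`. The table layout, the allowed token and name character sets, the TTL of 1 and the function names are assumptions, and the page's regex is read as matching a literal dot after `_acme-challenge`.

```python
import re
import sqlite3
import sys
import time

ACME = re.compile(r"^_acme-challenge\.", re.I)          # names this backend answers for
NAME = re.compile(r"_acme-challenge\.[a-z0-9._-]+")     # assumption: stored names, full match
TOKEN = re.compile(r"[A-Za-z0-9_-]+")                   # assumption: base64url-style values
MAX_AGE = 2 * 24 * 3600                                 # two days, as described above

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS challenges (name TEXT, token TEXT, added REAL)")
    return db

def add_challenge(db, name, token, now=None):
    """Store a challenge; reject input that could break the tab/newline framing."""
    now = time.time() if now is None else now
    name = name.rstrip(".").lower()
    if not NAME.fullmatch(name) or not TOKEN.fullmatch(token):
        raise ValueError("rejected challenge name or token")
    # Cleanup happens on insert: drop entries older than two days.
    db.execute("DELETE FROM challenges WHERE added < ?", (now - MAX_AGE,))
    db.execute("INSERT INTO challenges VALUES (?, ?, ?)", (name, token, now))
    db.commit()

def handle_line(db, line):
    """Return the reply lines for one tab-separated pipe-backend line (ABI version 1)."""
    f = line.rstrip("\n").split("\t")
    if f[0] == "HELO":
        return ["OK\texample acme backend"] if f[1:] == ["1"] else ["FAIL"]
    if f[0] != "Q" or len(f) < 6:
        return ["FAIL"]                                 # AXFR and unknown requests not served
    qname, qclass, qtype, qid = f[1:5]
    out = []
    if ACME.match(qname) and qtype in ("TXT", "ANY"):
        key = qname.rstrip(".").lower()
        for (token,) in db.execute("SELECT token FROM challenges WHERE name = ?", (key,)):
            # TTL of 1 is an assumption, chosen so resolvers do not cache challenges.
            out.append("\t".join(["DATA", qname, qclass, "TXT", "1", qid, '"%s"' % token]))
    out.append("END")
    return out

if __name__ == "__main__":
    # Database path is an assumption: first argument, else a throwaway in-memory store.
    db = open_db(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
    for line in sys.stdin:
        print("\n".join(handle_line(db, line)), flush=True)
```

Restricting the token to a fixed character set matters because the value is written back to PowerDNS inside a tab- and newline-delimited reply.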