Namecheap DNS Authenticator for Certbot
Certbot-dns-namecheap is a plugin for Certbot that automates the DNS-01 challenge for Let's Encrypt certificates using the Namecheap API. This allows for obtaining and renewing wildcard certificates by programmatically creating and deleting TXT records on Namecheap DNS. The current version is 1.0.0 and it is part of the Certbot ecosystem.
Warnings
- gotcha: Namecheap API access is restricted. To activate API access, your Namecheap account must meet at least one of these requirements: have at least 20 domains, have at least $50 on your account balance, or have spent at least $50 within the last 2 years.
- gotcha: Namecheap API requires IP whitelisting. If your server has a dynamic IP address, automation of certificate renewal might fail as the API only allows requests from whitelisted IPs.
- gotcha: The credentials file containing your Namecheap API key is highly sensitive. If compromised, it could grant full control over your Namecheap account.
- gotcha: DNS propagation delays can cause Certbot validation to fail. While Certbot and the plugin usually handle waits, unusually slow DNS updates can still lead to errors.
Install
- pip install certbot
- pip install certbot-dns-namecheap
Imports
- certbot-dns-namecheap:dns-namecheap
Used via Certbot CLI: certbot certonly -a certbot-dns-namecheap:dns-namecheap ...
Quickstart
# 1. Create a credentials INI file (e.g., namecheap.ini) with your Namecheap API details.
# Ensure this file has restricted permissions (e.g., chmod 600 namecheap.ini).
# You can get your API Key from your Namecheap account's API Management page.
#
# namecheap.ini content:
# dns_namecheap_username = your_namecheap_username
# dns_namecheap_api_key = your_namecheap_api_key
import os
# For demonstration, use environment variables to populate the INI content
# In a real scenario, you'd create the file manually or securely programmatically.
username = os.environ.get('NAMECHEAP_USERNAME', 'your_namecheap_username')
api_key = os.environ.get('NAMECHEAP_API_KEY', 'your_namecheap_api_key')
ini_content = f"""
dns_namecheap_username = {username}
dns_namecheap_api_key = {api_key}
"""
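creds_file = 'namecheap.ini'
# Create the file with mode 0600 from the start so the API key is never
# readable by other users, not even briefly between write and chmod.
fd = os.open(creds_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, 'w') as f:
    f.write(ini_content)
os.chmod(creds_file, 0o600)  # Also tighten permissions if the file already existed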
# 2. Run Certbot with the Namecheap DNS authenticator
# Replace example.com with your actual domain and your@email.com with your email.
# Use --test-cert for initial testing to avoid hitting Let's Encrypt rate limits.
# The wildcard name is quoted so the shell does not expand it as a glob.
print("\nNow run this command in your terminal:\n")
print(f"certbot certonly \
--authenticator certbot-dns-namecheap:dns-namecheap \
--certbot-dns-namecheap:dns-namecheap-credentials {creds_file} \
--agree-tos \
--no-eff-email \
--email your@email.com \
-d example.com -d '*.example.com' \
--test-cert")
print("\nAfter successful testing, remove --test-cert for a live certificate.")
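
Because the credentials file is the sensitive piece here, a pre-renewal check of its permissions, ownership and contents is worth running before Certbot. The following is an added example, not part of the plugin or of Certbot; the function name audit_credentials is hypothetical, and the key names and placeholder values are the ones shown in the Quickstart above.

```python
import os
import stat

REQUIRED_KEYS = ("dns_namecheap_username", "dns_namecheap_api_key")
# Placeholder values used in the Quickstart; a file still holding them is unusable.
PLACEHOLDERS = {"your_namecheap_username", "your_namecheap_api_key"}


def audit_credentials(path):
    """Return a list of problems with the credentials file (empty list = OK)."""
    try:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
    except FileNotFoundError:
        return [f"{path}: file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file (symlink or special file)"]

    findings = []
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} lets group/other access it; use 0600")
    if st.st_uid != os.geteuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the user running Certbot")

    # Minimal "key = value" parser; the API key itself is never printed.
    values = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if not values.get(key):
            findings.append(f"{path}: {key} is missing or empty")
        elif values[key] in PLACEHOLDERS:
            findings.append(f"{path}: {key} still holds the quickstart placeholder")
    return findings


if __name__ == "__main__":
    import sys
    problems = audit_credentials(sys.argv[1] if len(sys.argv) > 1 else "namecheap.ini")
    for problem in problems:
        print("FAIL", problem)
    sys.exit(1 if problems else 0)
```

Run it from the same account that runs Certbot; a non-zero exit status can gate a renewal cron job or systemd timer.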