certbot: allow dns-persist-01 to run with no hooks

2026-06-10 09:10:37 -04:00 · 2026-05-13 16:01:52 -07:00 · 2026-05-13 16:01:52 -07:00 · c564a5d222
commit c564a5d222
parent 38bc452282
2 changed files with 13 additions and 7 deletions
--- a/certbot/src/certbot/_internal/plugins/manual.py
+++ b/certbot/src/certbot/_internal/plugins/manual.py
@ -112,11 +112,6 @@ permitted by DNS standards.)
            help='Path or command to execute for the cleanup script')

    def prepare(self) -> None:  # pylint: disable=missing-function-docstring
-        if self.config.noninteractive_mode and not self.conf('auth-hook'):
-            raise errors.PluginError(
-                'An authentication script must be provided with --{0} when '
-                'using the manual plugin non-interactively.'.format(
-                    self.option_name('auth-hook')))
        self._validate_hooks()

    def _validate_hooks(self) -> None:
@ -178,6 +173,13 @@ permitted by DNS standards.)
        responses = []
        last_dns_achall = 0
        for i, achall in enumerate(achalls):
+            # only dns-persist-01 challenges should be both non-interactive and have no auth hook
+            if not isinstance(achall.chall, challenges.DNSPersist01) \
+                and self.config.noninteractive_mode and not self.conf('auth-hook'):
+                raise errors.PluginError(
+                    'An authentication script must be provided with --{0} when '
+                    'using the manual plugin non-interactively.'.format(
+                        self.option_name('auth-hook')))
            if isinstance(achall.chall, (challenges.DNS01, challenges.DNSPersist01)):
                last_dns_achall = i
        for i, achall in enumerate(achalls):
--- a/certbot/src/certbot/_internal/tests/plugins/manual_test.py
+++ b/certbot/src/certbot/_internal/tests/plugins/manual_test.py
@ -60,10 +60,14 @@ class AuthenticatorTest(test_util.TempDirTestCase):
        from certbot._internal.plugins.manual import Authenticator
        self.auth = Authenticator(self.config, name='manual')

-    def test_prepare_no_hook_noninteractive(self):
+    def test_perform_no_hook_noninteractive(self):
        self.config.noninteractive_mode = True
        with pytest.raises(errors.PluginError):
-            self.auth.prepare()
+            _ = self.auth.perform(self.achalls)
+        dns_persist_achalls = [achall for achall in self.achalls \
+            if isinstance(achall.chall, challenges.DNSPersist01)]
+        assert len(dns_persist_achalls) == 3
+        _ = self.auth.perform(dns_persist_achalls)

    def test_prepare_bad_hook(self):
        self.config.manual_auth_hook = os.path.abspath(os.sep)  # is / on UNIX