Certbot plugin for authentication using Burp Collaborator

This is a plugin for Certbot that uses a private Burp Collaborator server to perform the DNS-01 challenge.

Prerequisites

  • A fully functional private Collaborator server.
  • The Collaborator runs as a systemd service "owned" by the user. Example:
    • The server runs with the Linux user bc and the systemd service is named collaborator.service.
    • bc is a lingered user (sudo loginctl enable-linger bc).
    • bc must be able to run systemctl --user start|stop|restart collaborator.service.

Tested on Ubuntu server 24.04 with certbot 2.9.0

Installation

We assume the home directory structure of bc is the following:

/home/bc/
├─ bin/
│  ├─ burp.jar # BurpSuite binary
├─ conf/
│  ├─ bc.example.com.conf # Collaborator configuration file
├─ certbot/
│  ├─ certbot-plugin-burpcollaborator/
│  │  ├─ certbot_bc.ini
│  │  ├─ [...]
│  ├─ conf/
│  ├─ logs/
│  ├─ workdir/

As the bc user, from its home directory, run these commands:

$ sudo apt install certbot python3-pip pkg-config libsystemd-dev
$ cd certbot
$ git clone https://github.com/AlmondOffSec/certbot-plugin-burpcollaborator
$ cd certbot-plugin-burpcollaborator
$ # We assume here that the server is dedicated to the Collaborator,
$ # so --break-system-packages will, in fact, not break anything
$ pip install . --break-system-packages

Usage

First time:

$ certbot certonly --authenticator dns-burpcollaborator --dns-burpcollaborator-config /home/bc/certbot/certbot-plugin-burpcollaborator/certbot_bc.ini -d \*.bc.example.com --server https://acme-v02.api.letsencrypt.org/directory --config-dir /home/bc/certbot/conf --work-dir /home/bc/certbot/workdir --logs-dir /home/bc/certbot/logs --register-unsafely-without-email --agree-tos

If the previous command is successful, /home/bc/certbot/conf/live/bc.example.com/ now contains the valid certificate and key, so you can modify your Collaborator configuration file to reference them:

"eventCapture": {
    "ssl": {
        "certificateFiles": [
            "/home/bc/certbot/conf/live/bc.example.com/privkey.pem",
            "/home/bc/certbot/conf/live/bc.example.com/cert.pem",
            "/home/bc/certbot/conf/live/bc.example.com/chain.pem"
        ]
    },
    [...]
}

bc crontab:

0 0 * * 5 XDG_RUNTIME_DIR=/run/user/1001 /usr/bin/certbot renew -q --cert-name bc.example.com --authenticator dns-burpcollaborator --dns-burpcollaborator-config /home/bc/certbot/certbot-plugin-burpcollaborator/certbot_bc.ini --server https://acme-v02.api.letsencrypt.org/directory --config-dir /home/bc/certbot/conf --work-dir /home/bc/certbot/workdir --logs-dir /home/bc/certbot/logs --register-unsafely-without-email --agree-tos --deploy-hook 'systemctl --machine bc@.host --user restart collaborator.service'

Notes:

  • XDG_RUNTIME_DIR=/run/user/1001: replace 1001 with the uid of the bc user (the user session bus is needed for systemctl --user to work from cron).
  • --deploy-hook 'systemctl --machine bc@.host --user restart collaborator.service': bc is the name of the user that runs the Burp Collaborator, collaborator.service is the name of the Burp Collaborator service.
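After a renewal it is worth confirming that the Collaborator configuration still points at certbot's live/ paths, that the files are PEM, and that the private key is not readable by other users. The script below is an added example (not part of this plugin); it assumes the eventCapture.ssl.certificateFiles layout shown above and builds a constructed layout in a temporary directory to demonstrate the check.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed Burp Collaborator config layout, as shown in the README:
# {"eventCapture": {"ssl": {"certificateFiles": [key, cert, chain]}}}
EXPECTED = ("privkey.pem", "cert.pem", "chain.pem")


def certificate_files(config_path):
    """Return the certificateFiles list from a Collaborator config file."""
    with open(config_path, encoding="utf-8") as fh:
        return json.load(fh)["eventCapture"]["ssl"]["certificateFiles"]


def check_tls_files(config_path, live_dir):
    """Return findings (empty list = consistent). live_dir is certbot's
    live directory, e.g. /home/bc/certbot/conf/live/bc.example.com."""
    findings = []
    files = certificate_files(config_path)
    expected = [str(Path(live_dir) / n) for n in EXPECTED]
    if files != expected:
        findings.append(f"certificateFiles should be {expected}, got {files}")
    for path in files:
        p = Path(path)
        if not p.exists():
            findings.append(f"missing: {path}")
            continue
        real = p.resolve()  # certbot's live/ entries symlink into archive/
        head = real.read_bytes()[:64]
        if p.name == "privkey.pem":
            if b"PRIVATE KEY-----" not in head:
                findings.append(f"not a PEM private key: {path}")
            mode = stat.S_IMODE(real.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"key readable by group/others ({mode:04o}): {path}")
        elif not head.startswith(b"-----BEGIN CERTIFICATE-----"):
            findings.append(f"not a PEM certificate: {path}")
    return findings


def demo(key_mode=0o600):
    """Build a constructed (fake PEM) layout in a temp dir and check it."""
    root = Path(tempfile.mkdtemp())
    live = root / "conf" / "live" / "bc.example.com"
    live.mkdir(parents=True)
    (live / "privkey.pem").write_bytes(b"-----BEGIN PRIVATE KEY-----\nMC4C...\n")
    os.chmod(live / "privkey.pem", key_mode)
    for name in ("cert.pem", "chain.pem"):
        (live / name).write_bytes(b"-----BEGIN CERTIFICATE-----\nMIIB...\n")
    cfg = root / "bc.example.com.conf"
    cfg.write_text(json.dumps({"eventCapture": {"ssl": {
        "certificateFiles": [str(live / n) for n in EXPECTED]}}}))
    return check_tls_files(cfg, live)
```

Run check_tls_files against the real /home/bc/conf/bc.example.com.conf and live directory from the deploy hook, or from a second cron job, and alert on a non-empty result.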

Credits

This plugin is based on certbot-plugin-gandi
