diff --git a/dnsapi2.md b/dnsapi2.md index 2a8176f..21dfa66 100644 --- a/dnsapi2.md +++ b/dnsapi2.md @@ -2198,13 +2198,19 @@ Report any bugs or issues [here](https://github.com/acmesh-official/acme.sh/issu 2. [Create an OAuth application at Yandex ID](https://oauth.yandex.ru/client/new). 3. Choose "Web services" platform. 4. Set Redirect URI to `https://oauth.yandex.ru/verification_code`. -5. Select the "Manage DNS records" (directory:manage_dns) permission. +5. Select the following permissions: + - "Manage DNS records" (directory:manage_dns) + - "Read organization data" (directory:read_organization) (optional if the user exports the YANDEX360_ORG_ID variable manually) + - "Read organization domain data" (directory:read_domains) 6. Save the Client ID and Client Secret. ### b. Obtain Yandex 360 Organization ID: +*This step is optional as the Organization ID can be obtained automatically. However, the user can specify it manually as described below.* + 1. After setting up the OAuth application, [visit Yandex 360 for Business Administration](https://admin.yandex.ru/). -2. In the lower-left corner of the page, find and note the Organization ID. +2. In the upper-left corner of the page, select the correct organization from the list if you have multiple organizations. +3. In the lower-left corner of the page, find and note the Organization ID. ### c. Set up environment variables: @@ -2217,7 +2223,7 @@ Export the following variables: ``` export YANDEX360_CLIENT_ID="your_client_id" export YANDEX360_CLIENT_SECRET="your_client_secret" -export YANDEX360_ORG_ID="your_organization_id" +export YANDEX360_ORG_ID="your_organization_id" # optional if directory:read_organization permission is granted ``` #### ii. Manually obtained access token: 
@@ -2231,7 +2237,7 @@ export YANDEX360_ORG_ID="your_organization_id" ``` export YANDEX360_ACCESS_TOKEN="your_access_token" -export YANDEX360_ORG_ID="your_organization_id" +export YANDEX360_ORG_ID="your_organization_id" # optional if directory:read_organization permission is granted ``` ### d. Issue/renew certificate: @@ -2242,7 +2248,7 @@ Use the `acme.sh` command with the `--dns dns_yandex360` parameter. For example: acme.sh --issue --dns dns_yandex360 --dnssleep 600 -d example.com -d *.example.com ``` -When using OAuth you will need to complete an one-time authorization procedure: +When using OAuth you will need to complete a one-time authorization procedure: 1. On first run, the script will initiate the device authorization process. 2. You'll be prompted to visit a URL and enter a code for authorization. 3. After successful authorization, the access token will be obtained automatically. 
@@ -2253,6 +2259,7 @@ When using OAuth you will need to complete an one-time authorization procedure: - If you are using the manual token method, you will need to update `YANDEX360_ACCESS_TOKEN` manually due to the limited token lifespan. - Ensure you include the `--dnssleep` option with a value of at least 600 seconds (10 minutes) to account for the slow DNS record propagation on Yandex 360 DNS. - Whenever possible, use the OAuth method as it provides automatic token refresh and a higher level of security. +- Yandex 360 Organization ID can be obtained automatically if the "Read organization data" (directory:read_organization) permission is granted. If not, you must export `YANDEX360_ORG_ID` variable manually. - [You can learn more about the Yandex 360 for Business DNS API access procedure here.](https://yandex.ru/dev/api360/doc/concepts/access.html) - [You can learn more about the OAuth device authorization flow here.](https://yandex.ru/dev/id/doc/ru/codes/screen-code-oauth) - [You can learn more about obtaining debug tokens here.](https://yandex.ru/dev/id/doc/ru/tokens/debug-token)
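Review bot: In the new step 5 permission list (hunk at -2198), "Read organization domain data" (directory:read_domains) is added with no indication of what it is needed for or whether it can be left out, while directory:read_organization carries an explicit "optional" condition. Every extra scope widens what the stored client secret and tokens can read, so please state why directory:read_domains is required, or mark it optional with its condition, so users can grant the minimum set. The italic note added under section b would also read better if it named the condition directly, for example "optional if the directory:read_organization permission is granted", instead of leaving that to the Notes section.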
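Review bot: In the manually obtained access token block (hunk at -2231), the comment "# optional if directory:read_organization permission is granted" does not say where the permission has to be granted. In this path the user supplies YANDEX360_ACCESS_TOKEN directly, so it is worth spelling out that the token itself must have been issued with that permission, and that users who created their token under the old single-permission instructions should either obtain a new one or keep exporting YANDEX360_ORG_ID.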
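Review bot: The new Notes bullet (hunk at -2253) says the Organization ID "can be obtained automatically" but does not say which organization is used when the account belongs to more than one, even though the step added in section b ("select the correct organization from the list if you have multiple organizations") acknowledges that case for the manual path. Please document the selection behaviour, or recommend exporting YANDEX360_ORG_ID explicitly for multi-organization accounts, so DNS records are not written under the wrong organization. Minor wording: "you must export `YANDEX360_ORG_ID` variable manually" should read "you must export the `YANDEX360_ORG_ID` variable manually", and the bullet could mention directory:read_domains as well, since step 5 now lists it.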