Skip to content
acmesh-official
/
acme.sh

Type / to search

Code
Issues
907
Pull requests
198
Discussions
Actions
Projects
Wiki
Security
Insights
dnsapi

Josef Vybíhal edited this page 2 weeks ago · 257 revisions
 Pages 66
Find a page…
Home
Blogs and tutorials
BuyPass.com CA
CA
Change default CA to ZeroSSL
Code of conduct
Deploy ssl certs to apache server
Deploy ssl certs to nginx
Deploy ssl to SolusVM
deploy to docker containers
deployhooks
DNS alias mode
DNS API Dev Guide
DNS API Test
DNS manual mode
 Add a custom sidebar
Clone this wiki locally
https://github.com/acmesh-official/acme.sh.wiki.git
How to use DNS API
If your DNS provider doesn't provide API access, you can use our DNS alias mode

1. CloudFlare
2. DNSPod.cn Option:
4. Use GoDaddy.com domain API to automatically issue cert
5. Use PowerDNS embedded API to automatically issue cert
6. Use OVH, Kimsufi, So you Start API to automatically issue cert
7. Use nsupdate to automatically issue cert
8. Use LuaDNS domain API
9. Use DNSMadeEasy domain API
10. Use Amazon Route53 domain API
11. Use Aliyun domain API to automatically issue cert
12. Use ISPConfig 3.1 API
13. Use Alwaysdata domain API
14. Use Linode domain API
15. Use FreeDNS
16. Use cyon.ch
18. Use Gandi LiveDNS API
19. Use Knot (knsupdate) DNS API to automatically issue cert
20. Use DigitalOcean API (native)
21. Use ClouDNS.net API
22. Use Infoblox API
23. Use VSCALE API
24. Use Dynu API
25. Use DNSimple API
26. Use NS1.com API
27. Use DuckDNS.org API
28. Use Name.com API
29. Use Dyn Managed DNS API to automatically issue cert
30. Use pdd.yandex.ru API
31. Use Hurricane Electric
33. Use INWX
35. Use Namesilo.com API
36. Use autoDNS (InternetX)
37. Use Azure DNS
38. Use selectel.com(selectel.ru) domain API to automatically issue cert
39. Use zonomi.com domain API to automatically issue cert
40. Use DreamHost DNS API
41. Use DirectAdmin API
42. Use KingHost DNS API
43. Use Zilore DNS API
44. Use Loopia API
45. Use ACME DNS API
47. Use Euserv.eu API
48. Use DNSPod.com domain API to automatically issue cert
49. Use Google Cloud DNS API to automatically issue cert
50. Use ConoHa API
53. Use Namecheap
54. Use MyDNS.JP API
55. Use hosting.de API
56. Use Neodigit.net API
57. Use Exoscale API
58. Using PointHQ API to issue certs
59. Use Active24 API
60. Use do.de API
61. Use Nexcess API
62. Use Thermo.io API
63. Use Futurehosting API
65. Use Online API
66. Use MyDevil.net
67. Use Core-Networks API to automatically issue cert
70. Use UltraDNS API
71. Use deSEC.io
72. Use OpenProvider API
73. Use MaraDNS API
74. Use Hetzner API
75. Use DDNSS.de API
76. Use NLnetLabs NSD
76. Use Schlundtech
77. Use your one.com credentials as you would login into the control panel.
78. Use AcmeProxy DNS API
79. Use internetbs.net API
80. Use durabledns.com API
81. Use reg.ru API
82. Use Vultr DNS API to automatically issue cert
83. Use jdcloud.com DNS API to automatically issue cert
84. Use hexonet.com DNS API to automatically issue a cert
85. Use Domeneshop DNS API to automatically issue a cert
86. Use OPNsense embedded API to automatically issue cert
87. Use the RcodeZero API to automatically issue cert
88. Use MailinaBox
89. Use nic.ru DNS
90. Use Leaseweb.com domain API to automatically issue cert
91. Use variomedia.de domain API to automatically issue cert
92. Use Plesk XML API to automatically issue cert
93. Use PDNS Manager API
94. Use Misaka.io domain API
95. Use easyDNS.net API to automatically issue a cert
96. Use CloudDNS API to automatically issue a cert
97. Use dynv6 API to automatically issue a cert
98. Use All-Inkl.com domain API to automatically issue cert
99. Use Constellix domain API
100. Use Namemaster domain API
101. Use HostingUkraine domain API
102. Use ArvanCloud domain API
103. Use Joker.com domain API
104. Use 1984Hosting domain API
105. Use Aruba domain API
106. Use TransIP domain API:
107. Use dyndnsfree.de API
108. Use Njalla API
109. Use Vercel API
110. Use Hetzner DNS API
111. Use kapper.net DNS API
112. Use Wedos API
113. Use Shellrent API
114. Use OpenStack domain API
115. Use Netlify API
116. Use Akamai Edge DNS API
117. Use WEDOS DNS API
118. Use Websupport DNS API
119. Use infomaniak.com API
120. Use bookmyname.com API
121. Use anexia.com CloudDNS API
122. Use Synology DSM Synology DNS Server API
123. Use HuaweiCloud API
124. Use Simply.com API
125. Use World4You API
126. Use Scaleway API
128. Use RackCorp API
129. Using the IONOS domain API
130. Using the Porkbun API
131. Using the Aurora API
132. Using the Azion DNS API
133. Using Oracle Cloud Infrastructure DNS
134. Utilisation de l'API DNS Hostline Hébergement VPS
135. Use Veesp domain API
136. Use cPanel DNS systems
137. Use ISPMan domain API
138. Use dnsHome.de DNS API
139. Use mythic-beasts.com DNS API
140. Use s-dns.de API
141. Using the united-domains reselling DNS API
142. Using the curanet DNS API
143. Use ArtFiles.de DNS API
144. Use Geoscaling.com DNS2
145. Use fornex.com API
146. Use DNS.Services API
147. Use Nodion DNS API
148. Use dns.la API
149. Use Yandex Cloud DNS API
150. Use Bunny DNS API to automatically issue cert
151. Use Selfhost DNS API
152. Use rage4 DNS API
153. Use GCore DNS API
154. Use dynadot DNS API
155. Use IPv64 DNS API
156. Use Nanelo DNS API
157. Use Google Domains DNS API
158. Use DNSExit API
159. Use Samba AD DC API
Use custom API
Use lexicon DNS API
1. CloudFlare Option:
Cloudflare Domain API offers two methods to automatically issue certs:

(a) creating a restrictive API token with specific permissions; or
(b) using the global API key associated with your Cloudflare account, which has all permissions.

Using method (b) is strongly NOT recommended as leakage of the global API token will completely compromise your account, though the key can be reset if this occurs. By contrast, method (a) is recommended because if a restrictive API token is leaked, the attack surface is small, it can simply be deleted/revoked, and its permissions can also be changed at any time via your Cloudflare profile settings.

(a) Using a restrictive API token
You will need to create an API token which either:

(i) has permissions to edit a single specific DNS zone; or
(ii) has permissions to edit multiple DNS zones.

You can do this via your Cloudflare profile page, under the API Tokens section. When your create the token, under Permissions, select Zone > DNS > Edit, and under Zone Resources, only include the specific DNS zones within which you need to perform ACME DNS challenges.

The API token is a 40-character string that may contain uppercase letters, lowercase letters, numbers, and underscores. You must provide it to acme.sh by setting the environment variable CF_Token to its value, e.g. run export CF_Token="Y_jpG9AnfQmuX5Ss9M_qaNab6SQwme3HWXNDzRWs".

(i) Single DNS zone
You must give acme.sh the zone ID of the DNS zone it needs to edit. This is a 32-character hexadecimal string (e.g. 763eac4f1bcebd8b5c95e9fc50d010b4), and should not be confused with the zone name (e.g. example.com). This zone ID can be found via the Cloudflare dashboard, on the zone's Overview page, in the right-hand sidebar.

You provide this info by setting the environment variable CF_Zone_ID to this zone ID, e.g. run export CF_Zone_ID="763eac4f1bcebd8b5c95e9fc50d010b4".

(ii) Multiple DNS zones
You must give acme.sh the account ID of the Cloudflare account to which the relevant DNS zones belong. This is a 32-character hexadecimal string, and should not be confused with other account identifiers, such as the account email address (e.g. alice@example.com) or global API key (which is also a 32-character hexadecimal string). This account ID can be found via the Cloudflare dashboard, as the end of the URL when logged in, or on the Overview page of any of your zones, in the right-hand sidebar, beneath the zone ID.

You provide this info by setting the environment variable CF_Account_ID to this account ID, e.g. run export CF_Account_ID="763eac4f1bcebd8b5c95e9fc50d010b4".

(b) Using the global API key
You can get your global API key from your Cloudflare profile page, under the API tokens section. Click "View" next to Global API key, verify your Cloudflare password, and it will be revealed to you. It is a 32-character hexadecimal string that you must provide to acme.sh by setting the environment variable CF_Key to its value. You must also set CF_Email to the email address that is associated with your Cloudflare account; this is the email address you enter when logging in to Cloudflare. For example:

export CF_Key="763eac4f1bcebd8b5c95e9fc50d010b4"
export CF_Email="alice@example.com"
Getting a certificate
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'
Any environment variables that were set and used when issuing the certificate will be saved in ~/.acme.sh/account.conf so that they can be automatically reused in future when issuing new certificates or renewing existing certificates using dns_cf.

2. DNSPod.cn Option:
The DNSPod.cn Domain API option requires that you first login to your account to get a DNSPod API Key and ID.

export DP_Id="<id>"
export DP_Key="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_dp -d example.com -d *.example.com
The DP_Id and DP_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

3. CloudXNS.com
Removed

4. Use GoDaddy.com domain API to automatically issue cert
First you need to login to your GoDaddy account to get your API Key and Secret.

https://developer.godaddy.com/keys/

Please create a Production key, instead of a Test key.

export GD_Key="<key>"
export GD_Secret="<secret>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_gd -d example.com -d *.example.com
The GD_Key and GD_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

5. Use PowerDNS embedded API to automatically issue cert
First you need to login to your PowerDNS account to enable the API and set your API-Token in the configuration.

https://doc.powerdns.com/md/httpapi/README/

export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_pdns -d example.com -d *.example.com
The PDNS_Url, PDNS_ServerId, PDNS_Token and PDNS_Ttl will be saved in ~/.acme.sh/account.conf and will be reused when needed.

6. Use OVH, Kimsufi, So you Start API to automatically issue cert
See How to use OVH domain API

7. Use nsupdate to automatically issue cert
ncupdate is RFC 2136 Dynamic DNS Update client. Man page

First, generate a key for updating the zone

b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo)
cat > /etc/named/keys/update.key <<EOF
key "update" {
    algorithm hmac-sha512;
    secret "$(awk '/^Key/{print $2}' /tmp/$b.private)";
};
EOF
rm -f /tmp/$b.{private,key}
Include this key in your named configuration

include "/etc/named/keys/update.key";
Next, configure your zone to allow dynamic updates.

Depending on your named version, use either

zone "example.com" {
    type master;
    allow-update { key "update"; };
};
or

zone "example.com" {
    type master;
    update-policy {
        grant update subdomain example.com.;
    };
}
Notes on BIND 9.16.1-Ubuntu 20.04.3 LTS

# dnssec-keygen no longer do tsig algorithm, so tsig-keygen (came with bind9)
tsig-keygen -a hmac-sha512 acme | sudo tee /etc/bind/acme.key
# as nsupdate need creation of *.jnl where zone file resides, read /var/log/syslog for error details
sudo chmod g+w /etc/bind
# similar to above steps: include key, allow-update with key on target zone
# echo 'include "/etc/bind/acme.key";' | sudo tee --append /etc/bind/named.conf.local
Finally, make the DNS server and update Key available to acme.sh

export NSUPDATE_SERVER="dns.example.com"
export NSUPDATE_KEY="/path/to/your/nsupdate.key"
and optionally (depending on DNS server)

export NSUPDATE_ZONE="example.com"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_nsupdate -d example.com -d *.example.com
The NSUPDATE_SERVER, NSUPDATE_KEY, and NSUPDATE_ZONE settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.

8. Use LuaDNS domain API
Get your API token at https://api.luadns.com/settings

export LUA_Key="<key>"
export LUA_Email="youremail@example.com"
To issue a cert:

./acme.sh --issue --dns dns_lua -d example.com -d *.example.com
The LUA_Key and LUA_Email will be saved in ~/.acme.sh/account.conf and will be reused when needed.

9. Use DNSMadeEasy domain API
Get your API credentials at https://cp.dnsmadeeasy.com/account/info

export ME_Key="<key>"
export ME_Secret="<secret>"
To issue a cert:

./acme.sh --issue --dns dns_me -d example.com -d *.example.com
The ME_Key and ME_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

10. Use Amazon Route53 domain API
See How to use Amazon Route53 API

export  AWS_ACCESS_KEY_ID="<key id>"
export  AWS_SECRET_ACCESS_KEY="<secret>"
To issue a cert:

./acme.sh --issue --dns dns_aws -d example.com -d *.example.com
If you get an AWS Route53 rate exceeded error, you can add a sleep time between api requests:

export  AWS_DNS_SLOWRATE=1 (sleep between API requests in seconds)
The AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DNS_SLOWRATE will be saved in ~/.acme.sh/account.conf and will be reused when needed. The AWS_DNS_SLOWRATE will enable the sleep between API requests to AWS servers. It will help to mitigate the AWS rate limit

11. Use Aliyun domain API to automatically issue cert
First you need to login to your Aliyun account to get your RAM API key. https://ram.console.aliyun.com/users

export Ali_Key="<key>"
export Ali_Secret="<secret>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_ali -d example.com -d *.example.com
The Ali_Key and Ali_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

12. Use ISPConfig 3.1 API
This only works for ISPConfig 3.1 (and newer).

Create a Remote User in the ISPConfig Control Panel. The Remote User must have access to at least DNS zone functions, DNS txt functions and Client functions.

export ISPC_User="xxx"
export ISPC_Password="xxx"
export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"
export ISPC_Api_Insecure=1
If you have installed ISPConfig on a different port, then alter the 8080 accordingly. Leave ISPC_Api_Insecure set to 1 if you have no valid ssl cert for your installation. Change it to 0 if you have a valid ssl cert.

To issue a cert:

./acme.sh --issue --dns dns_ispconfig -d example.com -d *.example.com
The ISPC_User, ISPC_Password, ISPC_Apiand ISPC_Api_Insecure will be saved in ~/.acme.sh/account.conf and will be reused when needed.

13. Use Alwaysdata domain API
First you need to login to your Alwaysdata account to get your API Key.

export AD_API_KEY="<myalwaysdataapikey>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_ad -d example.com -d *.example.com
The AD_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

14. Use Linode domain API
Cloud Manager
Cloud Manager: https://cloud.linode.com/profile/tokens

First you need to login to your Linode account to get your API Key.

Click on "Add a Personal Access Token".
Give the new key a "Label" (we recommend ACME)
Give it Read/Write access to "Domains"
"Submit" and copy the new key into the LINODE_V4_API_KEY command below.
export LINODE_V4_API_KEY="..."
Due to the reload time of any changes in the DNS records, we have to use the dnssleep option to wait at least 15 minutes for the changes to take effect.

Ok, let's issue a cert now:

./acme.sh --issue --dns dns_linode_v4 -d example.com -d *.example.com --dnssleep 900
The LINODE_V4_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

15. Use FreeDNS
FreeDNS does not provide an API to update DNS records (other than IPv4 and IPv6 dynamic DNS addresses). The acme.sh plugin therefore retrieves and updates domain TXT records by logging into the FreeDNS website to read the HTML and posting updates as HTTP. The plugin needs to know your userid and password for the FreeDNS website.

export FREEDNS_User="..."
export FREEDNS_Password="..."
You need only provide this the first time you run the acme.sh client with FreeDNS validation and then again whenever you change your password at the FreeDNS site. The acme.sh FreeDNS plugin does not store your userid or password but rather saves an authentication token returned by FreeDNS in ~/.acme.sh/account.conf and reuses that when needed.

Now you can issue a certificate.

./acme.sh --issue --dns dns_freedns -d example.com -d *.example.com
Note that you cannot use acme.sh automatic DNS validation for FreeDNS public domains or for a subdomain that you create under a FreeDNS public domain. You must own the top level domain in order to automatically validate with acme.sh at FreeDNS.

Report any bugs or issues here

16. Use cyon.ch
You only need to set your cyon.ch login credentials. If you also have 2 Factor Authentication (OTP) enabled, you need to set your secret token too and have oathtool installed.

export CY_Username="your_cyon_username"
export CY_Password="your_cyon_password"
export CY_OTP_Secret="your_otp_secret" # Only required if using 2FA
To issue a cert:

./acme.sh --issue --dns dns_cyon -d example.com -d *.example.com
The CY_Username, CY_Password and CY_OTP_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

17. Use Domain-Offensive/Resellerinterface/Domainrobot API
Removed

18. Use Gandi LiveDNS API
You must enable the new Gandi LiveDNS API first and then create your Personal Access Token (PAT) or api key (deprecated), See: https://api.gandi.net/docs/livedns/ and https://docs.gandi.net/en/managing_an_organization/organizations/personal_access_token.html

export GANDI_LIVEDNS_TOKEN="<key>"
or (deprecated):

export GANDI_LIVEDNS_KEY="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_gandi_livedns -d example.com -d *.example.com
19. Use Knot (knsupdate) DNS API to automatically issue cert
First, generate a TSIG key for updating the zone.

keymgr tsig generate -t acme_key hmac-sha512 > /etc/knot/acme.key
Include this key in your knot configuration file.

include: /etc/knot/acme.key
Next, configure your zone to allow dynamic updates.

Dynamic updates for the zone are allowed via proper ACL rule with the update action. For in-depth instructions, please see Knot DNS's documentation.

acl:
  - id: acme_acl
    address: 192.168.1.0/24
    key: acme_key
    action: update

zone:
  - domain: example.com
    file: example.com.zone
    acl: acme_acl
Finally, make the DNS server and TSIG Key available to acme.sh

export KNOT_SERVER='dns.example.com'
export KNOT_KEY='/etc/knot/acme.key'
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_knot -d example.com -d *.example.com
The KNOT_SERVER and KNOT_KEY settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.

20. Use DigitalOcean API (native)
You need to obtain a read and write capable API key from your DigitalOcean account. See: https://www.digitalocean.com/help/api/

export DO_API_KEY="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_dgon -d example.com -d *.example.com
21. Use ClouDNS.net API
You need to set the HTTP API user ID and password credentials. See: https://www.cloudns.net/wiki/article/42/. For security reasons, it's recommended to use a sub user ID that only has access to the necessary zones, as a regular API user has access to your entire account.

# Use this for a sub auth ID
export CLOUDNS_SUB_AUTH_ID="<Auth ID>"
# Use this for a regular auth ID
#export CLOUDNS_AUTH_ID="Auth ID"
export CLOUDNS_AUTH_PASSWORD="<password>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_cloudns -d example.com -d *.example.com
The CLOUDNS_AUTH_ID and CLOUDNS_AUTH_PASSWORD will be saved in ~/.acme.sh/account.conf and will be reused when needed.

22. Use Infoblox API
First you need to create/obtain API credentials on your Infoblox appliance.

export Infoblox_Creds="username:password"
export Infoblox_Server="ip or fqdn of infoblox appliance"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_infoblox -d example.com -d *.example.com
Note: This script will automatically create and delete the ephemeral txt record. The Infoblox_Creds and Infoblox_Server will be saved in ~/.acme.sh/account.conf and will be reused when needed.

23. Use VSCALE API
First you need to create/obtain API tokens on your settings panel.

export VSCALE_API_KEY="<api key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_vscale -d example.com -d *.example.com
24. Use Dynu API
First you need to create/obtain API credentials from your Dynu account. See: https://www.dynu.com/resources/api/documentation

export Dynu_ClientId="<client id>"
export Dynu_Secret="<secret>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_dynu -d example.com -d *.example.com
The Dynu_ClientId and Dynu_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

25. Use DNSimple API
First you need to login to your DNSimple.com account and generate a new oauth token.

https://dnsimple.com/a/{your account id}/account/automation

Note: This is an account token and not a user token. The account token is needed to infer the account_id used in requests.

A user token will not be able to determine the correct account to use. You may check tokens at https://dnsimple.com/a//account/access_tokens

export DNSimple_OAUTH_TOKEN="<token>"
To issue the cert just specify the dns_dnsimple API.

./acme.sh --issue --dns dns_dnsimple -d example.com -d *.example.com
The DNSimple_OAUTH_TOKEN will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

26. Use NS1.com API
export NS1_Key="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_nsone -d example.com -d *.example.com
27. Use DuckDNS.org API
DuckDNS.org is a popular free DDNS provider. You can get your own subdomain like mydomain.duckdns.org.

To configure it visit the DuckDNS and get your API token:

export DuckDNS_Token="<token>"
Ok, let's issue a cert now:

acme.sh --issue --dns dns_duckdns -d mydomain.duckdns.org -d *.mydomain.duckdns.org
28. Use Name.com API
Create your API token here: https://www.name.com/account/settings/api

Note: Namecom_Username should be your Name.com username and not the token name. If you accidentally run the script with the token name as the username see ~/.acme.sh/account.conf to fix the issue

export Namecom_Username="<youruser>"
export Namecom_Token="<token>"
And now you can issue certs with:

./acme.sh --issue --dns dns_namecom -d example.com -d *.example.com
If you had Two-step Authentication enabled, make sure to change your security setting, read this guide for help: Using API with Two-step Authentication

Report any bugs or issues here

29. Use Dyn Managed DNS API to automatically issue cert
First, login to your Dyn Managed DNS account: https://portal.dynect.net/login/

It is recommended to add a new user specific for API access.

The minimum "Zones & Records Permissions" required are:

RecordAdd
RecordUpdate
RecordDelete
RecordGet
ZoneGet
ZoneAddNode
ZoneRemoveNode
ZonePublish
Pass the API user credentials to the environment:

export DYN_Customer="<customer>"
export DYN_Username="<apiuser>"
export DYN_Password="<secret>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_dyn -d example.com -d *.example.com
The DYN_Customer, DYN_Username and DYN_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

30. Use pdd.yandex.ru API
export PDD_Token="<token>"
Follow these instructions to get the token for your domain https://tech.yandex.com/domain/doc/concepts/access-docpage/

./acme.sh --issue --dns dns_yandex -d mydomain.example.org -d *.mydomain.example.org
Sometimes cloudflare / google doesn't pick new dns records fast enough. You can add --dnssleep XXX to params as workaround.

Report any bugs or issues here

31. Use Hurricane Electric
Hurricane Electric he.net doesn't have an API so just set your login credentials like so:

export HE_Username="<yourusername>"
export HE_Password="<password>"
Then you can issue your certificate:

./acme.sh --issue --dns dns_he -d example.com -d *.example.com
The HE_Username and HE_Password settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here or to me@ondrejsimek.com.

32. Use UnoEuro API to automatically issue cert
UPD The UnoEuro is now Simply.com

33. Use INWX
INWX.de offers a xmlrpc api with your standard login credentials, set them like so:

export INWX_User="<yourusername>"
export INWX_Password="<password>"
Then you can issue your certificates with:

./acme.sh --issue --dns dns_inwx -d example.com -d *.example.com
The INWX_User and INWX_Password settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.

If your account is secured by mobile tan you have also defined the shared secret.

export INWX_Shared_Secret="<shared secret>"
You may need to re-enable the mobile tan to gain the shared secret.

34. User Servercow API v1
Create a new user from the Servercow control center. Don't forget to activate DNS API for this user.

export SERVERCOW_API_Username="<username>"
export SERVERCOW_API_Password="<password>"
Now you cann issue a cert:

./acme.sh --issue --dns dns_servercow -d example.com -d *.example.com
Both, SERVERCOW_API_Username and SERVERCOW_API_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

35. Use Namesilo.com API
You'll need to generate an API key at https://www.namesilo.com/account/api-manager Optionally you may restrict the access to an IP range there.

export Namesilo_Key="<key>"
And now you can issue certs with:

./acme.sh --issue --dns dns_namesilo -d example.com -d *.example.com --dnssleep 900
36. Use autoDNS (InternetX)
InternetX offers a xml api with your standard login credentials, set them like so:

export AUTODNS_USER="yourusername"
export AUTODNS_PASSWORD="password"
export AUTODNS_CONTEXT="context"
Then you can issue your certificates with:

./acme.sh --issue --dns dns_autodns -d example.com -d *.example.com
The AUTODNS_USER, AUTODNS_PASSWORD and AUTODNS_CONTEXT settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.

37. Use Azure DNS
You have to create a service principal first. See: How to use Azure DNS

export AZUREDNS_SUBSCRIPTIONID="<SUBSCRIPTIONID>"
export AZUREDNS_TENANTID="<TENANTID>"
export AZUREDNS_APPID="<APPID>"
export AZUREDNS_CLIENTSECRET="<CLIENTSECRET>"
Then you can issue your certificates with:

./acme.sh --issue --dns dns_azure -d example.com -d *.example.com
AZUREDNS_SUBSCRIPTIONID, AZUREDNS_TENANTID,AZUREDNS_APPID and AZUREDNS_CLIENTSECRET settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Alternatively, you can use Managed Identity assigned to a resource instead of a service prinvcipal.

You have to assign a managed identity to your resource, usually a VM, as described here. This identity requires DNS Zone Contributor role.

Before running acme.sh following variables need to bo set: export AZUREDNS_SUBSCRIPTIONID="12345678-9abc-def0-1234-567890abcdef" export AZUREDNS_MANAGEDIDENTITY=true

Issuing certificates using managed identity clears previously set settings: AZUREDNS_TENANTID, AZUREDNS_APPID, AZUREDNS_CLIENTSECRET. AZUREDNS_SUBSCRIPTIONID and AZUREDNS_MANAGEDIDENTITY will be saved in ~/.acme.sh/account.conf for future use.

38. Use selectel.com(selectel.ru) domain API to automatically issue cert
First you need to login to your account to get your API key from: https://my.selectel.ru/profile/apikeys.

export SL_Key="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_selectel -d example.com -d *.example.com
The SL_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

39. Use zonomi.com domain API to automatically issue cert
First you need to login to your account to find your API key from: http://zonomi.com/app/dns/dyndns.jsp

Your will find your api key in the example urls:

https://zonomi.com/app/dns/dyndns.jsp?host=example.com&api_key=1063364558943540954358668888888888
export ZM_Key="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_zonomi -d example.com -d *.example.com
The ZM_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

40. Use DreamHost DNS API
DNS API keys may be created at https://panel.dreamhost.com/?tree=home.api. Ensure the created key has add and remove privileges.

export DH_API_KEY="<api key>"
./acme.sh --issue --dns dns_dreamhost -d example.com -d *.example.com
The DH_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

41. Use DirectAdmin API
The DirectAdmin interface has its own Let's encrypt functionality, but this script can be used to generate certificates for names which are not hosted on DirectAdmin.

User must provide login data and URL to the DirectAdmin incl. port. You can create a user which only has access to

CMD_API_DNS_CONTROL
CMD_API_SHOW_DOMAINS
By using the Login Keys function. See also https://www.directadmin.com/api.php and https://www.directadmin.com/features.php?id=1298

export DA_Api="https://remoteUser:remotePassword@da.domain.tld:8443"
export DA_Api_Insecure=1
Set DA_Api_Insecure to 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)

Ok, let's issue a cert now:

./acme.sh --issue --dns dns_da -d example.com -d *.example.com
The DA_Api and DA_Api_Insecure will be saved in ~/.acme.sh/account.conf and will be reused when needed.

42. Use KingHost DNS API
API access must be enabled at https://painel.kinghost.com.br/painel.api.php

export KINGHOST_Username="yourusername"
export KINGHOST_Password="yourpassword"
./acme.sh --issue --dns dns_kinghost -d example.com -d *.example.com
The KINGHOST_username and KINGHOST_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

43. Use Zilore DNS API
First, get your API key at https://my.zilore.com/account/api

export Zilore_Key="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_zilore -d example.com -d *.example.com
The Zilore_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

44. Use Loopia API
User must provide login credentials to the Loopia API. The user needs the following permissions:

getDomains
getSubdomains
addSubdomain
removeSubdomain
getZoneRecords
addZoneRecord
Set the API endpoint:

export LOOPIA_Api="https://api.loopia.<TLD>/RPCSERV"
Depending on your hosting location, <TLD> is one of: com, no, rs, se. The default endpoint is se TLD.

Set the login credentials:

export LOOPIA_User="user@loopiaapi"
export LOOPIA_Password="password"
And to issue a cert run:

./acme.sh --issue --dns dns_loopia -d example.com -d *.example.com
The exported variables will be saved in ~/.acme.sh/account.conf and will be reused when needed.

45. Use ACME DNS API
ACME DNS is a limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. https://github.com/joohoi/acme-dns

# Usage:
# export ACMEDNS_BASE_URL="https://auth.acme-dns.io"
#
# You can optionally define an already existing account:
#
# export ACMEDNS_USERNAME="<username>"
# export ACMEDNS_PASSWORD="<password>"
# export ACMEDNS_SUBDOMAIN="<subdomain>"

./acme.sh --issue --dns dns_acmedns -d example.com -d *.example.com
The credentials will be saved in ~/.acme.sh/account.conf and will be reused when needed.

46. Use TELE3 API
First you need to login to your TELE3 account to set your API-KEY. https://www.tele3.cz/system-acme-api.html

export TELE3_Key="<key>"
export TELE3_Secret="<secret>"

./acme.sh --issue --dns dns_tele3 -d example.com -d *.example.com
The TELE3_Key and TELE3_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.

47. Use EUserv.eu API
First you need to login to your euserv.eu account and activate your API Administration (API Verwaltung). https://support.euserv.com

Once you've activated, login to your API Admin Interface and create an API account. Please specify the scope (active groups: domain) and assign the allowed IPs.

export EUSERV_Username="99999.user123"
export EUSERV_Password="<password>"
Ok, let's issue a cert now: (Be aware to use the --insecure flag, because the euserv.eu is still using self-signed certificates!)

./acme.sh --issue --dns dns_euserv -d example.com -d *.example.com --insecure
The EUSERV_Username and EUSERV_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues to github@initit.de

48. Use DNSPod.com domain API to automatically issue cert
First you need to get your API Key and ID by this get-the-user-token.

export DPI_Id="<id>"
export DPI_Key="<key>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_dpi -d example.com -d *.example.com
The DPI_Id and DPI_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

49. Use Google Cloud DNS API to automatically issue cert
First you need to authenticate to gcloud.

gcloud init
The dns_gcloud script uses the active gcloud configuration and credentials. There is no logic inside dns_gcloud to override the project and other settings. If needed, create additional gcloud configurations. You can change the configuration being used without activating it; simply set the CLOUDSDK_ACTIVE_CONFIG_NAME environment variable.

To issue a certificate you can:

export CLOUDSDK_ACTIVE_CONFIG_NAME=default  # see the note above
./acme.sh --issue --dns dns_gcloud -d example.com -d *.example.com
dns_gcloud also supports DNS alias mode.

50. Use ConoHa API
First you need to login to your ConoHa account to get your API credentials.

export CONOHA_Username="xxxxxx"
export CONOHA_Password="xxxxxx"
export CONOHA_TenantId="xxxxxx"
export CONOHA_IdentityServiceApi="https://identity.xxxx.conoha.io/v2.0"
To issue a cert:

./acme.sh --issue --dns dns_conoha -d example.com -d *.example.com
The CONOHA_Username, CONOHA_Password, CONOHA_TenantId and CONOHA_IdentityServiceApi will be saved in ~/.acme.sh/account.conf and will be reused when needed.

51. Use netcup DNS API to automatically issue cert
First you need to login in your CCP account to get your API Key and API Password.

export NC_Apikey="<Apikey>"
export NC_Apipw="<Apipassword>"
export NC_CID="<Customernumber>"
Now, let's issue a cert:

./acme.sh --issue --dns dns_netcup -d example.com -d *.example.com
The NC_Apikey,NC_Apipw and NC_CID will be saved in ~/.acme.sh/account.conf and will be reused when needed.

52. Use GratisDNS.dk
Removed

53. Use Namecheap
You will need your namecheap username, API KEY (https://www.namecheap.com/support/api/intro.aspx) and your external IP address (or a URL to get it), this IP will need to be whitelisted at Namecheap. Due to Namecheap's API limitation all the records of your domain will be read and re applied, make sure to have a backup of your records you could apply if any issue would arise.

export NAMECHEAP_USERNAME="..."
export NAMECHEAP_API_KEY="..."
export NAMECHEAP_SOURCEIP="..."
The NAMECHEAP_SOURCEIP can either be an IP address or a URL to provide it (e.g. https://ifconfig.co/ip).

The username and password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Now you can issue a certificate.

./acme.sh --issue --dns dns_namecheap -d example.com -d *.example.com
Report any bugs or issues here

54. Use MyDNS.JP API
First, register to MyDNS.JP and get MasterID and Password.

export MYDNSJP_MasterID="<MasterID>"
export MYDNSJP_Password="<Password>"
To issue a certificate:

./acme.sh --issue --dns dns_mydnsjp -d example.com -d *.example.com
The MYDNSJP_MasterID and MYDNSJP_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

55. Use hosting.de API
Create an API key in your hosting.de account here: https://secure.hosting.de

The key needs the following rights:

DNS_ZONES_EDIT
DNS_ZONES_LIST
Set your API Key and endpoint:

export HOSTINGDE_APIKEY='xxx'
export HOSTINGDE_ENDPOINT='https://secure.hosting.de'
The plugin can also be used for the http.net API. http.net customers have to set endpoint to https://partner.http.net.

Ok, let's issue a cert now:

./acme.sh --issue --dns dns_hostingde -d example.com -d *.example.com
The hosting.de API key and endpoint will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

56. Use Neodigit.net API
export NEODIGIT_API_TOKEN="<token>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_neodigit -d example.com -d *.example.com
Neodigit API Token will be saved in ~/.acme.sh/account.conf and will be used when needed.

57. Use Exoscale API
Create an API key and secret key in the Exoscale account section

Set your API and secret key:

export EXOSCALE_API_KEY='<api key>'
export EXOSCALE_SECRET_KEY='<secret key>'
Now, let's issue a cert:

./acme.sh --issue --dns dns_exoscale -d example.com -d *.example.com
The EXOSCALE_API_KEY and EXOSCALE_SECRET_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

58. Using PointHQ API to issue certs
Log into PointHQ account management and copy the API key from the page there.

export PointHQ_Key="apikeystringgoeshere"
exportPointHQ_Email="accountemail@yourdomain.com"
You can then issue certs by using:

./acme.sh --issue --dns dns_pointhq -d example.com -d *.example.com
Report any bugs or issues here

59. Use Active24 API
Create an API token in the Active24 account section, documentation on https://faq.active24.com/cz/790131-REST-API-rozhran%C3%AD.

Set your API token:

export ACTIVE24_Token='<token>'
Now, let's issue a cert, set dnssleep for propagation new DNS record:

./acme.sh --issue --dns dns_active24 -d example.com -d *.example.com --dnssleep 1000
The ACTIVE24_Token will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

60. Use do.de API
Create an API token in your do.de account (Create token here | Documentation).

Set your API token:

export DO_LETOKEN="<token>"
To issue a certificate run:

./acme.sh --issue --dns dns_doapi -d example.com -d *.example.com
The API token will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

61. Use Nexcess API
First, you'll need to login to the Nexcess.net Client Portal and generate a new API token.

Once you have a token, set it in your system's environment:

export NW_API_TOKEN="YOUR_TOKEN_HERE"
export NW_API_ENDPOINT="https://portal.nexcess.net"
Finally, we'll issue the certificate: (Nexcess DNS publishes at max every 15 minutes, we recommend setting a 900 second --dnssleep)

./acme.sh --issue --dns dns_nw -d example.com -d *.example.com --dnssleep 900
The NW_API_TOKEN and NW_API_ENDPOINT will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

62. Use Thermo.io API
First, you'll need to login to the Thermo.io Client Portal and generate a new API token.

Once you have a token, set it in your system's environment:

export NW_API_TOKEN="YOUR_TOKEN_HERE"
export NW_API_ENDPOINT="https://core.thermo.io"
Finally, we'll issue the certificate: (Thermo DNS publishes at max every 15 minutes, we recommend setting a 900 second --dnssleep)

./acme.sh --issue --dns dns_nw -d example.com -d *.example.com --dnssleep 900
The NW_API_TOKEN and NW_API_ENDPOINT will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

63. Use Futurehosting API
First, you'll need to login to the Futurehosting Client Portal and generate a new API token.

Once you have a token, set it in your system's environment:

export NW_API_TOKEN="<YOUR_TOKEN_HERE>"
export NW_API_ENDPOINT="https://my.futurehosting.com"
Finally, we'll issue the certificate: (Futurehosting DNS publishes at max every 15 minutes, we recommend setting a 900 second --dnssleep)

./acme.sh --issue --dns dns_nw -d example.com -d *.example.com --dnssleep 900
The NW_API_TOKEN and NW_API_ENDPOINT will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

64. Use Rackspace API
Set username and API key, which is available under "My Profile & Settings"

export RACKSPACE_Username="<username>"
export RACKSPACE_Apikey="<key>"
Now, let's issue a cert:

./acme.sh --issue --dns dns_rackspace -d example.com -d *.example.com
Report any bugs or issues here

65. Use Online API
Note: the online.net was renamed to scaleway.com and is the same as one.com

First, you'll need to retrieve your online.net API key, which is available under https://console.online.net/en/api/access

export ONLINE_API_KEY='<key>'
To issue a cert run:

./acme.sh --issue --dns dns_online -d example.com -d *.example.com
ONLINE_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

66. Use MyDevil.net
Make sure that you can execute own binaries:

devil binexec on
Install acme.sh, or simply git clone it into some directory on your MyDevil host account (in which case you should link to it from your ~/bin directory).

If you're not using private IP and depend on default IP provided by host, you may want to edit crontab too, and make sure that acme.sh --cron is run also after reboot (you can find out how to do that on their wiki pages).

To issue a new certificate, run:

./acme.sh --issue --dns dns_mydevil -d example.com -d *.example.com
After certificate is ready, you can install it with deploy command.

Report any bugs or issues here

67. Use Core-Networks API to automatically issue cert
First you need to login to your Core-Networks.de account to set up an API-User. Then export username and password to use these credentials.

export CN_User="<user>"
export CN_Password="<password>"
Ok, let's issue a cert now:

./acme.sh --issue --dns dns_cn -d example.com -d *.example.com
The CN_User and CN_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

68. Use NederHost API
Create an API token in Mijn NederHost.

Set your API key:

export NederHost_Key='xxx'
To issue a certificate run:

./acme.sh --issue --dns dns_nederhost -d example.com -d *.example.com
Report any bugs or issues here

69. Use Zone.ee DNS API
First, you'll need to retrieve your API key. Estonian instructions https://help.zone.eu/kb/zoneid-api-v2/

export ZONE_Username=yourusername
export ZONE_Key=keygoeshere
To issue a cert run:

./acme.sh --issue --dns dns_zone -d example.com -d *.example.com
ZONE_Username and ZONE_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

70. Use UltraDNS API
UltraDNS is a paid for service that provides DNS, as well as Web and Mail forwarding (as well as reporting, auditing, and advanced tools).

More information can be found here: https://www.security.neustar/lp/ultra20/index.html

The REST API documentation for this service is found here: https://portal.ultradns.com/static/docs/REST-API_User_Guide.pdf

Set your UltraDNS username, and password; these would be the same you would use here:

https://portal.ultradns.com/ - or if you create an API only user, that username and password would be better utilized.

export ULTRA_USR="<username>"
export ULTRA_PWD="<password>"
To issue a cert run:

./acme.sh --issue --dns dns_ultra -d example.com -d *.example.com
ULTRA_USR and ULTRA_PWD will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

71. Use deSEC.io
Sign up for deSEC.io dynDNS at https://desec.io first.

Set your API token (password) by generating one from your account on desec.io. It's also a good idea to restrict the IPv4 / IPv6 address(es) it can be used from.

export DEDYN_TOKEN="<token>"
To issue a certificate run:

./acme.sh --issue --dns dns_desec -d foobar.dedyn.io -d *.foobar.dedyn.io
Report any bugs or issues here

72. Use OpenProvider API
First, you need to enable API access and retrieve your password hash on https://rcp.openprovider.eu/account/dashboard.php

export OPENPROVIDER_USER="<username>"
export OPENPROVIDER_PASSWORDHASH="<hash>"

./acme.sh --issue --dns dns_openprovider -d example.com -d *.example.com
OPENPROVIDER_USER and OPENPROVIDER_PASSWORDHASH will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

73. Use MaraDNS API
Make sure you've configured MaraDNS properly and set up a zone file for your domain. See csv2(5).

Set the path to your zone file, and path to duende's pid file. See, duende(8) or ps -C duende o pid,cmd). The pid file is used to ask duende to reload the configuration automatically after DNS records are added.

export MARA_ZONE_FILE="/etc/maradns/db.domain.com"
export MARA_DUENDE_PID_PATH="/run/maradns/etc_maradns_mararc.pid"
Ensure that the acme.sh process has write access to the zone file and read access to the pid file.

Issuing a certificate:

./acme.sh --issue --dns dns_maradns -d example.com -d *.example.com
MARA_ZONE_FILE and MARA_DUENDE_PID_PATH will be saved in ~/.acme.sh/account.conf and will be reused when needed.

Report any bugs or issues here

74. Use Hetzner API
Get the API Token: Use dnsConsole to create your hetzner api token.

Issuing a certificate (using LetsEncrypt):

export HETZNER_Token="<token>"
./acme.sh --issue --dns dns_hetzner -d example.com -d *.example.com --server letsencrypt
Report any bugs or issues here

75. Use DDNSS.de API
First create an account at https://ddnss.de. After that create a new host record. In the definition for the host make sure to set the checkbox for "Wildcard" and for "TXT".

Note your Api Key (aka "Update Key") displayed at ddnss.de and export in DDNSS_Token variable

export DDNSS_Token="<token>"
**Note: Every Cert needs it own Update Key, if you already use the Update Key please generate a new one and export to DDNSS_Token before issue a new Cert. **

After that you can issue a new certificate:

./acme.sh --issue --dns dns_ddnss -d example.com -d *.example.com
Report any bugs or issues here

76. Use NLnetLabs NSD
You need to export two variables. Your zonefile which the script will automatically edit:

export Nsd_ZoneFile="/etc/nsd/zones/example.com.zone"
And something that calls the nsd-control reload command, either via a script:

export Nsd_Command="/usr/local/bin/sign-and-update.sh example.com"
or directly:

export Nsd_Command="sudo nsd-control reload example.com"
The variables are saved per-domain, not per-account.

To issue a new certificate, run:

./acme.sh --issue --dns dns_nsd -d example.com -d *.example.com
Report any bugs or issues here

More APIs see here...

Buy me a beer, Donate to acme.sh if it saves your time. Your donation makes acme.sh better: https://donate.acme.sh/

如果 acme.sh 帮你节省了时间,请考虑赏我一杯啤酒🍺, 捐助: https://donate.acme.sh/ 你的支持将会使得 acme.sh 越来越好. 感谢

Footer
© 2023 GitHub, Inc.
Footer navigation
Terms
Privacy
Security
Status
Docs
Contact
Manage cookiesDo not share my personal information