The difficulty with --manual and manually editing DNS records is that Certbot needs to be able to perform that same task automatically.
You need an authentication script which will automatically do the equivalent steps of logging into your DNS provider and adding the required TXT records, at every renewal.
How to do that largely depends on who your DNS provider is and how easy they make that process. See also: DNS providers who easily integrate with Let's Encrypt DNS validation.
Here are some things to consider:
- Do you really need to use DNS validation? Sometimes, the answer is yes. But it's worth thinking about whether there's a simpler way to get a Let's Encrypt certificate.
- If you are using DNS validation because you want a wildcard certificate, reconsider whether a non-wildcard certificate with multiple names on it would also work. They are much simpler to obtain.
- Can you move to a DNS host for which an integration already exists in an ACME client, like Certbot or acme.sh or lego or something else?
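As an added example (not part of the post above), this is the skeleton of the authentication script the reply describes, written as a Certbot `--manual-auth-hook`: Certbot exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` when it runs the hook, the `dns-provider-cli` command stands in for whatever API call your DNS host actually needs, and the script waits for the record to be visible in public DNS before handing back to Certbot.

```shell
#!/bin/sh
# Added example: skeleton of a Certbot --manual-auth-hook script.
# CERTBOT_DOMAIN and CERTBOT_VALIDATION are set by Certbot; the
# dns-provider-cli call is an assumed placeholder for your provider's API.
set -eu

# Build the TXT record name Certbot expects for a given domain.
# A wildcard name (*.example.com) validates at _acme-challenge.example.com.
acme_record_name() {
    domain=$1
    case "$domain" in
        \*.*) domain=${domain#\*.} ;;
    esac
    printf '_acme-challenge.%s\n' "$domain"
}

# Poll a public resolver until the TXT value is visible, so the CA is not
# asked to validate before the new record has propagated.
wait_for_txt() {
    name=$1 value=$2 tries=${3:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" @1.1.1.1 | grep -Fq "\"$value\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record $name did not propagate in time" >&2
    return 1
}

main() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    # Assumed provider CLI: replace with your DNS host's real API call.
    dns-provider-cli add-txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

# Only run when invoked by Certbot (CERTBOT_DOMAIN set), so the functions
# can also be sourced and exercised on their own.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

A matching `--manual-cleanup-hook` that deletes the same record after validation keeps stale `_acme-challenge` TXT records from piling up across renewals.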