Autorenewal of --manual certificates with BIND server and Apache (dns-challenge)


My domain is:

I ran this command:
certbot certonly --server --manual --preferred-challenges dns -d 'electroman,*'

It produced this output:
Successfully received certificate.

My web server is (include version): Apache/2.4.57 (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 12 (bookworm) (GNU/Linux 6.1.21-v8+ aarch64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.1.0

I have already set up Certbot (not snap or docker container) and am able to get a certificate when I manually issue the above command, and am able to edit my BIND DNS records manually.

The question I have, after looking extensively through Google, etc., is how do I set up an automatic script to edit my DNS zone files which automatically interacts with the Let's Encrypt servers to edit my Apache web server config, and BIND DNS server zone files to insert the TXT records which the Certbot verification requires for my certificates to be automatically created and renewed?

I've seen the and example scripts, but the only examples I've seen out there are for using Cloudflare as the DNS provider.

Is there some sort of example script for this situation for running on an Apache2 web server, and running a BIND DNS server on Debian? Maybe Debian is a little too specific, and not really required, but with quite a lot of Internet-facing domain names, the manual process... CLI command, then TXT string received, edit BIND zone records with zone record serial number incrementing, named-checkzone command for that domain zone record, followed by reloading BIND, and then continuing the certbot program prompt after this... it is a process which is quite tedious... multiplied by however many domain names need certificates.

If someone could provide an example script for the and the for this scenario, or something generic even, but which involves automatically interacting with the Apache web server and BIND server files on the same server, instead of just issuing a remote command to some other DNS server for a domain record change, it would be MUCH appreciated! Even just pointing me in the right direction would do better than trying to modify the example Cloudflare automation script.

Thanks for any help!


See for ideas.


Thank you!
Also, I had completely forgotten about acme-dns-certbot, see How To Acquire a Let's Encrypt Certificate Using DNS Validation with acme-dns-certbot, which may be the route I want to go again.


I don't use this myself but I think this would work too


Yup, BIND works perfectly with RFC 2136 with that official Certbot plugin. I use it myself 🙂

I would recommend using certbot-dns-rfc2136. You can fine-tune the permissions you give the Certbot key in your BIND configuration, so it doesn't necessarily mean a big security risk. Not bigger than acme-dns IMO.
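
One way to check the "fine-tune the permissions" point above, as an added example that is not from the thread or from Certbot: a small Python audit that flags BIND zones where the Certbot TSIG key can update more than the `_acme-challenge` TXT record. The zone `example.com`, the key name `certbot.` and both config fragments are constructed, and the parser only covers this simplified subset of named.conf syntax.

```python
import re

# Constructed named.conf fragments; zone and key names are placeholders.
BROAD = '''zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-update { key "certbot."; };
};
'''
NARROW = '''zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    update-policy {
        grant certbot. name _acme-challenge.example.com. txt;
    };
};
'''

ZONE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)^\};', re.S | re.M)
ALLOW = re.compile(r'allow-update\s*\{([^}]*)\}')
GRANT = re.compile(r'grant\s+([^;]+);')

def norm(name):
    return name.strip('"').rstrip('.').lower()

def audit(conf, key):
    """Return (zone, problem) pairs where `key` can change more than ACME TXT records."""
    findings = []
    for zone, body in ZONE.findall(conf):
        for acl in ALLOW.findall(body):
            if re.search(r'key\s+"?%s\.?"?\s*;' % re.escape(norm(key)), acl, re.I):
                findings.append((zone, "allow-update: key may change any record"))
        for rule in GRANT.findall(body):
            parts = rule.split()
            if len(parts) < 2 or norm(parts[0]) != norm(key):
                continue
            ruletype, rest = parts[1].lower(), parts[2:]
            # 'zonesub' takes no name argument; the other rule types handled here do.
            target = norm(rest.pop(0)) if rest and ruletype != "zonesub" else ""
            types = [t.lower() for t in rest]  # no types listed means almost all types
            if ruletype != "name" or not target.startswith("_acme-challenge."):
                findings.append((zone, "grant %s: not limited to an _acme-challenge name" % ruletype))
            elif types != ["txt"]:
                findings.append((zone, "grant: record types not limited to TXT"))
    return findings

if __name__ == "__main__":
    print(audit(BROAD, "certbot."))   # one finding: allow-update
    print(audit(NARROW, "certbot."))  # no findings
```

With the narrow `update-policy`, a leaked Certbot key can only write TXT data at the one challenge name, so A, MX and NS records in the zone stay out of its reach.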


Okay, great! I'd prefer to go with a Certbot plugin, rather than a different solution. I think I had remembered doing the acme-dns-certbot route in the beginning (a while ago) which I had run across in a DigitalOcean post, but I'll look into undoing that, and implementing this. Thanks for the help everyone!


Well, there's nothing wrong with acme-dns-certbot, at least, if you're running your own acme-dns instance 🙂 Depending on the setup it might be the most secure implementation.
