DNS providers who easily integrate with Let's Encrypt DNS validation


#1

In the spirit of Web Hosting who support Let's Encrypt and CDN Providers who support Let's Encrypt, I wanted to compile a list of DNS providers that feature a workflow (e.g. an API and existing ACME client integrations) that is a good fit for Let’s Encrypt’s DNS validation.

It should serve as a signpost for those who want to use DNS validation (wildcards, firewall problems) and are looking for an automatic solution.

FYI: Any DNS host that supports adding TXT records can be used with Let’s Encrypt DNS validation, but the ones listed here have been confirmed to be explicitly supported by existing ACME clients.

FYI: Your DNS host is not the same place where you register your domain (but it can be). Your DNS host is where you manage your DNS records and where your domain’s nameservers point. You can change DNS hosting at any time, for free.

Criteria for inclusion:

  1. It must support automation for all users (i.e. it has an API and the API is not restricted to certain users)
  2. At least one ACME client must support it (indirect support like Lexicon is OK) or a published hook for an ACME client must exist for it
  3. DNS updates must apply reasonably quickly: within 30 minutes

The List

| DNS Hosting Provider | ACME Client Support | Cost |
|---|---|---|
| Aliyun (CN) & Alibaba Cloud DNS (EN) | acme.sh, lego, Posh-ACME | Bundled with domain registration or Cloud DNS pricing |
| Amazon Route53 | Certbot, acme.sh, others | ~$0.50/mo per domain |
| Azure DNS | acme.sh, lego, others | ~$0.50/mo per domain |
| Cloudflare | Certbot, acme.sh, others | Free |
| ClouDNS | acme.sh, lego, others | >= $1.95/mo (with API-support) |
| CloudXNS | Certbot, acme.sh, lego | Free, Chinese only |
| DigitalOcean | Certbot, acme.sh, others | Free |
| dns.he.net | acme.sh (no API, HTTP emulation) | Free |
| DNS Made Easy | Certbot, acme.sh, others | $29.95/yr per 10 domains |
| DNSPod.com | acme.sh, lego | Free |
| DNSimple | Certbot, acme.sh, others | $5/mo |
| DuckDNS | acme.sh, lego, others | Free |
| Dyn | acme.sh, lego, others | $7/mo |
| Dynu | acme.sh, Posh-ACME | Free |
| FreeDNS/afraid.org | acme.sh (no API, HTTP emulation) | Free (if you share your domain with others) |
| Google Cloud DNS | Certbot, acme.sh, others | ~$0.20/mo |
| Luadns | Certbot, acme.sh, others | Free |
| MyDNS.jp | acme.sh, lego | Free |
| NS1 | Certbot, acme.sh, others | ? (Free “developer” plan) |
| OVH | Certbot, acme.sh, others | Free |
| PointHQ | acme.sh | $25/mo per 10 domains |
| Rackspace Cloud DNS | acme.sh, lego, Posh-ACME, others | Free |
| Selectel | acme.sh, lego | Free |
| StackPath | lego | $10/mo |
| Vultr | acme.sh (via Lexicon), lego, others | Free |
| Yandex.Mail | acme.sh | Free |
| Zilore | acme.sh | $5/mo or higher for API access |
| Zonomi | acme.sh, Posh-ACME | Free |
| Domain Registrar: Active24 | acme.sh | Bundled with domain registration |
| Domain Registrar: alwaysdata | acme.sh | Bundled with domain registration |
| Domain Registrar: ConoHa | acme.sh, lego | Bundled with domain registration (Japanese) |
| Domain Registrar: cyon.ch | acme.sh | Bundled with domain registration |
| Domain Registrar: do.de | acme.sh, lego | Bundled with domain registration |
| Domain Registrar: DreamHost | acme.sh, lego | ? (bundled with domain registration or hosting?) |
| Domain Registrar: Euserv | acme.sh | Bundled with domain registration |
| Domain Registrar: Exoscale | acme.sh, lego | Bundled with domain registration |
| Domain Registrar: Futurehosting | acme.sh | Bundled with domain registration |
| Domain Registrar: Gandi | acme.sh, lego | Bundled with domain registration |
| Domain Registrar: GoDaddy | acme.sh, lego, others | Bundled with domain registration |
| Domain Registrar: GratisDNS.dk | acme.sh | Bundled with domain registration (Danish) |
| Domain Registrar: hosting.de | acme.sh, lego | Bundled with domain registration (German) |
| Domain Registrar: internetx.com | acme.sh, lego, Posh-ACME | Bundled with domain registration |
| Domain Registrar: inwx.de | acme.sh, lego | Bundled with domain registration |
| Domain Registrar: Loopia.se | acme.sh | Bundled with domain registration (Swedish) |
| Domain Registrar: name.com | acme.sh, lego, others | Bundled with domain registration |
| Domain Registrar: Namesilo | Certbot, acme.sh | Bundled with domain registration |
| Domain Registrar: Neodigit.net | acme.sh | Bundled with domain registration (Spanish) |
| Domain Registrar: netcup | acme.sh, lego | Bundled with domain registration |
| Domain Registrar: Nexcess | acme.sh | Bundled with domain registration |
| Domain Registrar: Online.net | acme.sh | Bundled with domain registration |
| Domain Registrar: Servercow | acme.sh | Bundled with domain registration (German) |
| Domain Registrar: TELE3 | acme.sh | Bundled with domain registration (Czech) |
| Domain Registrar: UnoEuro | acme.sh | Bundled with domain registration |
| Web Host: KingHost | acme.sh | Free (adult-only web host) |
| Web Host: Linode | Certbot, acme.sh, others | Bundled with hosting |
| Web Host: Thermo.io | acme.sh | Variable hosting fee |
| Self-Hosted: acme-dns | Certbot, acme.sh, others | Free, Open Source |
| Self-Hosted: cPanel | Certbot | $20/mo licence or variable cost for shared cPanel hosting |
| Self-Hosted: DirectAdmin | acme.sh | Free |
| Self-Hosted: ISPConfig | acme.sh | Free |
| Self-Hosted: Knot (knsupdate) | acme.sh | Free, Open Source |
| Self-Hosted: PowerDNS | acme.sh, lego | Free, Open Source |

Wiki instructions:

Please list DNS Hosting providers first by their type (‘DNS Host’, ‘Domain Registrar’, ‘Web Host’ or ‘Self-Hosted’) and then alphabetically.

For the ‘Cost’ column, please include the lowest cost to host a zone where any ACME client can perform automatic DNS validation.

For the ‘ACME Client Support’ column, feel free to include other ACME clients, but please make a reasonable and honest effort to keep the order of the clients in descending popularity (e.g. Certbot should always be first). Covering all platforms (UNIX-likes + Windows) is a good target also.

NameCheap is intentionally not included because they do not open API access unless some opaque requirements are met (spend at least $x), failing the first criterion.


#2

acme.sh supports more than 60 DNS APIs:

I think you can add more here.

Thanks.


#3

There are quite a few listed that are non-English, I would appreciate it if native speakers would be able to confirm cost and absence of other conditions to API access. The post is a wiki that anybody can edit.


#4

Oh, I didn’t notice that everyone can edit your post.

I will edit it soon.

Thanks.


#5

Hi @_az

Where can I find the full DNS support list of Certbot?

Thanks.


#6

I’m not sure what the official reference is - I just looked at the certbot-dns-* directories in https://github.com/certbot/certbot/tree/master/ . I have not included every one of them, as they were also in other languages and I wasn’t able to confirm their nature.


#7

Hi @_az ,
I just added some; would you please take a look?
Please let me know if you have any thoughts.

I will add more later.

Thanks.


#8

Linode’s DNS service is no extra cost for customers, but not available for free in general like something like dns.he.net.


#9

Thanks

Thanks a lot. If you do not mind, I moved all the “selfhosted” software to the bottom of the list, since they are not really DNS Providers. But if you think they are worth including then that sounds OK to me.

Also, is the “reseller-only” comment about do.de accurate? I notice that acme.sh implements do.de twice - once for reseller API, once for consumer API. Is that the right interpretation?


#10

ahhhh, yes, you are correct. I just removed the comment.
Thanks


#11

Just another question: It will be better to add the providers not alphabetically.
You know it’s really a pain to add 60+ providers alphabetically.
I would suggest just appending to the end.
What do you think?


#12

I think it helps readability a lot. I’ll be happy to sort them occasionally if you want to just append to end.


#13

That will be good.

But I don’t agree with you that it helps readability a lot.
If I were a user checking the list, I wouldn’t read the list (it’s also a pain to READ such a list; even alphabetically, the list will be too loooooong to read, just try it). Instead, I would just press Ctrl+F and search for my DNS provider name.

Let me know what you think.
Thanks.


#14

The Aliyun entry indicates it is Chinese only. However, Alibaba Cloud DNS appears to be the English equivalent site. The URL for the DNS management console (for example) is https://dns.console.aliyun.com/#/dns/domainList (and ultimately what I used to develop Posh-ACME’s plugin for it).

Not sure if that means we should remove “Chinese Only” or add something like “English supported via Alibaba Cloud”.

Is the “Domain Registrar” tag supposed to imply it’s primarily or only a domain registrar or just that it happens to provide registrar services as well?

P.S. Thanks for this! It has been sorely needed for some time.


#15

The thought occurs to me that it might help to separate providers that are basically just Domain Registrars with an API versus everyone else. These tend to be less useful to potential LE users because it requires either buying the domain directly from them or at least transferring the domain to them, which can be a bit of a hassle (particularly if you’re trying to help another person move to that provider).

It might also be useful to differentiate between providers whose primary business is DNS hosting versus more generic cloud providers who happen to have a DNS hosting option. But that’s probably less important. The main distinction should probably be whether you can simply point NS records from your existing registrar to this provider or whether you have to do a domain transfer in order to get your zone hosted with them.

Dynamic DNS providers where you must use their domain name might also be a useful separation.

(Man, this is why I never started a thread like this myself…too many complications)


#16

Yeah! That’s what I wanted to achieve. :cold_sweat:. Any reader should be able to show up to the thread and pick out a new DNS provider for their domain without strings attached.

ISTM everything like DuckDNS, Yandex.Mail, StackPath etc should be removed, along with all the self-hosted stuff, and arguably all the registrars and web hosts too. Otherwise the list is just a compatibility matrix. But I’m afraid to pull the plug on that so early on.

Thanks, re-organized it and added English links.


#18

I notice that every entry (with two exceptions, StackPath and cPanel) is supported by acme.sh. In the interest of simplifying the list, might it be better to note something like “unless noted otherwise, all of the following are supported by acme.sh”, and then removing it from the relevant entries?