DNS providers who easily integrate with Let's Encrypt DNS validation

In the spirit of Web Hosting who support Let's Encrypt and CDN Providers who support Let's Encrypt, I wanted to compile a list of DNS providers that feature a workflow (e.g. an API and existing ACME client integrations) that is a good fit for Let's Encrypt's DNS validation.

It should serve as a signpost for those who want to use DNS validation (wildcards, firewall problems) and are looking for an automatic solution.

FYI: The DNS hosts listed here are ones that are confirmed to support automated certificate issuance and renewal with existing ACME clients. Although it is technically possible to issue and renew certificates by manually updating TXT records every 60-90 days, it is not a recommended way to use Let's Encrypt DNS validation.

FYI: Your DNS host is not the same place where you register your domain (but it can be). Your DNS host is where you manage your DNS records and where your domain's nameservers point. You can change DNS hosting at any time, for free.

Criteria for inclusion:

  1. It must support automation for all users (i.e. it has an API and the API is not restricted to certain users)
  2. At least one ACME client must support it (indirect support like Lexicon is OK) or a published hook for an ACME client must exist for it
  3. DNS updates must apply reasonably quickly: within 30 minutes

The List

DNS Hosting Provider ACME Client Support Cost
Akamai Edge DNS Certbot, lego, Posh-ACME , acme.sh Contract Specific
Aliyun (CN) & Alibaba Cloud DNS (EN) acme.sh, lego, Posh-ACME Bundled with domain registration or Cloud DNS pricing
Amazon Route53 Certbot, acme.sh, others ~$0.50/mo per domain
Azure DNS acme.sh, lego, Posh-ACME ~$0.50/mo per domain
Cloudflare Certbot, acme.sh, others Free (except for Freenom domains)
ClouDNS acme.sh, lego, Posh-ACME, others >= $2.95/mo (with API-support)
CloudXNS Certbot, acme.sh, lego Free, Chinese only
deSEC Certbot, acme.sh, others Free
DigitalOcean Certbot, acme.sh, others Free
DNS Made Easy Certbot, acme.sh, others $59.95/yr (Business Membership gives API access)
DNSimple Certbot, acme.sh, others $5/mo
DNSPod.com acme.sh, lego, Posh-ACME Free
DuckDNS acme.sh, lego, others Free
Dyn acme.sh, lego, others $7/mo
Dynu acme.sh, lego, Posh-ACME Free
EasyDNS acme.sh, lego, Posh-ACME Bundled with domain registration (250k queries/month) or $20/yr for 1 MM queries/month
FreeDNS/afraid.org acme.sh, Posh-ACME (no API, HTTP emulation) Free (if you share your domain with others)
Google Cloud DNS Certbot, acme.sh, others ~$0.20/mo
Hetzner lego, Posh-ACME Free
Hurricane Electric acme.sh, Posh-ACME (no API, HTTP emulation) Free
IBM Cloud DNS Posh-ACME $275/mo per domain for Standard plan
Luadns Certbot, acme.sh, others Free
MyDNS.jp acme.sh, lego Free
NS1 Certbot, acme.sh, others ? (Free "developer" plan)
Open Telekom Cloud lego 0,36 €/mo per zone
OVH Certbot, acme.sh, others Free
PointHQ acme.sh, Posh-ACME $25/mo per 10 domains
Rackspace Cloud DNS acme.sh, lego, Posh-ACME, others Free
Selectel acme.sh, lego, Posh-ACME Free
Shellrent Certbot, acme.sh 1, €/y per zone
StackPath lego $10/mo
Vultr acme.sh (via Lexicon), lego, others Free
Yandex.Mail acme.sh, lego, Posh-ACME Free
Zilore acme.sh $5/mo or higher for API access
Zonomi acme.sh, lego, Posh-ACME Free
Domain Registrar: Active24 acme.sh Bundled with domain registration
Domain Registrar: alwaysdata acme.sh Bundled with domain registration
Domain Registrar: ConoHa acme.sh, lego Bundled with domain registration (Japanese)
Domain Registrar: cyon.ch acme.sh Bundled with domain registration
Domain Registrar: do.de acme.sh, lego, Posh-ACME Bundled with domain registration
Domain Registrar: domeneshop acme.sh, Posh-ACME Bundled with domain registration
Domain Registrar: DreamHost acme.sh, lego, Posh-ACME ? (bundled with domain registration or hosting?)
Domain Registrar: Euserv acme.sh Bundled with domain registration
Domain Registrar: Exoscale acme.sh, lego Bundled with domain registration
Domain Registrar: Futurehosting acme.sh Bundled with domain registration
Domain Registrar: Gandi acme.sh, lego, Posh-ACME Bundled with domain registration
Domain Registrar: GoDaddy acme.sh, lego, Posh-ACME Bundled with domain registration
Domain Registrar: GratisDNS.dk acme.sh Bundled with domain registration (Danish)
Domain Registrar: hosting.de acme.sh, lego Bundled with domain registration (German)
Domain Registrar: internetx.com acme.sh, lego, Posh-ACME Bundled with domain registration
Domain Registrar: inwx.de acme.sh, lego Bundled with domain registration
Domain Registrar: Loopia.se acme.sh, Posh-ACME Bundled with domain registration (Swedish)
Domain Registrar: name.com acme.sh, lego, Posh-ACME Bundled with domain registration
Domain Registrar: Namesilo Certbot, acme.sh, lego Bundled with domain registration
Domain Registrar: Neodigit.net acme.sh Bundled with domain registration (Spanish)
Domain Registrar: netcup acme.sh, lego Bundled with domain registration
Domain Registrar: Nexcess acme.sh Bundled with domain registration
Domain Registrar: Online.net acme.sh Bundled with domain registration
Domain Registrar: reg.ru (reg.com) acme.sh, lego, Posh-ACME Bundled with domain registration (Russian)
Domain Registrar: Servercow acme.sh, lego Bundled with domain registration (German)
Domain Registrar: TELE3 acme.sh Bundled with domain registration (Czech)
Domain Registrar: UnoEuro acme.sh, Posh-ACME Bundled with domain registration
Domain Registrar: Zone.eu acme.sh, lego Bundled with domain registration
Web Host: KingHost acme.sh Free (adult-only web host)
Web Host: Linode Certbot, acme.sh, others Bundled with hosting
Web Host: Thermo.io acme.sh Variable hosting fee
Self-Hosted: acme-dns Certbot, acme.sh, others Free, Open Source
Self-Hosted: BlueCat Posh-ACME Enterprise DDI (Contract Specific)
Self-Hosted: cPanel Certbot $20/mo licence or variable cost for shared cPanel hosting
Self-Hosted: DirectAdmin acme.sh Free
Self-Hosted: Infoblox acme.sh, Posh-ACME Enterprise DDI (Contract Specific)
Self-Hosted: ISPConfig acme.sh Free
Self-Hosted: Knot (knsupdate) acme.sh Free, Open Source
Self-Hosted: PowerDNS acme.sh, lego Free, Open Source
Self-Hosted: Simple DNS Plus Posh-ACME $79 for 5 zone license
Self-Hosted: Windows DNS Posh-ACME Free with Windows Server OS license

Wiki instructions:

Please list DNS Hosting providers first by their type ('DNS Host', 'Domain Registrar', 'Web Host' or 'Self-Hosted') and then alphabetically.

For the 'Cost' column, please include the lowest cost to host a zone where any ACME client can perform automatic DNS validation.

For the 'ACME Client Support' column, feel free to include other ACME clients, but please make a reasonable and honest effort to keep the order of the clients in descending popularity (e.g. Certbot should always be first). Covering all platforms (UNIX-likes + Windows) is a good target also.

NameCheap is intentionally not included because they do not open API access unless some opaque requirements are met (spend at least $x), failing the first criteria.

14 Likes

acme.sh supported more than 60 dns apis:

I think you can add more here.

Thanks.

2 Likes

There are quite a few listed that are non-English, I would appreciate it if native speakers would be able to confirm cost and absence of other conditions to API access. The post is a wiki that anybody can edit.

2 Likes

Oh, I didn’t noticed that everyone can edit your post.

I will edit it soon.

Thanks.

2 Likes

Hi @_az

Where can I find the full dns support list of certbot ?

Thanks.

I’m not sure what the official reference is - I just looked at the certbot-dns-* directories in https://github.com/certbot/certbot/tree/master/ . I have not included every one of them, as they were also in other languages and I wasn’t able to confirm their nature.

Hi @_az ,
I just added some, would you please take a look?
please let me know if you have any thoughts.

I will add more later.

Thanks.

1 Like

Linode’s DNS service is no extra cost for customers, but not available for free in general like something like dns.he.net.

2 Likes

Thanks

Thanks a lot. If you do not mind, I moved all the “selfhosted” software to the bottom of the list, since they are not really DNS Providers. But if you think they are worth including then that sounds OK to me.

Also, is the “reseller-only” comment about do.de accurate? I notice that acme.sh implements do.de twice - once for reseller API, once for consumer API. Is that the right interpretation?

2 Likes

ahhhh, yes, you are correct. I just removed the comment.
Thanks

1 Like

Just another question: It will be better to add the providers not in alphabetically.
You know it’s really a pain to add 60+ providers alphabetically.
I would suggest to just append to the end.
what do you think?

I think it helps readability a lot. I’ll be happy to sort them occasionally if you want to just append to end.

That will be good.

but I don’t agree with you that it help a lot about the readability.
If I were a user to check the list, I won’t read the list(It’s also a pain to READ such a list, even alphabetically, the list will be too loooooong to read, just try it), instead, I just press Ctrl+F and search my dns provider name.

Let me know what you think.
Thanks.

The Aliyun entry indicates it is Chinese only. However, Alibaba Cloud DNS appears to be the english equivalent site. The URL for the DNS management console (for example) is https://dns.console.aliyun.com/#/dns/domainList (and ultimatley what I used to develop Posh-ACME’s plugin for it).

Not sure if that means we should remove “Chinese Only” or add something like “English supported via Alibaba Cloud”.

Is the “Domain Registrar” tag supposed to imply it’s primarily or only a domain registrar or just that it happens to provide registrar services as well?

P.S. Thanks for this! It has been sorely needed for some time.

2 Likes

The thought occurs to me that it might help to separate providers that are basically just Domain Registrars with an API versus everyone else. These tend to be less useful to potential LE users because it requires either buying the domain directly from them or at least transferring the domain to them which can be a bit of a hassle (particularly if you’re trying to help a another person move to that provider).

It might also be useful to differentiate between providers whose primary business is DNS hosting versus more generic cloud providers who happen to have a DNS hosting option. But that’s probably less important. The main distinction should probably be whether you can simply point NS records from your existing registrar to this provider or whether you have to do a domain transfer in order to get your zone hosted with them.

Dynamic DNS providers where you must use their domain name might also be a useful separation.

(Man, this is why I never started a thread like this myself…too many complications)

1 Like

Yeah! That’s what I wanted to achieve. :cold_sweat:. Any reader should be able to show up to the thread and pick out a new DNS provider for their domain without strings attached.

ISTM everything like DuckDNS, Yandex.Mail, StackPath etc should be removed, along with all the self-hosted stuff, and arguably all the registrars and web hosts too. Otherwise the list is just a compatibility matrix. But I’m afraid to pull the plug on that so early on.

Thanks, re-organized it and added English links.

I notice that every entry (with two exceptions, StackPath and cPanel) is supported by acme.sh. In the interest of simplifying the list, might it be better to note something like “unless noted otherwise, all of the following are supported by acme.sh”, and then removing it from the relevant entries?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.