Get token to manually update DNS records



I want to create my own script to update my DNS, to renew wildcard certificates, for several reasons.

I got everything working. But I’m stuck here: I want to run some command that will will return the token, so, I’ll grab this token, update my DNS and then run certbot to check the token and renew.

  1. run something to get the token for domain (*
  2. run my script that will update Bind zone file and reload the zone
  3. run certbot, since the new token is ready to be read on my DNS

I miss something or this is not possible?
Any ideias? Thanks.



You are missing something… The sequence.

Let’s encrypt can’t generate the token before you create a request.
So the correct steps:

  1. run certbot… get the token
  2. token sent to script
  3. script update the DNS bind server
  4. finish the challenge.

You’ll need to specify the renew (update) script in --manual-auth-hook and there should be a script associated with --manual-cleanup-hook

Thank you


Certbot has a plugin to update DNS records via RFC 2136 dynamic updates. (It’s not easy to install on all OSes, though.)

What do you think of using that to interact with BIND?


Hi Steven,

yes, I understand, but when I run certbot, it shows me the token, ask to update the DNS and then press enter to continue. So, it keeps running, waiting “enter” key. What I need is run certbot twice, one for generate the token (request), closing the execution, run my script, and then certbot again. So, 3 steps in a Linux bash file.

I know about plugins to authenticate on CloudFlare, DigitalOcean, etc, but I need to do this by my own, because my domain is integrated to my system.

That’s the point I’m stuck if is possible or not. Or… how can I call my own API, that certbot will run itself?


Hmmmm, dns_rfc2136 looks a very interesting way to do the same thing… I can automate using Bind.

Thanks a lot, I didn’t know about it. I’ll study.


But --manual-auth-hook completely substitutes for displaying the token interactively and asking you to press enter! Instead, it runs a script that you specified and provides it with the token via an environment variable. As soon the the script exits, Certbot assumes that the script has correctly set up the challenge and therefore doesn’t prompt you interactively at all.

The --manual-auth-hook feature is designed for exactly the kind of use case that you’re describing.


Perfect, Schoen, thank you for the tip. I think this is what I was looking for.

I’m a bit new on Let’s Encrypt. Thanks for the patience.


You should read this part of the certbot documentation about the hooks:

It explains how the token is provided to the script (as a variable et cetera).

If you have any trouble, please let us know.


Perfect, Osiris, thank you very much, I’ll study and do some tests.


Hello, my script is running fine, but I have 2 questions.

  1. I need to clean up the record? Any real risk to keep it in the zone file?

_acme-challenge 300 IN TXT “ptvjIJzfKtZlUXGEVVBPFjES2l9M…”

  1. When I ran for the first time, it asked:

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y

I’m afraid to stuck on this in a cron job:"

36 0 */80 * * /opt/letsencrypt/certbot-auto certonly --manual --preferred-challenges=dns --manual-auth-hook /inweb/inweb-wildcard -d *

Thank you.


The record has no further use after the validation has completed. You can delete it. Leaving it around doesn’t do any harm.

If you let dozens and dozens of records build up, eventually that will cause DNS resolution problems.

There are at least three different answers to that:

As you said, it was only the first time. Certbot won’t ask again.

You can pass the --manual-public-ip-logging-ok option to Certbot to answer yes and stop it from prompting you.

You can have your cron job simply run “certbot renew”. For example (derived from the Debian package):

0 */12 * * * perl -e 'sleep int(rand(43200))' && /opt/letsencrypt/certbot-auto renew

(Let’s Encrypt does not in fact log IPs publicly at this time. They might do so in the future.)


Hello @mnordhoff, perfect, thanks a lot for the information!



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.