Quick question about DNS challenges

Good morning -

I know that to use the DNS challenge, I have to set up a TXT record. Does that TXT record need to be modified with a new challenge when my certificate comes up for renewal?

I’m asking because I want to create a tool to automate the setup of the DNS records using the DNS Made Easy API.


1 Like

Short answer: Yes.

Longer answer: Authorizations are valid for a certain amount of time. Currently 60 days, last i heard, but likely to fall in the future. If you reissue your certificate within that window (using the same account, and not forcing a new authorization), you won’t have to jump through the validation hoops again.

At a glance, the clients acme.sh and getssl (using lexicon) both support the DNS Made Easy API.

It ought to be easy to adapt or write a manual hook for Certbot, but i don’t know if one exists yet.


Yes, it needs a new “token” in the TXT record every time (although Let’s Encrypt does currently remember authentication for 60 days, so you may not need to verify the domain again for the first renewal)

1 Like

Ok. Thanks. And this is now the second time someone has suggested I use getssl (the first time was a response in a different thread). So I am definitely going to check it out. :slight_smile:

Also if you’re interested in an example of a Certbot plugin that implements the DNS challenge with automated updates for Route53: https://github.com/certbot/certbot/pull/4174. You can probably copy some of that work to make a Certbot plugin for the DNS Made Easy API if you’re interested.

1 Like

@jsha jsha

how many DNS providers are currently supported by certbot

One of the other Python Implementations i believe has a few as well

Was wondering if there was a way to shorten the cycle and get the “common ones” in

Currently, none. The Route53 plugin would be the first. However, once there’s an example of how to do it, it’s easier to add others.

i have been tracking this project https://github.com/AnalogJ/lexicon

quite a cool idea

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.