Just a quick warning:
Depending on your DNS provider, it can be incredibly dangerous to automate certbot/LetsEncrypt renewal via DNS-01 challenges, as the auth token must be available in plaintext and most providers offer too much control via their APIs. A compromised machine could result in all host records being changed, or (with some providers) a change in domain registrant details or even an outright domain transfer.
Ways to mitigate this are:
- do not store the auth token, and trigger the renewal manually
- run the renewal on a machine that is not on the public internet, and sftp/scp the certificates onto your server
- run an instance of acme-dns, delegate your _acme-challenge to it, and automate the process with that.
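What the acme-dns route looks like in practice, as an added example that is not part of the comment above and not acme-dns's own client code. It assumes an acme-dns server at a hypothetical `https://auth.example.net`, and a JSON file mapping each domain to the credentials that server's `POST /register` returned (`username`, `password`, `fulldomain`, `subdomain`). The one-time change at the real DNS provider is a CNAME; the credentials left on the renewing host can only write that one delegated TXT record, which is the whole point compared with a provider token that can rewrite the zone or the registrant.

```python
"""
Certbot --manual-auth-hook for an acme-dns instance (example code, not the
commenter's). Assumed: ACMEDNS_URL points at your acme-dns server and
ACMEDNS_CREDS at a JSON file {"example.com": {"username": ..., "password": ...,
"fulldomain": ..., "subdomain": ...}, ...} saved from acme-dns's /register.
"""
import json
import os
import urllib.request

ACMEDNS_URL = os.environ.get("ACMEDNS_URL", "https://auth.example.net")  # assumed hostname
CREDS_PATH = os.environ.get("ACMEDNS_CREDS", "/etc/letsencrypt/acme-dns.json")  # assumed path


def cname_record(domain: str, fulldomain: str) -> str:
    """Zone-file line to add, once and by hand, at the real DNS provider.
    After this, the provider's API token is never needed for renewals."""
    return f"_acme-challenge.{domain}. IN CNAME {fulldomain}."


def build_update_request(creds: dict, validation: str):
    """Build the acme-dns /update call for one challenge.

    The X-Api-User/X-Api-Key pair is scoped by acme-dns to creds['subdomain'];
    it cannot create, change or delete anything else, so leaking it costs you
    one TXT record rather than the zone.
    """
    # certbot's CERTBOT_VALIDATION for dns-01 is base64url(SHA-256), 43 chars;
    # acme-dns rejects anything else, so fail loudly here instead of at the server.
    if len(validation) != 43:
        raise ValueError("acme-dns requires the TXT value to be exactly 43 characters")
    url = ACMEDNS_URL.rstrip("/") + "/update"
    headers = {
        "X-Api-User": creds["username"],
        "X-Api-Key": creds["password"],
        "Content-Type": "application/json",
    }
    body = {"subdomain": creds["subdomain"], "txt": validation}
    return url, headers, body


def publish_challenge(domain: str, validation: str, creds_by_domain: dict) -> dict:
    """Send the TXT value to acme-dns and return its JSON reply (network call)."""
    url, headers, body = build_update_request(creds_by_domain[domain], validation)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # certbot hands the pending challenge to the hook through these variables
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    with open(CREDS_PATH) as f:
        creds_by_domain = json.load(f)
    print(publish_challenge(domain, validation, creds_by_domain))
```

Used as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/this-hook.py -d example.com`, with `cname_record()` telling you the single record to create at the provider beforehand. Nothing in `build_update_request()` touches the network, so it can be unit-tested with the constructed credentials below.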