DNS-01 can be fully automated.
If you use a commercial DNS service (or your registrar), you can use their APIs and either a provider-specific Certbot plugin OR the certbot lexicon plugin. [see https://id-rsa.pub/post/certbot-auto-dns-validation-with-lexicon/ which is outdated but still informative]
If you use acme-dns (HIGHLY RECOMMENDED) then you can use the acme-dns-certbot plugin https://github.com/joohoi/acme-dns-certbot-joohoi
With acme-dns, you only need to manually set up the domain/DNS during the INITIAL certificate provisioning – as that requires delegating the DNS records to the acme-dns server and account. Once that is set up, renewals are all automated.
The machine answering DNS needs to be publicly accessible (the acme-dns machine). The machine which will use the certificates does not need to be publicly accessible.
I handle internal developer certificates for our team like this, on my laptop:
- A “preflight” script is invoked, which ssh’s into a public internet server, starts the acme-dns instance, and opens up firewall traffic to it (port 53 DNS and port 8*** for the REST API)
- Certbot is invoked to renew, using the acme-dns plugin
- A “cleanup” script is invoked, which shuts off the acme-dns server and clears the firewall rules
The certs are then on my laptop, and I enroll them into source control for distribution [the private keys are encrypted in the source tree].
While this is currently 3 scripts which are manually invoked, it only requires copy/pasting from a text file… and could be done in 1 fully automated script.
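A preflight check that fits at the start of the flow above, added here as an example and not code from the original post or from the acme-dns or certbot projects: before the firewall is opened and certbot runs, it confirms that every domain's `_acme-challenge` CNAME still points at the acme-dns name it was registered with, since a delegation that was removed or changed after the initial setup is the usual reason an otherwise automated renewal fails. It assumes the credential file written by acme-dns-certbot (a JSON object keyed by domain, each entry carrying a `fulldomain`) and that `dig` is on PATH for the default resolver; the resolver is injectable so the logic can be exercised without network access.

```python
"""Preflight: verify acme-dns delegation before an automated DNS-01 renewal.

Added example (not from the original post). Assumptions: the credential file
has the layout written by acme-dns-certbot, and `dig` is available.
"""
import json
import subprocess
import sys
from typing import Callable, Dict, List


def dig_cname(name: str) -> List[str]:
    """Default resolver: CNAME targets for `name` via `dig +short`."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def _norm(name: str) -> str:
    # DNS names are case-insensitive and dig prints them with a trailing dot.
    return name.rstrip(".").lower()


def check_delegation(creds: Dict[str, dict],
                     resolve: Callable[[str], List[str]] = dig_cname) -> Dict[str, str]:
    """Return {domain: problem} for each domain whose delegation is broken.

    Empty result: every _acme-challenge.<domain> CNAME resolves to the
    acme-dns "fulldomain" recorded for it, so the renewal can proceed.
    """
    problems: Dict[str, str] = {}
    for domain, entry in creds.items():
        challenge = f"_acme-challenge.{_norm(domain)}"
        expected = _norm(entry.get("fulldomain", ""))
        if not expected:
            problems[domain] = "credential entry has no fulldomain"
            continue
        targets = [_norm(t) for t in resolve(challenge)]
        if not targets:
            problems[domain] = f"no CNAME at {challenge}"
        elif expected not in targets:
            problems[domain] = f"{challenge} -> {targets[0]}, expected {expected}"
    return problems


if __name__ == "__main__":
    # Path is the plugin's default; override with the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/acmedns.json"
    with open(path, encoding="utf-8") as fh:
        bad = check_delegation(json.load(fh))
    for dom, why in bad.items():
        print(f"{dom}: {why}", file=sys.stderr)
    sys.exit(1 if bad else 0)   # non-zero stops the preflight before the firewall opens
```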