Windows with custom acme-dns

My domain is: custom

I ran this command: certbot certonly --manual --preferred-challenges dns -d xxx.ethz.ch

It produced this output: Please deploy a DNS TXT record under the name

My web server is (include version): none

The operating system is (include version): Windows Server 2022, no web server, RDP connection should be covered by the SSL cert.

My hosting provider, if applicable, is: internal

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Is it possible with certbot on Windows to run certbot certonly --manual --preferred-challenges dns with an internal acme-dns challenge, and how do I specify that internal acme-dns challenge URL?

So I know the details of the acme-dns like username, password and subdomain.
If certbot is not the right way, how is it done through win-acme?

Regards
Chris

I have a hard time understanding your setup.

It looks like you're trying to combine Certbot and acme-dns, correct? But what is "an internal acme-dns challenge"?

Usually one would simply use GitHub - joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns or GitHub - acme-dns/acme-dns-client: A client software for https://github.com/joohoi/acme-dns (but the latter doesn't have prebuilt binaries for Windows).

2 Likes

Or Certify The Web (link here), which also has a Certify DNS service for acme-dns. Also a friendly GUI and a nice support forum.

4 Likes

You can't specify the actual challenge URL.
It is always uniquely generated for each challenge.
The most you can do is redirect it to:

  • another server
  • another path
  • another path on another server

But the actual file being requested will be unique and can't be changed.

2 Likes

Yes, I'll try to use certbot and acme-dns.
It's like we provide our internal network and they implemented the acme-dns challenge over an internal server.

The DNS-01 challenge method along with acme-dns fully integrated. So that's why I would love to use that internal DNS method.

Certify The Web: nice, looks good, I'll give them a try.
So there I could select DNS challenges from a list like Azure, OVH and so on.
So that's what we have internally, but I don't know how to use that with certbot or another way to generate Let's Encrypt SSL certs; for Linux we have a tutorial and use acme.sh.

You use Certify instead of Certbot just like you use acme.sh instead of Certbot on Linux.

3 Likes

But as I wrote above, we have our internal DNS challenge server, which I could not select from the list.

Are you referring to acme-dns or are you also running your own ACME CA server? I'm thinking the former, but I'd like to know for sure.

What options do you have?

2 Likes

We refer to Let's Encrypt as the CA server.
A lot, but I don't know which one I should choose.
Maybe I can use (Use Custom Script).
So for Authorization Settings > DNS Update Method: (Use Custom Script).
Or maybe I ask our internal people to get on that list.

There shouldn't be "a lot". If I look at the Certify source code it defaults to a single value, but you should be able to enter your own.

I have no idea where you're looking, so an answer such as "a lot" doesn't really help. Maybe you could make a screenshot of where you're looking if you can't use words?

I think you will need to talk with your internal people about how to best use that method from your Windows system, like you do with acme.sh for Linux.

3 Likes

Hi, I'm the developer of Certify The Web.

When you have your own acme-dns server you just provide the URL to the server. That's the same for certbot or Certify The Web.

In Certify The Web, select acme-dns as your DNS provider and just enter the URL. If that's not working for some reason please do let me know. If you have somehow pre-registered a domain with an acme-dns instance you can also provide the existing credentials in JSON format.

Certify DNS is a managed acme-dns style service, so you don't need that if you are hosting your own acme-dns instance.

1 Like

The Certify The Web docs for using acme-dns are here: acme-dns | Certify The Web Docs. Let me know if we need to improve them.

The general idea is:

  • On the authorization tab, select dns-01 and acme-dns.
  • You provide the API URL of your acme-dns service and click Request Certificate; an initial registration will happen with the acme-dns service.
  • The request will pause and ask you to create the required CNAME in DNS pointing to your acme-dns.
  • You then click Request Certificate again to resume your certificate order. Subsequent renewals are automatic.

(I should add, )

For reference here is the main part of the UI that deals with DNS authorization settings, as it would appear when acme-dns is selected:

For the actual deployment of your final certificate, see Deployment Tasks | Certify The Web Docs, but you probably either want one of the Deploy to RDP... options, or you can use your own PowerShell script: Scripting | Certify The Web Docs.

For certificate validation to work your "internal" acme-dns service needs to be available on the public internet over TCP/UDP port 53, otherwise Let's Encrypt can't follow the CNAME to check it.

If your server is on the public internet you can just use the (very easy) http-01 validation option and open port 80; you don't need to have a web server installed, as the app will answer the http challenge for you.

1 Like
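To make the register / CNAME / update flow described in the post above concrete for the certbot setup from the first post (and for the acme-dns certbot hook suggested earlier in the thread), here is an added example that is not code from this thread, from certbot or from the acme-dns project: a --manual-auth-hook that talks to a self-hosted acme-dns instance. It assumes the joohoi/acme-dns HTTP API (POST /register, POST /update with X-Api-User / X-Api-Key) and uses a placeholder for the internal acme-dns URL.

```python
# Added example (not from this thread or the acme-dns project): a certbot
# --manual-auth-hook that publishes the dns-01 token via a self-hosted
# acme-dns instance. Assumes the joohoi/acme-dns HTTP API (POST /register,
# POST /update with X-Api-User / X-Api-Key); ACME_DNS_URL is a placeholder.
import json
import os
import sys
import urllib.request

ACME_DNS_URL = "https://acme-dns.internal.example"  # placeholder: your internal instance
CRED_FILE = os.path.expanduser("~/.acme-dns-creds.json")

def cname_record(domain, creds):
    """One-time CNAME you must create before Let's Encrypt can follow the challenge."""
    return f"_acme-challenge.{domain}. CNAME {creds['fulldomain']}."

def build_update_request(creds, validation):
    """(url, headers, body) for POST /update; kept pure so it can be checked offline."""
    headers = {"X-Api-User": creds["username"], "X-Api-Key": creds["password"],
               "Content-Type": "application/json"}
    body = json.dumps({"subdomain": creds["subdomain"], "txt": validation}).encode()
    return f"{ACME_DNS_URL}/update", headers, body

def post_json(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def main():
    domain = os.environ["CERTBOT_DOMAIN"]            # both set by certbot for the hook
    validation = os.environ["CERTBOT_VALIDATION"]    # 43-char dns-01 token
    if not os.path.exists(CRED_FILE):
        # First run: register with acme-dns, save the credentials, then stop so the
        # operator can create the CNAME (the pause step described in the thread).
        creds = post_json(f"{ACME_DNS_URL}/register",
                          {"Content-Type": "application/json"}, b"{}")
        with open(CRED_FILE, "w") as f:
            json.dump(creds, f)
        print("Create this DNS record, then re-run certbot:\n  " +
              cname_record(domain, creds), file=sys.stderr)
        sys.exit(1)
    with open(CRED_FILE) as f:
        creds = json.load(f)
    post_json(*build_update_request(creds, validation))  # acme-dns now serves the TXT

if __name__ == "__main__":
    main()
```

Run it as certbot certonly --manual --preferred-challenges dns --manual-auth-hook <path to this script> -d xxx.ethz.ch; the acme-dns instance still has to be resolvable from the public internet on port 53, as noted above.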

Of course, you are right. Have a look at the picture that [webprofusion] posted.
On that list, what should I choose? But maybe it's now clear.

Hi webprofusion

Thanks for the shared information.
I would say that our implementation of the acme-dns challenge over dns-01 is similar to what OVH does.
GitHub - mcdado/win-acme-dns-ovh: Scripts for Win-Acme to allow DNS validation on OVH. Also officially documented by OVH: Welcome to certbot-dns-ovh's documentation! — certbot-dns-ovh 0 documentation

So there you have to create an API token from your account and then you reference the API key, secret and customer key. We have that in a similar way: we could create unique entries for every subdomain like acme-username, password and subdomain; then that information will be handed over to your internal acme-dns servers, as we have a lot of firewalls and so we don't want to add a TXT record to each subdomain and open port 80 for every requested Let's Encrypt SSL cert. We could do that, but why, if we have an easier way to use?

Any chance to have a private talk with you (webprofusion)? I also sent an email to support@certifytheweb.com.

1 Like

Thanks, I think there is some confusion because there is a very specific type of service called "acme-dns" GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. and this might not be what you are actually using.

The OVH example you pointed to says "acme-dns" in the name, but it's nothing to do with the acme-dns standard, which is a type of DNS server built only to answer acme DNS challenges.

In that case you are correct to use the (Use Custom Script) option to call your own add/delete scripts. DNS Scripting | Certify The Web Docs

I'll respond to your support ticket. No, we don't offer phone consultancy, it's email only.

1 Like

@sweatcher So to clarify @webprofusion's suspicion: you're not using joohoi's acme-dns application?

Personally I'm very confused right now. Can you please clarify what you're actually using?

No, I'm not using these; we have our internal solution, so that we don't have to add TXT entries for every subdomain request and open port 80.

I'll maybe update this thread as soon as I have found the solution.

What does that "internal solution" entail precisely, if it's not acme-dns?

1 Like