acme.sh-dns

Issue certificate using Cloudflare DNS

$ export CF_Token="[token]" && acme.sh --issue -d [example.com] --dns dns_cf

$ export AWS_ACCESS_KEY_ID="[key]" && export AWS_SECRET_ACCESS_KEY="[secret]" && acme.sh --issue -d [example.com] --dns dns_aws

$ export DO_API_KEY="[token]" && acme.sh --issue -d [example.com] --dns dns_dgon

$ acme.sh --issue -d [example.com] -d [*.example.com] --dns dns_cf

acme.sh --issue -d domain --dns dnsprovider [options_]

acme.sh DNS mode enables automated certificate issuance using DNS-01 validation. This method proves domain ownership by creating a specific TXT record in the domain's DNS zone. It's required for wildcard certificates and useful when HTTP validation isn't possible.
The tool supports over 100 DNS providers through API integration. Credentials are typically provided via environment variables, and acme.sh handles creating and removing the validation records automatically.

--dns provider

DNS provider plugin name (dnscf, dnsaws, dnsgd, dnsali, etc.)

Seconds to wait for DNS propagation (default: automatic)

Use alias domain for DNS validation (CNAME delegation)

Domain name (repeat for wildcards: -d example.com -d *.example.com)

dns_cf

Cloudflare (CFToken or CFKey + CF_Email)

AWS Route53 (AWSACCESSKEYID + AWSSECRETACCESSKEY)

GoDaddy (GDKey + GDSecret)

DigitalOcean (DOAPIKEY)

Aliyun/Alibaba Cloud (AliKey + AliSecret)

Google Cloud DNS (CLOUDSDKACTIVECONFIG_NAME)

Linode (LINODEV4API_KEY)

OVH (OVHAK + OVHAS + OVH_CK)

API credentials are stored in account.conf for automatic renewal. DNS propagation can take time; increase --dnssleep if validation fails. Some providers have rate limits on API calls. API token permissions should be limited to DNS management only.

DNS validation support was added to acme.sh in 2016 following the ACME protocol specification. The number of supported DNS providers has grown substantially, with community contributions adding new providers regularly.

acme.sh(1), certbot(1), dig(1), nslookup(1)