The “acme.sh --dns” command is part of the acme.sh client, a shell script that automates obtaining TLS (Transport Layer Security) certificates from Let’s Encrypt or other ACME (Automatic Certificate Management Environment) servers. The “--dns” option tells the client to use the DNS-01 challenge to issue a TLS certificate.
Here’s a breakdown of the key concepts related to the “acme.sh --dns” command:
- TLS Certificates: TLS certificates are used to secure communication between clients and servers over the internet. They enable encryption, data integrity, and authentication. The acme.sh script simplifies the process of obtaining and managing TLS certificates.
- DNS-01 Challenge: The DNS-01 challenge is one of the methods supported by the ACME protocol for validating domain ownership when requesting a TLS certificate. In this challenge, the ACME client (acme.sh) proves control over a domain by adding specific DNS records to the domain’s DNS configuration.
- DNS API Integration: When using the “--dns” option with acme.sh, the client integrates with DNS service providers’ APIs to automate the process of adding and removing DNS records required for the DNS-01 challenge. This allows for automated and programmatic management of DNS records during the certificate issuance process.
- Automated Certificate Issuance: The acme.sh script, with the “--dns” option, automates the entire process of obtaining TLS certificates using the DNS-01 challenge. It handles the generation of the necessary DNS records, performs the challenge validation with the ACME server, and retrieves the issued certificate once the validation is successful.
- Certificate Management: In addition to certificate issuance, acme.sh also provides functionality for certificate management. It can automatically renew certificates before they expire, install certificates in web servers or other applications, and perform various other certificate-related operations.
By using the “acme.sh --dns” command, users can leverage the DNS-01 challenge to issue TLS certificates in an automated and convenient manner. This method eliminates the need for manual intervention in modifying DNS records during the certificate issuance process, providing an efficient way to obtain and manage TLS certificates for domain owners.
acme.sh --dns Command Examples
1. Issue a certificate using an automatic DNS API mode:
# acme.sh --issue --dns dns_gd --domain example.com
2. Issue a wildcard certificate (denoted by an asterisk) using an automatic DNS API mode:
# acme.sh --issue --dns dns_namesilo --domain example.com --domain '*.example.com'
3. Issue a certificate using a DNS alias mode:
# acme.sh --issue --dns dns_cf --domain example.com --challenge-alias alias-for-example-validation.com
4. Issue a certificate with a custom wait time in seconds after the DNS record is added, which disables the automatic Cloudflare / Google DNS polling:
# acme.sh --issue --dns dns_namecheap --domain example.com --dnssleep 300
5. Issue a certificate using a manual DNS mode:
# acme.sh --issue --dns --domain example.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
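The record names and TXT value behind the commands above, as an added example that is not code from acme.sh or from this page: it derives where the DNS-01 record goes for plain, wildcard and --challenge-alias issuance, and computes the TXT value as RFC 8555 defines it. The function names are hypothetical, the token and thumbprint are supplied by the caller, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Function names are hypothetical; the
# domains used at the bottom are constructed sample values.

# Record name an ACME server queries for one identifier (RFC 8555, 8.4).
# A wildcard is validated at its base name, so "*.example.com" and
# "example.com" share one name and need two TXT values there.
challenge_name() {
    case $1 in
        '*.'*) set -- "${1#??}" ;;
    esac
    printf '_acme-challenge.%s\n' "$1"
}

# Name the client actually writes to. With --challenge-alias the original
# name is a CNAME to _acme-challenge.<alias>, so the DNS API credential only
# needs write access to the alias zone.
txt_target() {    # usage: txt_target DOMAIN [ALIAS]
    if [ -n "${2:-}" ]; then challenge_name "$2"; else challenge_name "$1"; fi
}

# Unpadded base64url of SHA-256 over stdin (assumes the openssl CLI).
b64url_sha256() {
    openssl dgst -sha256 -binary | openssl base64 | tr '+/' '-_' | tr -d '=\n'
}

# TXT value for one challenge: digest of "<token>.<account key thumbprint>".
txt_value() {     # usage: txt_value TOKEN THUMBPRINT
    printf '%s.%s' "$1" "$2" | b64url_sha256
}

# Records to expect for one issuance. usage: plan ALIAS_OR_EMPTY DOMAIN...
plan() {
    alias_zone=$1; shift
    for d in "$@"; do
        [ -z "$alias_zone" ] ||
            printf 'CNAME %s %s\n' "$(challenge_name "$d")" "$(challenge_name "$alias_zone")"
    done | sort -u
    for d in "$@"; do txt_target "$d" "$alias_zone"; done | sort | uniq -c |
        while read -r n name; do printf 'TXT %s (%s value(s))\n' "$name" "$n"; done
}

plan "" example.com '*.example.com'
plan alias-for-example-validation.com example.com
```

Comparing this output with the zones a DNS API token is allowed to change shows whether the credential is scoped more widely than issuance needs.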