Install Python 3 (3.5+) and Virtual Environment support via venv.

Debian/Ubuntu:

• apt install python3 python3-venv

Windows is not supported for productive use, but can work under certain conditions:

• Normal Python installation via installer.

• MSYS/MinGW/Cygwin for bash, e.g. git for Windows (git bash).

• Pathes of config file and domain accounts file have to be defined with forward slash / instead of backslash \. Best is to use a relative path, see directory example-test-win.

Windows Subsystem for Linux (WSL) is recommended for development and testing.

Download acme-dns-client-2 and extract it to a temporary directory. Or directly git clone it to a temporary directory.
Make install.sh executable. Run it to install acme-dns-client-2 to ${PREFIX}/usr/local/bin. ${PREFIX} is useful for package maintainers of Linux distros.
It will also create an initial configuration file and/or initial domain accounts file in ${PREFIX}/etc/acme-dns-client, if any of them is missing.

Copy dns_acmednsclient2.sh to /path/to/acme.sh/dnsapi/.

Always execute acme-dns-client-2.sh. It is a wrapper shell script to create and activate the required Python Virtual Environment.
When executed without any argument it will display the main help with the possible commands.

The configuration file defaults to /etc/acme-dns-client/config.json. An alternative config file can be defined via --config. If the file is missing, then the program aborts to avoid running with a wrong configuration.

Maintain config file manually to define other values.

See the current configuration in JSON syntax via acme-dns-client-2.sh config. If a configuration entry or the config file is empty, then the defaults are shown.

The following can be configured in JSON syntax:

• default_server (string) - defines a default server to use for add/register command.
  Useful if mainly a single acme-dns server is used. Still other acme-dns servers can be used via --server.

  • default_server_path_register (string) - custom URL path to register a new domain account, defaults to register.

  • default_server_path_update (string) - custom URL path to update TXT/token for a challenge, defaults to update.

  • default_server_path_change (string) - custom URL path to change a domain account (acme-dns server must support this), defaults to change.

  • default_server_path_clean (string) - custom URL path to clean a TXT/token record (acme-dns server must support this), defaults to clean.

  • default_server_path_deregister (string) - custom URL path to deregister a domain account (acme-dns server must support this), defaults to deregister.

• nameservers (list of strings) - defines name server IPs for DNS lookups, defaults to Cloudflare and Quad9.

• accountspath (string) - defines path to domain accounts file. Professional use only.

The domain accounts file defaults to /etc/acme-dns-client/domain_accounts.json. An alternative domain accounts file can be defined via --accounts or via config file. If the file is missing, then the program aborts to avoid running with a wrong setup.

It holds all details of the registered domains in JSON syntax.
DO NOT maintain it manually.

• Use command acme-dns-client-2.sh list to list all registered domains.

• Use command acme-dns-client-2.sh show --domain <domain> to show details of a domain.

Register/Add each domain separately.

If a domain was already registered earlier and the related data is available, then use add. The password must be known as it cannot be determined from anything else. The fulldomain can be determined from the DNS CNAME record of the related challenge domain. The subdomain is part of the fulldomain. The username can be determined from the acme-dns database record for the subdomain.
Otherwise register anew. Warning! This will lead to a new DNS setup, that may break other setups.

A single registration is needed for normal and wildcard certificate entries of a domain, e.g. registration of test.example.com is also valid for *.test.example.com.

Note: --server can be omitted if default_server is defined in configuration and shall be used for the domain registration.

Use command acme-dns-client-2.sh check --domain <domain> to check the setup for a domain.
It checks the DNS CNAME record for the domain and if TXT records are delivered for it.

If the setup shall be monitored during the setup procedure, then use shell command watch -n 10 -- acme-dns-client-2.sh …​.

Tested certbot version: 2.11.0

After registration of the domains on the acme-dns server and checking their setup, request a certificate with certbot on the command line as following:

or via a certbot configuration file: certbot …​ --config <file> …​

Afterwards no special parameters are needed:

Certbot Documentation → "User Guide"

Tested acme.sh version: 3.0.7

After registration of the domains on the acme-dns server and checking their setup, request a certificate with acme.sh as following:

Do NOT define any domain alias.

Afterwards no special parameters are needed:

acme.sh Documentation Wiki

If performance is highly important for whatever reason, then check out the SPEEDUP marks in the scripts. Normally performance should not matter for retrieving and renewing certificates.

If there are any issues or ideas, then just create an issue on the project page.

acme-dns-client-2.py can be run directly, but the required modules must be available either from the system or an active Python Virtual Environment. Directly running it allows to debug the Python script within an IDE, e.g. VS Code in WSL.

Forcing execution of the manual-auth-hook script can be achieved by doing a --dry-run since certbot 0.40.

Forcing execution of the DNS API script can be achieved by clearing the "valid" status of a domain at Let’s Encrypt via the --deactivate command. Wildcard domains have their own status, so these have to be deactivated separately.

Enabling debug output can be done via --debug 1. Levels 2 and 3 are even more verbose. Use --debug 2 for bug reports.
Warning! Using --output-insecure is only recommended for private tests. Do not post any output/log where this option was enabled.