SSL certificates via DNS: automating Let’s Encrypt issuance
2025-10-06
Introduction
Let’s Encrypt is the standard way to obtain free TLS certificates. Certificates are most often issued via the HTTP-01 challenge, which requires a web server reachable from the internet on port 80. For internal services or wildcard certificates (for example, *.example.com), however, it is more convenient to use DNS-01, which proves control of the domain through a TXT record in DNS and does not require any inbound port to be reachable.
This article covers:
- Issuing certificates via the Cloudflare API,
- Issuing certificates via Amazon Route 53 (AWS),
- Integration with the Nginx, HAProxy and Traefik web servers,
- Automation of certificate renewal.
Note: These instructions apply to Certbot 2.x, acme.sh 3.x, Nginx 1.18+, HAProxy 2.4+ and Traefik 2.x on Linux (Ubuntu/Debian). Other operating systems or tool versions may require adjustments.
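The DNS-01 proof described in the introduction has a fixed shape defined by RFC 8555 (section 8.4) and RFC 7638: the value the CA expects in the TXT record is derived from the challenge token and the ACME account key. The following is an added example, not code from the article or from Certbot/acme.sh, that reproduces that derivation so an operator can check a published record before asking the CA to validate; the token and JWK are constructed placeholders.

```python
"""DNS-01 (RFC 8555 s. 8.4): derive and check the TXT record the CA will look up.
Value = base64url(SHA-256(token + "." + RFC 7638 thumbprint of the account JWK)),
published at _acme-challenge.<domain>. Checking it locally before the CA validates
avoids wasting rate-limited validation attempts on a mistyped record."""
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # token alphabet, RFC 8555 s. 8.3
# Required JWK members per key type for the thumbprint (RFC 7638 s. 3.2)
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint; a token outside the base64url alphabet is rejected."""
    if not TOKEN_RE.match(token):
        raise ValueError("token must be base64url characters only")
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The 43-character digest that must appear as the TXT record data."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())

def challenge_record_name(identifier: str) -> str:
    """Wildcards are validated at the base name: *.example.com -> _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"

def record_is_published(published_txt: list, token: str, account_jwk: dict) -> bool:
    """True if any TXT value at the challenge name matches; several may coexist."""
    return dns01_txt_value(token, account_jwk) in published_txt

# Constructed sample inputs, not real ACME data.
SAMPLE_TOKEN = "constructed_token_Q2hhbGxlbmdl"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed_x", "y": "constructed_y"}

if __name__ == "__main__":
    print(challenge_record_name("*.example.com"), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

In practice the `published_txt` list would be filled from a `dig TXT _acme-challenge.example.com` lookup against an authoritative or public resolver; several TXT values at the same name are normal when example.com and *.example.com are validated in one order.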