Skip to content
This is a fork of acme-tiny to provide Let's Encrypt issue and renew certificates using the DNS challenges. The github repository is a mirror of Gitlab main repo:
Branch: master
Clone or download
Pull request Compare This branch is 244 commits ahead, 61 commits behind diafygi:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
tests config_factory: let python close the openssl.cnf when finished to use it Oct 28, 2018
Makefile add a Makefile to run locally integration tests Oct 27, 2018 adt: accept to process orders already ready Oct 27, 2018


build status coverage status

This is a tiny, auditable script that you can throw on any secure machine to issue and renew Let's Encrypt certificates with DNS validation.

Since it has to have access to your private ACME account key and the rights to update the DNS records of your DNS server, this code has been designed to be as tiny as possible (currently less than 300 lines).

The only prerequisites are Python 3, OpenSSL and the dnspython module.

For the dnspython module, be aware that it won't work with release 1.14.0, because this one have a bug with dynamic DNS updates. You should either use an older version from dnspython3 module (python3 specific code) or any release of dnspython module (pyhton2 and python3 merged code) since 1.15.0.


Note: this script is a fork of the acme-tiny project which uses ACME HTTP verification to create signed certificates.


If this script is useful to you, please donate to the EFF. I don't work there, but they do fantastic work.

How to use this script

See our the HowTo Use wiki page for main informations.

You may be interested by the HowTo Setup with BIND9 page too which show a step by step example to set up the script with a BIND9 DNS server.

Note that, this script can be run on any secure machine which have access to Internet and your public DNS server.


The biggest problem you'll likely come across while setting up and running this script is permissions.

You want to limit access for this script to:

  • Your account private key
  • Your Certificate Signing Request (CSR) file (without your domain key)
  • Your configuration file (which contain DNS update secret)

I'd recommend to create a user specifically to run this script and the above files. This user should NOT have access to your domain key!


  • Backup your account private key (e.g. account.key)
  • Don't allow this script to be able to read your domain private key!
  • Don't allow this script to be run as root!
  • Understand and configure correctly your cron job to do all your needs ! (write it with your preferred language to manage your server)


This project has a very, very limited scope and codebase. The project is happy to receive bug reports and pull requests, but please don't add any new features. This script must stay under ~250 lines of code to ensure it can be easily audited by anyone who wants to run it.

If you want to add features for your own setup to make things easier for you, please do! It's open source, so feel free to fork it and modify as necessary.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.