Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


With the removal of TLS-SNI validation, this plugin is obsolete. If you just need basic renewal hook support, you can use the built-in hook options present in recent versions of certbot. If you need more features, consider EnigmaBridge/certbot-external-auth in handler mode, which is inspired by this plug-in but also supports HTTP-01 and DNS-01 validation.

External shell script plugin for Let's Encrypt client

This plugin allows you to use a custom shell script to implement DVSNI validation for your domains. It should work with any conceivable server that supports TLS and SNI, and can also be used to perform DVSNI validation using a server (e.g. a web server) that is unrelated to the server that will be using the certificate (e.g. a mail server), as long as both share the same external IP address.

The example supports DVSNI validation using nginx, in a setup where /etc/nginx/sites.d contains configuration files for each site. No existing configuration files are edited; instead, a new site config for the DVSNI challenge is created and then removed.

To install, first install let's encrypt (either on the root or in a virtualenv), then:

# python install
# cp /etc/letsencrypt/

To use, try something like this:

# certbot --agree-tos --agree-dev-preview \
    -a certbot-external:external \
    -d certonly

This plugin only supports authentication, not installation, since it is assumed that the administrator will install the certificate manually. It can be used with the renewer too, but you'll have to wrap it with a script that checks whether any certificates were renewed and restarts the appropriate server(s) if needed.

Loosely based on the Let's Encrypt nginx plugin.


Certbot plugin that uses an external shell script for domain validation




No releases published


No packages published