Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Authenticator plugin for certbot (

Perform a DNS-01 challenge using TXT record in a PowerDNS (

The advantages are:

  • No need to configure your web server to serve challenges
  • Web server not even needed
  • Can generate certificate for internal hosts that are not exposed to the Internet
  • A or CNAME record not even needed. Only the TXT record added by certbot-pdns matters.


Install or upgrade certbot:

pip2 install -U certbot

Install certbot-pdns:

#Install from pip
pip2 install certbot-pdns
#Install from sources
python2 install

Check that certbot-pdns:auth is listed when executing certbot --text plugins


An example file is provided in /usr/local/etc/letsencrypt/certbot-pdns.json:

  "api-key": "change_it",
  "base-url": "",
  "axfr-time": 5,
  "http-auth": ["user", "secret_pass"],
  "verify-cert": "False"

Configuration file must be placed in /etc/letsencrypt/certbot-pdns.json or be specified with argument certbot-pdns-config.

Configuration keys:

  • api-key: Your PowerDNS API Key as specified in property api-key in file /etc/powerdns/pdns.conf
  • base-url: The base URL for PowerDNS API. Require api=yes and api-readonly=no in file /etc/powerdns/pdns.conf
  • axfr-time: The time in seconds to wait for AXFR in slaves. Can be set to 0 if there is only one authoritative server for the zone.

The following two keys are optional and added in case a (nginx) reverse proxy is used to secure access to the api:

  • http-auth (optional): A list of two strings containing the Username and Password for a http-basic-authentication
  • verify-cert (optional): defines whether the SSL-certificate provided by the reverse proxy shall be verified. Possible options are True/False or a string containing the path to a local certificate which can be used to verify the one provided by the proxy.


Use certbot as usual but specify --authenticator certbot-pdns:auth:

certbot --agree-tos --text --renew-by-default --authenticator certbot-pdns:auth certonly -d -d