Authenticator plugin for certbot
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Authenticator plugin for certbot (

Perform a DNS-01 challenge using TXT record in a PowerDNS (

The advantages are:

  • No need to configure your web server to serve challenges
  • Web server not even needed
  • Can generate certificate for internal hosts that are not exposed to the Internet
  • A or CNAME record not even needed. Only the TXT record added by certbot-pdns matters.


Install or upgrade certbot:

pip2 install -U certbot

Install certbot-pdns:

#Install from pip
pip2 install certbot-pdns
#Install from sources
python2 install

Check that certbot-pdns:auth is listed when executing certbot --text plugins


An example file is provided in /usr/local/etc/letsencrypt/certbot-pdns.json:

  "api-key": "change_it",
  "base-url": "",
  "axfr-time": 5,
  "http-auth": ["user", "secret_pass"],
  "verify-cert": "False"

Configuration file must be placed in /etc/letsencrypt/certbot-pdns.json or be specified with argument certbot-pdns-config.

Configuration keys:

  • api-key: Your PowerDNS API Key as specified in property api-key in file /etc/powerdns/pdns.conf
  • base-url: The base URL for PowerDNS API. Require api=yes and api-readonly=no in file /etc/powerdns/pdns.conf
  • axfr-time: The time in seconds to wait for AXFR in slaves. Can be set to 0 if there is only one authoritative server for the zone.

The following two keys are optional and added in case a (nginx) reverse proxy is used to secure access to the api:

  • http-auth (optional): A list of two strings containing the Username and Password for a http-basic-authentication
  • verify-cert (optional): defines whether the SSL-certificate provided by the reverse proxy shall be verified. Possible options are True/False or a string containing the path to a local certificate which can be used to verify the one provided by the proxy.


Use certbot as usual but specify --authenticator certbot-pdns:auth:

certbot --agree-tos --text --renew-by-default --authenticator certbot-pdns:auth certonly -d -d