Certbot / ACME DNS-01

Issue or renew TLS certificates, including wildcards, by automating the _acme-challenge TXT record that the ACME DNS-01 challenge requires. No open ports or HTTP access needed.

How it works

The DNS-01 flow touches the API three times:

1. Find the zone

   Look up which zone owns the name you are certifying.

   curl -H "Authorization: Bearer $API_KEY" \
     "https://api.yeil.app/v1/dns/zones?suffix_of=example.com"

2. Add the challenge record

   Create a TXT record with a short TTL so the CA picks it up quickly. The body is double-quoted so that $VALIDATION_TOKEN expands (inside single quotes the shell would send the literal string).

   curl -X POST \
     -H "Authorization: Bearer $API_KEY" \
     -H "Content-Type: application/json" \
     -d "{\"name\":\"_acme-challenge\",\"type\":\"TXT\",\"content\":\"$VALIDATION_TOKEN\",\"ttl\":60}" \
     "https://api.yeil.app/v1/dns/zones/$ZONE_ID/records"

3. Clean up

   Once ACME validates, delete the record. Use the id from the POST response.

   curl -X DELETE \
     -H "Authorization: Bearer $API_KEY" \
     "https://api.yeil.app/v1/dns/zones/$ZONE_ID/records/$RECORD_ID"
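The three calls above wired into a pair of certbot manual hooks in Python, an added example rather than the certbot-dns-yeil plugin's code. It assumes the zone listing returns {"zones": [{"id": ..., "name": ...}]}, that record names are relative to the zone as in the POST above, and that the key is read from a YEIL_API_KEY environment variable (CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_AUTH_OUTPUT are certbot's own hook variables). It also generalizes to names below the zone apex, where the record becomes _acme-challenge.www, and to nested zones, where the deepest matching zone is chosen.

```python
import json
import os
import sys
import urllib.request

API = "https://api.yeil.app/v1/dns"

def api(method, path, body=None):
    """One authenticated call; the key comes from YEIL_API_KEY (assumed env var, not from the page)."""
    req = urllib.request.Request(
        API + path, method=method, data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + os.environ["YEIL_API_KEY"], "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def _norm(name):
    """Lowercase, drop a trailing dot and a leading wildcard label (*.example.com validates at example.com)."""
    name = name.rstrip(".").lower()
    return name[2:] if name.startswith("*.") else name

def pick_zone(zones, fqdn):
    """Zone whose name is the longest suffix of fqdn; suffix_of may return nested zones, so take the deepest."""
    fqdn, best = _norm(fqdn), None
    for zone in zones:
        name = _norm(zone["name"])
        if fqdn == name or fqdn.endswith("." + name):
            if best is None or len(name) > len(_norm(best["name"])):
                best = zone
    return best

def challenge_name(fqdn, zone_name):
    """Record name relative to the zone (assumed): apex -> '_acme-challenge', www.<zone> -> '_acme-challenge.www'."""
    fqdn, zone_name = _norm(fqdn), _norm(zone_name)
    return "_acme-challenge" if fqdn == zone_name else "_acme-challenge." + fqdn[:-(len(zone_name) + 1)]

def challenge_record(fqdn, zone_name, token, ttl=60):
    """Body for POST /zones/{id}/records; short TTL so the CA sees the value quickly."""
    return {"name": challenge_name(fqdn, zone_name), "type": "TXT", "content": token, "ttl": ttl}

def main(action):
    fqdn, token = os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"]
    zone = pick_zone(api("GET", "/zones?suffix_of=" + _norm(fqdn))["zones"], fqdn)  # assumed response shape
    if zone is None:
        sys.exit("no zone owns " + fqdn)
    if action == "add":
        record = api("POST", f"/zones/{zone['id']}/records", challenge_record(fqdn, zone["name"], token))
        print(record["id"])  # stdout becomes CERTBOT_AUTH_OUTPUT for the cleanup hook
    else:  # "delete": remove the record the auth hook created
        api("DELETE", f"/zones/{zone['id']}/records/{os.environ['CERTBOT_AUTH_OUTPUT'].strip()}")

if __name__ == "__main__":  # --manual-auth-hook "python3 yeil_hook.py add" / --manual-cleanup-hook "... delete"
    main(sys.argv[1])
```

Certbot's --manual-auth-hook runs the "add" action once per name and hands the printed record id to the "delete" action through CERTBOT_AUTH_OUTPUT, so no state file is needed between the two hooks.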

Using the certbot plugin

The certbot-dns-yeil plugin runs these three steps automatically. Install it alongside certbot:

pip install certbot certbot-dns-yeil

Create a credentials file (mode 600):

# /etc/letsencrypt/dns-yeil.ini
dns_yeil_api_key = yk_...

Then run certbot with the dns-yeil authenticator:

certbot certonly \
  --authenticator dns-yeil \
  --dns-yeil-credentials /etc/letsencrypt/dns-yeil.ini \
  --dns-yeil-propagation-seconds 10 \
  -d example.com \
  -d "*.example.com"

The key needs record-level write on the zone (or a per-zone override). No zone-management permission is required.