
Using DNS Validation With AutoInstall SSL

Before a certificate authority can issue an SSL certificate, it must verify that you control the domain name. This is commonly done by uploading a file, adding a DNS record, or clicking a link in an email. AutoInstall SSL uses the file validation method as default because it is the simplest way to complete validation and issue your SSL certificate.

In certain cases, you’ll need to use DNS validation instead (for example, if your domain has multiple servers behind a load balancer or if your server is not yet accessible to the internet). AutoInstall SSL integrates with several popular DNS providers to automate the DNS validation process.

Tip: If you’re not sure who your DNS provider is, you can find out by running a Nameserver lookup on your domain at https://dnschecker.org/ns-lookup.php

For step-by-step instructions on how to use DNS validation with AutoInstall SSL, please select your DNS provider:

Each DNS provider uses a different type of credential to connect to its API, so we’ve listed the required arguments and a sample command for each provider. You can copy the example command and replace the placeholders in square brackets [] with your own values (remove the brackets).

Cloudflare

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using Cloudflare:

Argument              Value
--validationtype      dns
--validationprovider  cloudflare
--cloudflareapitoken  Your Cloudflare API token (see below)

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider cloudflare --cloudflareapitoken [APIToken]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider cloudflare --cloudflareapitoken [APIToken]

How to setup API credentials in your Cloudflare account:

  1. Go to your account profile page (https://dash.cloudflare.com/profile)
  2. Click on API Tokens
  3. Click Create Token
  4. Next to “Edit zone DNS” click Use template
  5. Under Zone Resources, select “All zones”
  6. Under Permissions, click Add more and select User + User Details + Read.
  7. Click Continue to summary
  8. Click Create Token
  9. Copy the token

Note: the above permissions are required so that AutoInstall SSL can enumerate the zones in your account and choose the correct zone for a parent or sub-domain.

GoDaddy

Please note that GoDaddy only enables API access for accounts that meet certain minimums. Use these arguments with AutoInstall SSL to complete DNS validation using GoDaddy:

Argument              Value
--validationtype      dns
--validationprovider  godaddy
--apikey              Your GoDaddy API key (see below)
--apisecret           Your GoDaddy API secret (see below)

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider godaddy --apikey [APIKey] --apisecret [APISecret]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider godaddy --apikey [APIKey] --apisecret [APISecret]

How to setup API credentials in your GoDaddy account:

You can generate/manage your API keys at https://developer.godaddy.com/keys

DNS Made Easy

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using DNS Made Easy:

Argument              Value
--validationtype      dns
--validationprovider  dnsmadeeasy
--apikey              Your DNS Made Easy API key (see below)
--apisecret           Your DNS Made Easy API secret key (see below)

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider dnsmadeeasy --apikey [APIKey] --apisecret [APISecret]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider dnsmadeeasy --apikey [APIKey] --apisecret [APISecret]

How to setup API credentials in your DNS Made Easy account:

  • Log into https://cp.dnsmadeeasy.com and go to Config > Account Information.
  • You must be the primary user on the account to be able to see API keys.
  • If you’ve already generated API credentials, they’ll be displayed. If the credentials are not displayed, check the box to “Generate New API Credentials” and click Save.

Microsoft Azure DNS

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using Microsoft Azure DNS:

Argument                  Value
--validationtype          dns
--validationprovider      azure
--azuretenantid           Your Tenant ID in Microsoft Entra ID
--azureclientid           The Application (client) ID for your AutoInstall SSL application in Microsoft Entra ID
--azuresecret             The Secret for your AutoInstall SSL application in Microsoft Entra ID
--azuresubscriptionid     The Azure Subscription ID associated with your domain’s DNS zone
--azureresourcegroupname  The Resource group name associated with your domain’s DNS zone
--azurehostedzone         The name of the Azure DNS hosted zone that contains your domain

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider azure --azuretenantid [TenantId] --azureclientid [ClientID] --azuresecret [Secret] --azuresubscriptionid [SubscriptionID] --azureresourcegroupname [ResourceGroupName] --azurehostedzone [HostedZone]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider azure --azuretenantid [TenantId] --azureclientid [ClientID] --azuresecret [Secret] --azuresubscriptionid [SubscriptionID] --azureresourcegroupname [ResourceGroupName] --azurehostedzone [HostedZone]

How to setup API credentials in your Azure portal:

  • In Microsoft Entra ID, click on App Registration and create a new application named “AutoInstall SSL”. Redirect URI can be blank.
  • Give the new application DNS Zone Contributor level access to the subscription your domain’s DNS zone is in.

AWS Route 53

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using AWS Route 53:

Argument                 Value
--validationtype         dns
--validationprovider     route53
--route53accesskeyid     Your AWS Access key ID (see below)
--route53secretaccesskey Your AWS Secret access key (see below)

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider route53 --route53accesskeyid [AccessKeyID] --route53secretaccesskey [SecretAccessKey]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider route53 --route53accesskeyid [AccessKeyID] --route53secretaccesskey [SecretAccessKey]

How to setup API credentials in your AWS console:

  • Go to the AWS management console
  • Click on your profile name at the top right, then click on Security credentials
  • Under Access Keys, select Create New Access Key
  • Click Show Access Key and save/download your credentials

Updating DNS Credentials

If your DNS provider credentials change, you can update the credentials used by AutoInstall SSL:

  1. Run the main AutoInstall SSL command:
    • Linux: sudo runautoinstallssl.sh
    • Windows: AutoInstallSSL.exe
  2. Select menu option 4, Settings & Credentials
  3. Select Manage DNS provider credentials

Digital Ocean

Use these arguments with AutoInstall SSL to complete DNS validation using Digital Ocean:

Argument              Value
--validationtype      dns
--validationprovider  digitalocean
--digitaloceantoken   Your DigitalOcean API token

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider digitalocean --digitaloceantoken [APIToken]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider digitalocean --digitaloceantoken [APIToken]

How to set up API credentials in DigitalOcean

  1. Log in to your DigitalOcean account.
  2. From the left-hand navigation, click API.
  3. Under Personal Access Tokens, click Generate New Token.
  4. Enter a name for the token (for example: AutoInstallSSL).
  5. Select Custom Scopes
  6. Select all the options from within the “Domain” resource type (create, read, update and delete).
  7. Click Generate Token.
  8. Copy the token and store it securely, you will not be able to view it again.

Google Cloud DNS

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using Google Cloud DNS:

Argument              Value
--validationtype      dns
--validationprovider  gcpdns
--serviceaccountkey   The local path of the JSON key on your server
--projectid           Google Cloud Project ID

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider gcpdns --serviceaccountkey [Path of SERVICEACCOUNTKEY in Double quote] --projectid [PROJECTID]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider gcpdns --serviceaccountkey [Path of SERVICEACCOUNTKEY in Double quote] --projectid [PROJECTID]

How to set up API credentials in Google Cloud DNS

  1. Log in to Google Cloud Console.
  2. Select the project that hosts your Cloud DNS zone.
  3. Go to “IAM & Admin” → “Service Accounts”.
  4. Click “Create service account”.
  5. Enter a name for the service account and click “Create and continue”.
  6. Under Permissions, assign the role “DNS Administrator”, then click “Continue” → “Done”.
  7. Locate the newly created service account, click the three-dot menu, and select “Manage”.
  8. Click “Add key” → “Create new key”, then choose “JSON” (A JSON file will be downloaded to your computer).
  9. Upload the JSON file to your server and note its local file path; this path is the value for --serviceaccountkey. The Project ID is shown in the Google Cloud project selector.

Understanding Service Accounts:

Name.com

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using Name.com:

Argument              Value
--validationtype      dns
--validationprovider  namecom
--apikey              Your Name.com username
--apisecret           Your Name.com API token

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider namecom --username [USERNAME] --apitoken [APITOKEN]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider namecom --username [USERNAME] --apitoken [APITOKEN]

How to set up API credentials in Name.com

  1. Copy the Username and Token into the command above
  2. Log in to Name.com
  3. Go to Account Settings
  4. Open API Tokens
  5. Create a Production API Token

Namecheap

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using Namecheap:

Argument              Value
--validationtype      dns
--validationprovider  namecheap
--apiuser             Your Namecheap API username
--username            Namecheap username
--apikey              API key
--clientip            Client IP

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider namecheap  --apiuser [APIUSER] --username [USERNAME] --apikey [APIKEY] --clientip [CLIENTIP]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider namecheap --apiuser [APIUSER] --username [USERNAME] --apikey [APIKEY] --clientip [CLIENTIP]

How to set up API credentials in Namecheap

  1. Log in to Namecheap
  2. Go to Profile → Tools
  3. Open Namecheap API Access
  4. Scroll down to Namecheap API and click on “Manage”
  5. Enabling API access will allocate you an API Key.
  6. Copy your API key
  7. Within namecheap.com, whitelist the public IPv4 address that will be using the API key.
  8. Your Namecheap account username will also act as the API username.

OVH

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using OVH:

Argument              Value
--validationtype      dns
--validationprovider  ovh
--applicationkey      OVH Application Key
--applicationsecret   OVH Application Secret
--consumerkey         OVH Consumer Key
--origin              The OVH API region your account belongs to, for example: ovh-eu

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider ovh --applicationkey [APPLICATIONKEY] --applicationsecret [APPLICATIONSECRET] --consumerkey [CONSUMERKEY] --origin [ORIGIN]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider ovh  --applicationkey [APPLICATIONKEY] --applicationsecret [APPLICATIONSECRET] --consumerkey [CONSUMERKEY] --origin [ORIGIN]

How to set up API credentials in OVH

  1. Log in to OVHcloud Manager.
  2. Go to Identity, Security & Operations > API Keys.
  3. Click on “Create an API Key”
  4. Enter the name of the API Key
  5. Set validity to “Unlimited”
  6. Enter the following set of rights for that API key:
    • GET = /domain/zone/*
    • GET = /domain/zone/*/record
    • POST = /domain/zone/*/record
    • POST = /domain/zone/*/refresh
  7. Create the API Key.
  8. Copy and securely store all three values (They will not be shown again):
    • Application Key
    • Application Secret
    • Consumer Key

RFC2136

Use these arguments with the AutoInstall SSL installcertificate command to complete DNS validation using RFC2136 dynamic updates:

--serverhost
  What it is: Authoritative DNS server that accepts dynamic updates
  Where it comes from: DNS provider documentation, DNS administrator, or DNS server configuration

--serverport
  What it is: Port the DNS server listens on for updates (usually 53)
  Where it comes from: DNS server configuration (optional if default)

--tsigkeyname
  What it is: Name of the TSIG key used to authenticate updates
  Where it comes from: Provided when the TSIG key was created

--tsigkeysecret
  What it is: Shared secret for the TSIG key
  Where it comes from: Provided when the TSIG key was created

--tsigkeyalgorithm
  What it is: Algorithm used by the TSIG key (for example HMAC-SHA256)
  Where it comes from: DNS server configuration or key details

Example commands:

Windows:

AutoInstallSSL.exe installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider rfc2136  --serverhost [SERVERHOST] --serverport [SERVERPORT] --tsigkeyname [TSIGKEYNAME] --tsigkeysecret [TSIGKEYSECRET] --tsigkeyalgorithm [TSIGKEYALGORITHM]

Linux:

sudo runautoinstallssl.sh installcertificate --token [AutoInstall SSL Token] --validationtype dns --validationprovider rfc2136  --serverhost [SERVERHOST] --serverport [SERVERPORT] --tsigkeyname [TSIGKEYNAME] --tsigkeysecret [TSIGKEYSECRET] --tsigkeyalgorithm [TSIGKEYALGORITHM]

To use RFC2136 for DNS-based certificate validation, you must provide details for an existing DNS server that supports RFC2136 dynamic updates.

AutoInstallSSL uses this information to securely create and remove DNS TXT records during certificate validation and reissues.

What each value is used for

  • Server host / port: identifies where AutoInstallSSL sends DNS update requests.
  • TSIG key name, secret, and algorithm: authenticate the request so that only authorized systems can modify DNS records.

Example values (for reference only)

Argument            Example
--serverhost        dns1.example.com
--serverport        53
--tsigkeyname       rfc2136-key
--tsigkeysecret     AbCdEfGhIjKlMnOpQrStUvWxYz1234567890=
--tsigkeyalgorithm  hmac-sha256

These examples are illustrative only. Your actual values will differ.

How to set up RFC2136 credentials (Example using BIND)

1. Prerequisites

  • Authoritative DNS server (for example, BIND) configured for the domain
  • Existing DNS zone
  • DNS server reachable from the AutoInstallSSL host
  • TCP and UDP port 53 open between the AutoInstallSSL host and the DNS server (port 53 is the default unless your DNS server is configured otherwise)

2. TSIG Key Generation

2.1 Command

tsig-keygen -a hmac-sha256 rfc2136-key > /etc/named/rfc2136-key.key

Explanation

  • hmac-sha256 → Recommended secure TSIG algorithm (other algorithms such as hmac-sha512, hmac-sha1, or hmac-md5 may be supported by some systems, but hmac-sha256 is recommended)
  • rfc2136-key → TSIG key name
  • /etc/named/rfc2136-key.key → Saves the key directly to a file

Where the TSIG key can be placed

Common & recommended locations

RHEL / CentOS / Rocky / Alma Linux

/etc/named/rfc2136-key.key
/etc/named/keys/rfc2136-key.key
/var/named/keys/rfc2136-key.key

Ubuntu / Debian

/etc/bind/rfc2136-key.key
/etc/bind/keys/rfc2136-key.key

2.2 Ensure file permissions

RHEL / CentOS / Rocky / Alma Linux

chown root:named /etc/named/rfc2136-key.key
chmod 640 /etc/named/rfc2136-key.key

Ubuntu / Debian

chown root:bind /etc/bind/rfc2136-key.key
chmod 640 /etc/bind/rfc2136-key.key

2.3 Sample TSIG Key

key "rfc2136-key" {
    algorithm hmac-sha256;
    secret "AbCdEfGhIjKlMnOpQrStUvWxYz1234567890=";
};
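The three TSIG values the installcertificate command needs are all sitting in the key file that tsig-keygen wrote, so it is worth reading them from there rather than retyping them. The script below is an added example, not part of this article or of AutoInstall SSL: it extracts the key name, algorithm and secret from a key file in the layout shown above, checks that the secret is well-formed base64 (a copy/paste slip usually breaks that), that the algorithm is one of the recommended ones, and that the file is not world-readable, then prints the matching argument string. The key file path, the sample key content and the secret value are constructed for the demo; the secret is a throwaway, not a real key.

```shell
#!/bin/sh
# Added example (not from the AutoInstall SSL article or product): read the
# --tsigkeyname / --tsigkeysecret / --tsigkeyalgorithm values out of a
# tsig-keygen key file and sanity-check them before handing them to the tool.
# KEYFILE and the key written by write_sample_key are constructed for the demo.

KEYFILE="${KEYFILE:-${TMPDIR:-/tmp}/rfc2136-key.key}"

# Write a constructed key file in the exact layout tsig-keygen prints.
write_sample_key() {
    cat > "$KEYFILE" <<'EOF'
key "rfc2136-key" {
    algorithm hmac-sha256;
    secret "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=";
};
EOF
    chmod 640 "$KEYFILE"
}

# One extractor per field; [[:space:]]* copes with tab or space indentation.
tsig_key_name()      { sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1"; }
tsig_key_algorithm() { sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\);.*/\1/p' "$1"; }
tsig_key_secret()    { sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1"; }

# TSIG secrets are base64: base64 alphabet only, at most two '=' of padding,
# and a total length that is a multiple of 4.
secret_is_base64() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# The article recommends hmac-sha256; hmac-sha512 is equally strong. Older
# algorithms (hmac-sha1, hmac-md5) may still work but are not recommended.
tsig_algorithm_recommended() {
    case "$1" in
        hmac-sha256|hmac-sha512) return 0 ;;
        *) return 1 ;;
    esac
}

# The secret authorizes zone changes, so the file must not be world-readable
# (chmod 640 as in the article). ls -l is used because stat's flags differ
# between GNU and BSD userlands; the last three mode characters are "other".
keyfile_not_world_readable() {
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        ???????---) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check and report; returns non-zero if any check fails.
check_keyfile() {
    f="$1"; rc=0
    secret_is_base64 "$(tsig_key_secret "$f")" || { echo "secret is not valid base64"; rc=1; }
    tsig_algorithm_recommended "$(tsig_key_algorithm "$f")" || { echo "algorithm not recommended; use hmac-sha256"; rc=1; }
    keyfile_not_world_readable "$f" || { echo "key file is world-readable; chmod 640 it"; rc=1; }
    return $rc
}

# Assemble the DNS-validation arguments for installcertificate. The server
# host (argument 2) is not in the key file, so the caller supplies it.
autoinstall_rfc2136_args() {
    args="--validationtype dns --validationprovider rfc2136 --serverhost $2 --serverport 53"
    args="$args --tsigkeyname $(tsig_key_name "$1") --tsigkeysecret $(tsig_key_secret "$1")"
    args="$args --tsigkeyalgorithm $(tsig_key_algorithm "$1")"
    printf '%s\n' "$args"
}

# Stand-alone demo: create the sample key, check it, print the argument string.
write_sample_key
if check_keyfile "$KEYFILE"; then
    echo "key file OK"
    autoinstall_rfc2136_args "$KEYFILE" dns1.example.com
fi
```

Point KEYFILE at the real key file (for example /etc/named/rfc2136-key.key) and skip the write_sample_key call to check a production key; the printed argument string is what goes after --token in the installcertificate command.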

3. Configure BIND (named)

3.1 Include TSIG Key in BIND Configuration

The TSIG key file must be explicitly included in the BIND configuration so that RFC2136 updates can be authenticated.

RHEL / CentOS / Rocky / Alma Linux

Edit the main BIND configuration file:

vi /etc/named.conf

Add the following line near the top of the file (before zone definitions):

include "/etc/named/rfc2136-key.key";

Ubuntu / Debian

Edit the main BIND configuration file:

vi /etc/bind/named.conf

Add the following line before zone definitions:

include "/etc/bind/rfc2136-key.key";

3.2 Allow Dynamic Updates for the Zone

zone "example.com" IN {
    type master;
    file "example.com.zone";

    // Enable RFC2136 dynamic DNS updates
    // using the TSIG key generated earlier
    allow-update { key "rfc2136-key"; };
};

4. Restart DNS Service

RHEL / CentOS / Rocky / Alma Linux

systemctl restart named
systemctl status named

Ubuntu / Debian

systemctl restart bind9
systemctl status bind9
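Once named is back up, the quickest way to know whether AutoInstall SSL's updates will be accepted is to perform the same add-TXT / query / delete-TXT cycle yourself with BIND's own nsupdate and dig, signed with the key from the key file. The script below is an added example, not part of this article or of AutoInstall SSL. Server, port, zone, key file path, record name and TXT value are constructed placeholders; in particular the record name is just a scratch name for the probe, not the name the tool itself creates (which this article does not document). The live probe only runs when LIVE=1 is set, so the script is safe to source or run without a DNS server at hand.

```shell
#!/bin/sh
# Added example (not from the AutoInstall SSL article or product): prove that
# the DNS server accepts a TSIG-signed RFC2136 update for the zone, that the
# record is then visible, and that it can be removed again. All values below
# are constructed placeholders; override them through the environment.

SERVER="${SERVER:-dns1.example.com}"
PORT="${PORT:-53}"
ZONE="${ZONE:-example.com}"
KEYFILE="${KEYFILE:-/etc/named/rfc2136-key.key}"
RECORD="${RECORD:-_autoinstallssl-probe.$ZONE}"   # scratch name, not the tool's
VALUE="${VALUE:-rfc2136-probe-$(date +%s)}"

# Build an nsupdate batch. ACTION is "add" or "delete". The 60 s TTL keeps
# the scratch record short-lived in resolver caches if cleanup never runs.
nsupdate_batch() {
    action="$1"; server="$2"; port="$3"; zone="$4"; name="$5"; value="$6"
    printf 'server %s %s\n' "$server" "$port"
    printf 'zone %s\n' "$zone"
    if [ "$action" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$value"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# dig +short TXT prints each string in double quotes; strip them and compare.
txt_answer_matches() {
    expected="$1"; answer="$2"
    [ "$(printf '%s' "$answer" | tr -d '"')" = "$expected" ]
}

# Feed a batch (on stdin) to nsupdate, signing with the TSIG key file. This
# reads the same key "name" { ... }; file format that named includes.
send_update() {
    nsupdate -k "$KEYFILE"
}

# Full add / verify / delete cycle against the configured server.
probe() {
    rc=0
    command -v nsupdate >/dev/null && command -v dig >/dev/null || {
        echo "nsupdate/dig not installed (bind-utils or dnsutils); skipping live probe"
        return 0
    }
    nsupdate_batch add "$SERVER" "$PORT" "$ZONE" "$RECORD" "$VALUE" | send_update || {
        echo "UPDATE refused: check allow-update, the TSIG key, and that port $PORT is reachable"
        return 1
    }
    answer=$(dig @"$SERVER" -p "$PORT" +short TXT "$RECORD")
    if txt_answer_matches "$VALUE" "$answer"; then
        echo "TXT record visible on $SERVER: validation updates will work"
    else
        echo "record added but not returned by $SERVER (got: $answer)"
        rc=1
    fi
    # Always remove the scratch record, whatever the query result was.
    nsupdate_batch delete "$SERVER" "$PORT" "$ZONE" "$RECORD" "$VALUE" | send_update
    return $rc
}

# Stand-alone use: LIVE=1 SERVER=... ZONE=... KEYFILE=... sh probe.sh
if [ "${LIVE:-0}" = 1 ]; then
    probe
else
    echo "dry run; batch that would be sent:"
    nsupdate_batch add "$SERVER" "$PORT" "$ZONE" "$RECORD" "$VALUE"
fi
```

If the add step is refused, named's log (journalctl -u named or -u bind9) shows whether the TSIG signature failed or the zone's allow-update clause rejected the key; if the add succeeds but dig returns nothing, the answer usually came from a different server than the one that took the update.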