acme-dns-tiny is a python 3 script able to ask a Certificate Autority (CA)
to provide automatically a X.509 certificate.
To be able to automate the certificate creation, acme-dns-tiny uses
RFC 8555 standard. Indeed, to prove to the CA you
are the owner of the domains included in the certificate request,
acme-dns-tiny uses the DNS challenges defined by this
To resolve these challenges, acme-dns-tiny dynamically updates some
DNS resources on your DNS
That's why, to be able to use acme-dns-tiny, you'll have to choose a CA
which provides a service following the
ACME RFC 8555,
like the Let's Encrypt non-profit
The main goal of acme-dns-tiny is not to rewrite the official
certbot ACME client but
to give administrators a simple script easy to integrate in their
environment without requiring root privileges and without access to the
domain private key.
To run acme-dns-tiny, you'll need a computer with Python 3, the
the requests module
and the OpenSSL command line available.
Then you have to give access to the non-root user running the script to:
- the ACME account private key used to authenticate with the CA
the Certificate Signing Request (CSR) which will be
used to create the certificate.
Note: the CSR is enough, the user does not
need any access to the linked private domain key.
- a config file containing path of these files and the DNS
secret to manage DNS resources
Finally, that computer must be able to access a DNS server
allowing dynamic resource updates through TSIG key authentication.
2022-08-15: v3.0 has been
- Breaking and behavior changes
- Automatically resolve zone name and authoritative name servers
- A new configuration file is required due to this new functionality:
- DNS section is fully optional
- DNS section only contains `Timeout` and `NameServer` options
- Now acme-dns-tiny uses by default the system name server to query DNS resources
(you can specify other with the new `NameServer` option).
With the help of SOA and NS DNS resource records, acme-dns-tiny
is able to
automatically find the DNS authoritative server where to install ACME
message for more details.
Requests sent to ACME server and DNS server have a default timeout to 10 seconds
- Before, acme-dns-tiny could hand forever waiting for a HTTP or DNS response
- dnspython >= 1.16 is required due to this new functionality
use Python context manager to run `openssl` commands
add tests to keep coherent code style (linters for YAML and python files)
run `check` stage with Debian Bullseye
git default branch is now `main` instead of `master`
2021-10-01: v2.4 has been
fix to retrieve correctly ACME account information
fix usage of DNS Host configuration when it is defined with an IP address
improvement of code stability by following hints given by pyright
Gitlab CI is using ACME server pebble
instead of Let's Encrypt staging environment.
Gitlab CI validates Debian Bullseye and not any more Debian Jessie
Documentation has been moved from the wiki to the git repository
Please see our Gitlab page to find the latest
acme-dns-tiny is a fork of the acme-tiny
project, but it has slightly diverged to:
- remove http-01 challenge support
- add dns-01 challenge support by automating the DNS resources update
- support only on python 3
- use a configuration INI file instead of arguments
- use the requests module to send HTTP requests to the ACME server
Code and documentation
Code and documentation are available on
This project is under the MIT license as the original acme-tiny.
A mirror of the code is also available on Github.
You'll find the acme-dns-tiny news on the
To read news from this pubsub link, you can use one instance of the Movim
services as the
adorsaz.ch Movim pod.
If you want to follow RSS/Atom feed, you can use Movim page too.