TLS Certificate with Let’s Encrypt

certbot with deSEC hook

dynDNS by deSEC supports the DNS challenge protocol to make it easy for you to obtain certificates for your domain name easily from anywhere. All you need is certbot, your credentials and our certbot hook script. As always, we appreciate your feedback. Shoot us an email!

To obtain a Let’s Encrypt Certificate for your domain, follow these steps.

  1. Install Certbot. There are many ways to install certbot, depending on your distribution and preference. Please follow the official instructions at

  2. Install hook script. To authenticate your domain against Let’s Encrypt using the DNS challenge mechanism, you will need to update your domain according to instructions provided by Let’s Encrypt. Our hook script automates this process for you. To use it, download the following two files and place them into a directory of your choice. Make sure to change the owner/permissions of the file (chown/chmod), so that it is only readable by your certbot user (usually root).

  3. Get a token. You need to configure an API token so that certbot can use it to authenticate its requests towards the deSEC API. The easiest way to get such a token is to log into the web interface at, navigate to “Token Management”, and create a token there.

  4. Configuration. You need to provide your credentials to the hook script, so that it can write the Let’s Encrypt challenge to the DNS on your behalf. To do so, edit the .dedynauth file to look something like:

    DEDYN_TOKEN=[your token]  # remove brackets, token from above step
    DEDYN_NAME=[]  # remove brackets, add your domain to your account first
  5. Run certbot. To obtain your certificate, run certbot in manual mode as follows. (For a detailed explanation, please refer to the certbot manual.) Please notice that you need to insert your domain name one more time. (Also, for users not familiar with shell commands, please note that you need to remove the \ if you reformat the command to fit on one line.)

    certbot --manual --manual-auth-hook ./ --manual-cleanup-hook ./ \
        --preferred-challenges dns -d "" certonly

    Please note that the hook script may wait up to two minutes to ensure that the challenge was correctly published.

    To include subdomains in your certificate, you can specify the -d argument several times, e.g. -d "" -d "".

    Similarly, you can get wildcard certificates like so:

    certbot --manual --manual-auth-hook ./ --manual-cleanup-hook ./ \
        --preferred-challenges dns -d "" -d "*" certonly

    To make the process headless, add --agree-tos -n (this implies agreeing to their Terms of Service!). Let’s Encrypt asks for an email address to send expiration notices to, which you can provide with --email [your email]. To sign up without email, use --register-unsafely-without-email instead (discouraged).

    If you would like to help improve this hook script, please check out our open issues at We’d highly appreciate your help!

Other ACME clients

There are other ACME clients that support deSEC out of the box. We currently know of the following:

Our forum has a more updated list.