Skip to main content

DNS providers

Per-provider authentication and required permissions for the 14 DNS providers CertAutoPilot speaks for DNS-01 challenge automation.

Overview

For DNS-01, the worker creates a temporary TXT record at _acme-challenge.<name>, waits for the CA to validate it, then deletes the record. CertAutoPilot scopes the credential to the smallest permission that allows that — typically zone-level DNS edit, never account-wide write.

Cloudflare

Create an API Token with Zone → DNS → Edit scoped to the relevant zone. Paste the token. Account ID and zone ID are auto-discovered.

Permissions: Zone → DNS → Edit
Zone Resources: Include → Specific Zone → example.com

AWS Route 53

Two auth modes — IAM access keys or instance-profile (EC2/EKS). For keys, attach this minimum policy to the user:

{"Effect":"Allow",
"Action":["route53:ChangeResourceRecordSets","route53:GetChange","route53:ListResourceRecordSets"],
"Resource":["arn:aws:route53:::hostedzone/Z123ABC..."]}

Use instance-profile when the worker runs on EC2 or EKS — paste no keys; CertAutoPilot uses IMDSv2.

Google Cloud DNS

Create a service account with role DNS Administrator on the target zone. Download the JSON key and paste it into the credential. Workload Identity is supported on GKE.

Azure DNS

Service principal with role DNS Zone Contributor on the resource group. Required fields: tenant ID, subscription ID, client ID, client secret. Federated workload identity works on AKS.

DigitalOcean

Personal Access Token with read + write scope. There is no zone-level scoping; this is the only DO option.

GoDaddy

API key + secret pair. Production keys come from the Production tab; do not use the OTE/sandbox keys.

AWS Lightsail

IAM user with lightsail:*Domain*. Lightsail DNS is a different API from Route 53 even though they're both AWS.

UltraDNS

Username + password against the v3 REST API. Use a dedicated automation account with restricted IP allow-listing.

Akamai EdgeDNS

EdgeGrid credentials (host, client_token, client_secret, access_token). Generate from the Akamai Control Center → Identity & Access → API Clients. Required permission: DNS-Zone-Record-Management — READ-WRITE.

Hetzner

API token from the Hetzner DNS Console. There is one global scope; scope by zone via separate tokens if you need least-privilege.

OVH

Application key + application secret + consumer key. Generate via OVH's Create Token tool with paths GET/POST/DELETE /domain/zone/*.

Namecheap

Username + API key, plus the public IP of every worker (Namecheap requires IP allow-listing on the API). For Kubernetes, this means a static egress IP via a NAT gateway.

RFC 2136 (Dynamic DNS)

For a self-hosted authoritative server (BIND, PowerDNS, Knot, or a Windows DNS zone), CertAutoPilot writes the challenge with an RFC 2136 dynamic update instead of a cloud API. Enable dynamic updates on the zone and choose an auth mode: TSIG (shared key — BIND/PowerDNS/etc.), GSS-TSIG (Kerberos — Windows "secure dynamic update"), or Nonsecure (firewalled). Full walkthrough — including how to turn dynamic updates on and what TSIG is — in RFC 2136 (Dynamic DNS).

For a Windows AD-integrated "Secure only" zone where Kerberos setup on the CertAutoPilot host isn't desired, see Windows DNS (WinRM) — it writes the record over WinRM/PowerShell with no TSIG/Kerberos.

Testing the credential

Every credential form has a Test connectivity button — it lists zones and verifies write access by creating and deleting a TXT probe record. Always click it before saving.

See also