Options are limited when you want to generate a free Let’s Encrypt SSL certificate using WIN-ACME and you cannot or do not want to publish verification files on the server – especially if you want the certificates to be auto-renewed. Also, I must mention that the SSL certificate is for a wildcard domain.
I have domain records hosted on dns.he.net (Hurricane Electric) which is a free dynamic DNS provider and it has been very reliable for – I don’t even remember how many years. My aim is to generate a Let’s Encrypt SSL certificate and enable auto-renewal using DNS-01 verification from a script.
I should indicate that I am doing this on a Windows Server 2012 machine, not a Linux machine.
First we will create a TXT record on the HE portal, lower the time-to-live value and set the record type as dynamic.
Once that is done, we will click on the refresh icon to set up our secret key, which is used to authenticate valid update requests.
Now we will work on the server to create a very basic BAT script file.
```bat
@echo off
REM Arguments are passed by wacs.exe as: %1 = {RecordName}, %2 = {Identifier}, %3 = {Token}
REM The record name is the basic-auth user name and Abcdef12345 is the dynamic DNS key from the HE portal
curl -4 "http://%1:Abcdef12345@dyn.dns.he.net/nic/update?hostname=%2&txt=%3"
```
Also, we will download curl from https://curl.se/windows/ and extract the contents to the root of the folder where we will keep our script file. I will probably be okay with the hardcoded secret key in the script as I have only 2 domains and I will use same key on both. If you have multiple domains then you may have to improvise on this part. I will not bother as it is okay for my needs.
Now it’s time to run the wacs.exe application. When it asks for the domain validation method, I will select option 8 (at the time of writing), which is validation using your own script. When it asks for the script arguments, use these in this order:
{RecordName} {Identifier} {Token}
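As an added worked example (not code from the original post, win-acme or Hurricane Electric), here is the same validation hook written in PowerShell, covering the "multiple domains" case the BAT version leaves as an exercise. It assumes a hypothetical he-keys.json file next to the script that maps each TXT record name to its own HE dynamic DNS key, sends the key over HTTPS with an explicit basic-auth header instead of embedding it in the URL, checks HE's DynDNS-style reply word so a failed update returns a non-zero exit code to wacs.exe, and then polls ns1.he.net (one of HE's authoritative servers) until the new TXT value is actually served. The argument order is the same {RecordName} {Identifier} {Token} the post configures.

```powershell
# Added example, not part of the original post. Invoked by win-acme as:
#   powershell.exe -File he-acme-txt.ps1 {RecordName} {Identifier} {Token}
# Assumption: he-keys.json sits beside this script and looks like
#   { "_acme-challenge.example.com": "Abcdef12345" }
param(
    [Parameter(Mandatory = $true)][string]$RecordName,  # e.g. _acme-challenge.example.com
    [Parameter(Mandatory = $true)][string]$Identifier,  # domain being validated, logged only
    [Parameter(Mandatory = $true)][string]$Token        # TXT value win-acme wants published
)
$ErrorActionPreference = 'Stop'

# Per-record keys live in a separate file, not in the script, so one script
# can serve several domains and the keys can get a tighter NTFS ACL.
$keyFile = Join-Path $PSScriptRoot 'he-keys.json'
$keys = Get-Content -Raw -Path $keyFile | ConvertFrom-Json
$key = $keys.$RecordName
if (-not $key) { throw "No HE key configured for $RecordName in $keyFile" }

# HE authenticates dynamic updates with HTTP basic auth where the user name is
# the record name itself. Build the header ourselves so the request does not
# depend on a 401 challenge, and use HTTPS so the key is not sent in clear text.
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${RecordName}:${key}"))
$hostParam = [uri]::EscapeDataString($RecordName)
$txtParam  = [uri]::EscapeDataString($Token)
$uri = "https://dyn.dns.he.net/nic/update?hostname=$hostParam&txt=$txtParam"

$resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Authorization = "Basic $basic" }
$word = ([string]$resp).Trim().Split(' ')[0]
Write-Host "HE replied '$resp' for $RecordName (validating $Identifier)"

# DynDNS-style reply words: "good" = updated, "nochg" = already that value,
# "badauth" = wrong key, "nohost" = record missing or not dynamic, "abuse" = rate limited.
if ($word -notin @('good', 'nochg')) {
    # A non-zero exit code makes win-acme treat the validation step as failed
    # instead of asking Let's Encrypt to check a record that was never written.
    exit 1
}

# Poll HE's authoritative server until the new value is served, so the ACME
# server does not look before the record is live. Two minutes is an assumption.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 10
    $served = Resolve-DnsName -Name $RecordName -Type TXT -Server 'ns1.he.net' -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings }
    if ($served -contains $Token) {
        Write-Host "TXT record for $RecordName is live with the expected value"
        exit 0
    }
} while ((Get-Date) -lt $deadline)

Write-Host "Timed out waiting for $RecordName to serve the new TXT value"
exit 1
```

Because scheduled renewals run under whatever account the win-acme task uses, restrict read access on he-keys.json to that account and to administrators; the script itself then contains nothing secret.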
If you followed all the instructions as I stated, it will now successfully validate and issue certificates. It’s up to you how you want to install them, as the wacs.exe script has good options for that too.