ACME DNS-01 basic Autorenewing Script for txt records on dns.he.net

Options are limited when you want to generate a free Let’s Encrypt SSL certificate using WIN-ACME and you cannot or do not want to publish verification files on the server, especially if you want the certificates to be auto-renewed. I should also mention that the certificate is for a wildcard domain, which Let’s Encrypt only issues after DNS-01 validation.

I have my domain records hosted on dns.he.net (Hurricane Electric), which is a free dynamic DNS provider and has been very reliable for more years than I can remember. My aim is to generate a Let’s Encrypt SSL certificate and enable auto-renewal using DNS-01 verification from a script.

I should point out that I am doing this on a Windows Server 2012 machine, not a Linux machine.

First we will create a TXT record in the HE portal, lower its time-to-live (TTL) value so a stale challenge value is not cached for long at renewal time, and set the record type to dynamic.

Adding TXT Record on HE.NET for acme-challenge.

Once that is done, we will click on the refresh icon to set up our secret key, which is used to authenticate update requests for this record.

Press the refresh/renew icon.
Type your desired key and click on Submit.

Now we will move to the server and create a very basic BAT script file.

@echo off
REM %1 = {RecordName} (used as the HE username), %2 = {Identifier}, %3 = {Token}; replace Abcdef12345 with the key you set on the HE record
curl -4 "http://%1:Abcdef12345@dyn.dns.he.net/nic/update?hostname=%2&txt=%3"

We will also download curl from https://curl.se/windows/ and extract its contents into the folder where we keep our script file, so that the script can find curl.exe. I will probably be okay with the hardcoded secret key in the script, as I have only 2 domains and I will use the same key on both. If you have multiple domains you may have to improvise on this part; I will not bother, as it is fine for my needs.

Now it’s time to run the wacs.exe application. When it asks for the domain validation method, I select option 8 (at the time of writing), which is verification using your own script. When it asks for the arguments, use these in this order:

{RecordName} {Identifier} {Token}
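As an added example that is not part of the original post, here is a PowerShell replacement for the BAT file that keeps a per-record key out of the script (covering the multi-domain case above), sends the update over HTTPS, checks HE's reply, and waits until the TXT record is actually visible on HE's nameserver before returning. The key-file name, its format and the script name are this example's own assumptions; the endpoint and the hostname/password/txt form fields follow HE's dynamic DNS documentation.

```powershell
# he-acme-txt.ps1 (hypothetical name). Run from wacs.exe as:
#   powershell -ExecutionPolicy Bypass -File he-acme-txt.ps1 {RecordName} {Identifier} {Token}
param(
    [Parameter(Mandatory)][string]$RecordName,   # e.g. _acme-challenge.example.com
    [Parameter(Mandatory)][string]$Identifier,   # the validated name; unused by HE, kept so the wacs argument order matches
    [Parameter(Mandatory)][string]$Token         # challenge value to publish in the TXT record
)

# Keys live outside the script in he-keys.txt (assumed format: one "record=key" per line).
# Restrict that file's ACL to Administrators/SYSTEM; the script only needs to read it.
$keyFile = Join-Path $PSScriptRoot 'he-keys.txt'
$keys = @{}
foreach ($line in Get-Content $keyFile) {
    if ($line -match '^\s*([^#=\s]+)\s*=\s*(\S+)\s*$') { $keys[$matches[1].ToLower()] = $matches[2] }
}
$key = $keys[$RecordName.ToLower()]
if (-not $key) { Write-Error "No HE key configured for $RecordName"; exit 1 }

# Server 2012's .NET defaults to old TLS versions; force TLS 1.2 so the HTTPS request succeeds.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# POST the update over HTTPS so the key does not cross the wire in cleartext.
$body = @{ hostname = $RecordName; password = $key; txt = $Token }
try {
    $resp = Invoke-RestMethod -Uri 'https://dyn.dns.he.net/nic/update' -Method Post -Body $body
} catch { Write-Error "HE update request failed: $_"; exit 1 }

# HE replies with a status word first ("good", "nochg", "badauth", "abuse", ...).
$status = ("$resp" -split '\s+')[0]
if ($status -notin @('good', 'nochg')) { Write-Error "HE rejected the update: $resp"; exit 1 }

# Ask HE's authoritative server directly (no resolver cache) until the token is published,
# so wacs.exe does not hand the challenge to Let's Encrypt before the record exists.
$deadline = (Get-Date).AddMinutes(5)
do {
    $found = Resolve-DnsName -Name $RecordName -Type TXT -Server 'ns1.he.net' -ErrorAction SilentlyContinue |
             Where-Object { $_.Strings -contains $Token }
    if ($found) { Write-Output "TXT for $RecordName now carries the challenge token"; exit 0 }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)
Write-Error "Timed out waiting for $RecordName to publish the challenge token"
exit 1
```

A non-zero exit code together with the Write-Error message is what you will see in the wacs.exe log when the key is wrong or the record never appears.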

If you followed all the instructions as I stated, it will now successfully validate and issue the certificates. It is up to you how you want to install them, as wacs.exe has good options for that too.