by Spivak 2314 days ago
I mean it's a pain but why is this LE's problem? The company hosting your domain doesn't support programmatically updating records so the least-effort path ends up paying someone that does like the $0.20/month to host the records with an easier-to-use API.

Unless you're using a very obscure DNS hosting service you shouldn't need to write any code. There are already-made plug-ins for just about everyone.

Can you name such a "someone"? I've been searching, but the space seems very spammy.
I'm gonna focus on certbot since it's the main player in this space but there are other ACME clients that might have better support for other providers.

* Route53. The plug-in is straightforward with the relevant IAM policy to allow a service account to change your records being already written for you. You end up just copying the tokens, and the ARN of the zone into the config file and you're off.

* Google CloudDNS. Google's IAM system is a little more complicated if all you want is a DNS hosted zone but once you have a service account with the right permission and the JSON blob in place, the plug-in is actually easier to use since it has the ability to programmatically find your zone based on the name instead of copying the ARN.

* DNSimple and DigitalOcean. No IAM policy to fiddle with. Just grant an API token from your account, plug it into the config file, and you're done.

* RFC2136. Not super useful unless you're doing on-prem stuff but really nice if you are. The config format for this one is super finicky and you'll be reading docs to generate the keys, but once you have it, it's pretty smooth.

For another example, Terraform's acme_certificate resource lists 60 DNS services it works with for the DNS challenge.
> Can you name such a "someone"?

How about anyone on the list that's supported by the lexicon utility:

> Lexicon provides a way to manipulate DNS records on multiple DNS providers in a standardized way. Lexicon has a CLI but it can also be used as a python library.

* https://github.com/AnalogJ/lexicon

Doing a quick count, they support 60 APIs.

Amazon Route 53 is one example; there are probably other vendors.
Azure DNS can be scripted from *nix using Azure CLI and from Windows using PowerShell. You can use the certbot verification hooks to run the requisite scripts.
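As an added illustration of the hook approach the last comment describes (this is example code, not anything posted by a commenter or shipped by certbot or Azure): a `--manual-auth-hook` script that publishes the DNS-01 challenge TXT record through the Azure CLI. Certbot really does pass `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to manual hooks; the `AZ_RG` and `DNS_ZONE` variables, and the 30-second propagation wait, are assumptions you would set for your own zone. The two helper functions do the parts that are easy to get wrong in a hook: turning the full domain into the record-set name relative to the zone (which the Azure CLI expects), and refusing a validation value that does not look like the base64url digest certbot produces, so nothing unexpected is ever passed on a command line.

```shell
#!/bin/sh
# Added example: a certbot --manual-auth-hook that publishes the DNS-01
# challenge TXT record with the Azure CLI. Not code from any commenter.
# Assumptions: the operator exports AZ_RG (resource group) and DNS_ZONE;
# certbot supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION at run time.
set -eu

# Map the domain certbot hands us to the record-set name relative to the
# zone, which is what "az network dns record-set" expects.
# Returns non-zero when the domain is not inside the zone.
acme_relative_name() {
  domain=$1
  zone=$2
  case "$domain" in
    "$zone")     printf '_acme-challenge\n' ;;
    *."$zone")   printf '_acme-challenge.%s\n' "${domain%".$zone"}" ;;
    *)           return 1 ;;
  esac
}

# The DNS-01 validation value is a base64url SHA-256 digest: exactly 43
# characters from [A-Za-z0-9_-]. Reject anything else before it reaches a
# command line, so a malformed value can never be read as an option or a
# shell metacharacter.
valid_validation_token() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# Only act when certbot is actually driving the script; sourcing the file
# elsewhere (for instance to test the helpers) does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  name=$(acme_relative_name "$CERTBOT_DOMAIN" "$DNS_ZONE") || {
    echo "domain $CERTBOT_DOMAIN is not in zone $DNS_ZONE" >&2
    exit 1
  }
  valid_validation_token "${CERTBOT_VALIDATION:-}" || {
    echo "unexpected CERTBOT_VALIDATION format" >&2
    exit 1
  }
  az network dns record-set txt add-record \
    --resource-group "$AZ_RG" --zone-name "$DNS_ZONE" \
    --record-set-name "$name" --value "$CERTBOT_VALIDATION" >/dev/null
  # Give the authoritative servers a moment before certbot asks the CA to
  # look; tune this, or replace it with a dig-based poll, for your zone.
  sleep 30
fi
```

Invoke it with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/this.sh -d example.com`, and pair it with a `--manual-cleanup-hook` that runs the matching `az network dns record-set txt remove-record` so stale challenge records do not accumulate in the zone. The service principal the CLI is logged in as should be scoped to that one DNS zone, mirroring the per-zone IAM policy the Route53 comment above describes.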