DNS Providers

Important

lego is an independent, free, and open-source project, if you value it, consider supporting it! ❤️

Configuration and Credentials

Credentials and DNS configuration for DNS providers must be passed through environment variables.

Environment Variables

The environment variables can reference a value.

CLOUDFLARE_EMAIL='you@example.com' \
CLOUDFLARE_API_KEY='yourprivatecloudflareapikey' \
...

_FILE suffix

The environment variables can reference a path to a file.

In this case the name of environment variable must be suffixed by _FILE.

CLOUDFLARE_EMAIL_FILE=/the/path/to/my/email \
CLOUDFLARE_API_KEY_FILE=/the/path/to/my/key \
lego run --dns cloudflare --domains www.example.com
yourprivatecloudflareapikey
you@example.com
Note

The file must contain only the value.

Dotenv File

You can also use a dotenv file.

When using lego run, you can pass the path to the dotenv file with the --env-file flag.

lego run --dns cloudflare --domains 'example.org' --domains '*.example.org' --env-file .env.cf
CLOUDFLARE_EMAIL=you@example.com
CLOUDFLARE_API_KEY=yourprivatecloudflareapikey

When using lego, the environment variables are loaded from the file defined by envFile in the configuration file for the DNS provider.

challenges:
  cf:
    dns:
      provider: cloudflare
      envFile: .env.cf

certificates:
  foo:
    domains:
      - example.com
      - '*.example.com'
CLOUDFLARE_EMAIL=you@example.com
CLOUDFLARE_API_KEY=yourprivatecloudflareapikey

DNS Providers

Provider name CLI flag name Required lego version
1cloud.ru Website onecloudru v4.34.0
35.com/三五互联 Website com35 v4.31.0
51DNS Website dns51 v5.0.0
Abion Website abion v5.0.0
Active24 Website active24 v4.23.0
Akamai EdgeDNS Website edgedns v3.9.0
Alibaba Cloud DNS Website alidns v1.1.0
AlibabaCloud ESA Website aliesa v4.29.0
all-inkl Website allinkl v4.5.0
Alwaysdata Website alwaysdata v4.31.0
Amazon Lightsail Website lightsail v0.5.0
Amazon Route 53 Website route53 v0.3.0
Anexia CloudDNS Website anexia v4.28.0
ANS SafeDNS Website safedns v4.6.0
ArtFiles Website artfiles v4.32.0
ArvanCloud Website arvancloud v3.8.0
Aurora DNS Website auroradns v0.4.0
Autodns Website autodns v3.2.0
Axelname Website axelname v4.23.0
Azion Website azion v4.24.0
Azure DNS Website azuredns v4.13.0
Baidu Cloud Website baiducloud v4.23.0
Beget.com Website beget v4.27.0
Binary Lane Website binarylane v4.26.0
Bindman Website bindman v2.6.0
Bluecat Website bluecat v0.5.0
Bluecat v2 Website bluecatv2 v4.32.0
BookMyName Website bookmyname v4.23.0
Bunny Website bunny v4.11.0
Checkdomain Website checkdomain v3.3.0
Civo Website civo v4.9.0
Cloud.ru Website cloudru v4.14.0
CloudDNS Website clouddns v3.6.0
Cloudflare Website cloudflare v0.3.0
ClouDNS Website cloudns v2.3.0
ConoHa v2 Website conoha v1.2.0
ConoHa v3 Website conohav3 v4.24.0
Constellix Website constellix v3.4.0
Core-Networks Website corenetworks v4.20.0
CPanel/WHM Website cpanel v4.16.0
Curanet Website curanet v5.0.0
Czechia Website czechia v4.33.0
DanDomain Website dandomain v5.0.0
DDnss (DynDNS Service) Website ddnss v4.32.0
Derak Cloud Website derak v4.12.0
deSEC.io Website desec v3.7.0
Designate DNSaaS for Openstack Website designate v2.2.0
Digital Ocean Website digitalocean v0.3.0
Dinahosting Website dinahosting v5.0.0
DirectAdmin Website directadmin v4.18.0
DNS Made Easy Website dnsmadeeasy v0.4.0
DNS Update (RFC2136) Website dnsupdate v0.3.0
dns.la Website dnsla v5.0.0
DNS.services Website dnsservices v5.0.0
DNScale Website dnscale v5.0.0
DNSExit Website dnsexit v4.32.0
dnsHome.de Website dnshomede v4.10.0
DNSimple Website dnsimple v0.3.0
Domain Offensive (do.de) Website dode v2.4.0
Domeneshop Website domeneshop v4.3.0
DreamHost Website dreamhost v1.1.0
Duck DNS Website duckdns v0.5.0
Dyn Website dyn v0.3.0
DynDnsFree.de Website dyndnsfree v4.23.0
Dynu Website dynu v3.5.0
EasyDNS Website easydns v2.6.0
EdgeCenter Website edgecenter v4.29.0
Efficient IP Website efficientip v4.13.0
Epik Website epik v4.5.0
EuroDNS Website eurodns v4.33.0
EUserv Website euserv v5.0.0
Excedo Website excedo v4.33.0
Exoscale Website exoscale v0.4.0
External program Website exec v0.5.0
F5 XC Website f5xc v4.23.0
Fornex Website fornex v5.0.0
freemyip.com Website freemyip v4.5.0
FusionLayer NameSurfer Website namesurfer v4.32.0
G-Core Website gcore v4.5.0
Gandi Website gandi v0.3.0
Gandi Live DNS (v5) Website gandiv5 v0.5.0
Gehirn Website gehirn v5.0.0
Gigahost.no Website gigahostno v4.29.0
Glesys Website glesys v0.5.0
Gname Website gname v5.0.0
Go Daddy Website godaddy v0.5.0
Google Cloud Website gcloud v0.3.0
Gravity Website gravity v4.30.0
Hetzner Website hetzner v3.7.0
Hosting.de Website hostingde v1.1.0
Hosting.nl Website hostingnl v4.30.0
Hostinger Website hostinger v4.27.0
Hosttech Website hosttech v4.5.0
HostUp Website hostup v5.0.0
HTTP request Website httpreq v2.0.0
http.net Website httpnet v4.15.0
Huawei Cloud Website huaweicloud v4.19
Hurricane Electric DNS Website hurricane v4.3.0
HyperOne Website hyperone v3.9.0
IBM Cloud (SoftLayer) Website ibmcloud v4.5.0
IIJ DNS Platform Service Website iijdpf v4.7.0
Infoblox Website infoblox v4.4.0
Infomaniak Website infomaniak v4.1.0
Internet.bs Website internetbs v4.5.0
INWX Website inwx v2.0.0
Ionos Website ionos v4.2.0
Ionos Cloud Website ionoscloud v4.30.0
IPv64 Website ipv64 v4.13.0
ISPConfig 3 Website ispconfig v4.31.0
ISPConfig 3 - Dynamic DNS (DDNS) Module Website ispconfigddns v4.31.0
JD Cloud Website jdcloud v4.31.0
Joker Website joker v2.6.0
Joohoi's ACME-DNS Website acmedns v1.1.0
Katapult Website katapult v5.0.0
KeyHelp Website keyhelp v4.26.0
Leaseweb Website leaseweb v4.32.0
Liara Website liara v4.10.0
Lima-City Website limacity v4.18.0
Linode (v4) Website linode v1.1.0
Liquid Web Website liquidweb v3.1.0
Loopia Website loopia v4.2.0
LuaDNS Website luadns v3.7.0
Mail-in-a-Box Website mailinabox v4.16.0
ManageEngine CloudDNS Website manageengine v4.21.0
Manual manual v0.3.0
Metaname Website metaname v4.13.0
Metaregistrar Website metaregistrar v4.23.0
mijn.host Website mijnhost v4.18.0
Mittwald Website mittwald v1.48.0
myaddr.{tools,dev,io} Website myaddr v4.22.0
MyDNS.jp Website mydnsjp v1.2.0
MythicBeasts Website mythicbeasts v0.3.7
Name.com Website namedotcom v0.5.0
Namecheap Website namecheap v0.3.0
Namesilo Website namesilo v2.7.0
NearlyFreeSpeech.NET Website nearlyfreespeech v4.8.0
NederHost Website nederhost v5.0.0
Neodigit Website neodigit v4.30.0
Netcup Website netcup v1.1.0
Netlify Website netlify v3.7.0
Netnod Website netnod v4.34.0
Ngenix Website ngenix v5.0.0
Nicmanager Website nicmanager v4.5.0
NIFCloud Website nifcloud v1.1.0
Njalla Website njalla v4.3.0
Nodion Website nodion v4.11.0
NS1 Website ns1 v0.4.0
Octenium Website octenium v4.27.0
omg.lol Website omglol v5.0.0
Online.net Website onlinenet v4.34.0
Open Telekom Cloud Website otc v0.4.1
Oracle Cloud Website oraclecloud v2.3.0
OVH Website ovh v0.4.0
plesk.com Website plesk v4.11.0
PointDNS/PointHQ Website pointdns v5.0.0
Porkbun Website porkbun v4.4.0
PowerDNS Website pdns v0.4.0
Rackspace Website rackspace v0.4.0
Rage4 Website rage4 v5.0.0
Rain Yun/雨云 Website rainyun v4.21.0
RcodeZero Website rcodezero v4.13
reg.ru Website regru v3.5.0
Regfish Website regfish v4.20.0
RimuHosting Website rimuhosting v0.3.5
RU CENTER Website nicru v4.24.0
Sakura Cloud Website sakuracloud v1.1.0
Scaleway Website scaleway v3.4.0
ScanNet Website scannet v5.0.0
Selectel Website selectel v1.2.0
Selectel v2 Website selectelv2 v4.17.0
SelfHost.(de|eu) Website selfhostde v4.19.0
Servercow Website servercow v3.4.0
Shellrent Website shellrent v4.16.0
Simply.com Website simply v4.4.0
Sonic Website sonic v4.4.0
Spaceship Website spaceship v4.22.0
Stackpath Website stackpath v1.1.0
Syse Website syse v4.30.0
Technitium Website technitium v4.20.0
Tele3 Website tele3 v5.0.0
Tencent Cloud DNS Website tencentcloud v4.6.0
Tencent EdgeOne Website edgeone v4.26.0
Timeweb Cloud Website timewebcloud v4.20.0
TodayNIC/时代互联 Website todaynic v4.32.0
TransIP Website transip v2.0.0
UCloud Website ucloud v4.34.0
Ultradns Website ultradns v4.10.0
United-Domains Website uniteddomains v4.29.0
Variomedia Website variomedia v4.8.0
Veesp Website veesp v5.0.0
VegaDNS Website vegadns v1.1.0
Vercel Website vercel v4.7.0
Versio.[nl|eu|uk] Website versio v2.7.0
VinylDNS Website vinyldns v4.4.0
Virtualname Website virtualname v4.30.0
VK Cloud Website vkcloud v4.9.0
Volcano Engine/火山引擎 Website volcengine v4.19.0
Vscale Website vscale v2.0.0
Vultr Website vultr v0.3.1
Wannafind Website wannafind v5.0.0
webnames.ca Website webnamesca v4.28.0
webnames.ru Website webnamesru v4.15.0
Websupport Website websupport v4.10.0
WEDOS Website wedos v4.4.0
West.cn/西部数码 Website westcn v4.21.0
Xinnet Website xinnet v5.0.0
Yandex 360 Website yandex360 v4.14.0
Yandex Cloud Website yandexcloud v4.9.0
Yandex PDD Website yandex v3.7.0
Zilore Website zilore v5.0.0
Zone.ee Website zoneee v2.1.0
ZoneEdit Website zoneedit v4.25.0
Zonomi Website zonomi v3.5.0
May 13, 2026

Subsections of DNS Providers

1cloud.ru

Configuration for 1cloud.ru.

  • Code: onecloudru
  • Since: v4.34.0

Here is an example bash command using the 1cloud.ru provider:

ONECLOUDRU_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns onecloudru -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ONECLOUDRU_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ONECLOUDRU_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ONECLOUDRU_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ONECLOUDRU_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ONECLOUDRU_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

35.com/三五互联

Configuration for 35.com/三五互联.

  • Code: com35
  • Since: v4.31.0

Here is an example bash command using the 35.com/三五互联 provider:

COM35_USERNAME="xxx" \
COM35_PASSWORD="yyy" \
lego run --dns com35 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
COM35_PASSWORD API password
COM35_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
COM35_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
COM35_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
COM35_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
COM35_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

51DNS

Configuration for 51DNS.

  • Code: dns51
  • Since: v5.0.0

Here is an example bash command using the 51DNS provider:

DNS51_API_KEY="xxx" \
DNS51_API_SECRET="yyy" \
lego run --dns dns51 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNS51_API_KEY API key
DNS51_API_SECRET API secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNS51_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DNS51_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNS51_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNS51_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Abion

Configuration for Abion.

  • Code: abion
  • Since: v5.0.0

Here is an example bash command using the Abion provider:

ABION_API_KEY="xxxxxxxxxxxx" \
lego run --dns abion -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ABION_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ABION_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
ABION_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ABION_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ABION_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Active24

Configuration for Active24.

  • Code: active24
  • Since: v4.23.0

Here is an example bash command using the Active24 provider:

ACTIVE24_API_KEY="xxx" \
ACTIVE24_SECRET="yyy" \
lego run --dns active24 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ACTIVE24_API_KEY API key
ACTIVE24_SECRET Secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ACTIVE24_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ACTIVE24_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ACTIVE24_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ACTIVE24_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Akamai EdgeDNS

Akamai edgedns supersedes FastDNS; implementing a DNS provider for solving the DNS-01 challenge using Akamai EdgeDNS

  • Code: edgedns
  • Since: v3.9.0

Here is an example bash command using the Akamai EdgeDNS provider:

AKAMAI_CLIENT_SECRET=abcdefghijklmnopqrstuvwxyz1234567890ABCDEFG= \
AKAMAI_CLIENT_TOKEN=akab-mnbvcxzlkjhgfdsapoiuytrewq1234567 \
AKAMAI_HOST=akab-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.luna.akamaiapis.net \
AKAMAI_ACCESS_TOKEN=akab-1234567890qwerty-asdfghjklzxcvtnu \
lego run --dns edgedns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AKAMAI_ACCESS_TOKEN Access token, managed by the Akamai EdgeGrid client
AKAMAI_CLIENT_SECRET Client secret, managed by the Akamai EdgeGrid client
AKAMAI_CLIENT_TOKEN Client token, managed by the Akamai EdgeGrid client
AKAMAI_EDGERC Path to the .edgerc file, managed by the Akamai EdgeGrid client
AKAMAI_EDGERC_SECTION Configuration section, managed by the Akamai EdgeGrid client
AKAMAI_HOST API host, managed by the Akamai EdgeGrid client

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AKAMAI_ACCOUNT_SWITCH_KEY Target account ID when the DNS zone and credentials belong to different accounts
AKAMAI_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 15)
AKAMAI_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 180)
AKAMAI_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Akamai’s credentials are automatically detected in the following locations and prioritized in the following order:

  1. Section-specific environment variables (where {SECTION} is specified using AKAMAI_EDGERC_SECTION):
  • AKAMAI_{SECTION}_HOST
  • AKAMAI_{SECTION}_ACCESS_TOKEN
  • AKAMAI_{SECTION}_CLIENT_TOKEN
  • AKAMAI_{SECTION}_CLIENT_SECRET
  1. If AKAMAI_EDGERC_SECTION is not defined or is set to default, environment variables:
  • AKAMAI_HOST
  • AKAMAI_ACCESS_TOKEN
  • AKAMAI_CLIENT_TOKEN
  • AKAMAI_CLIENT_SECRET
  1. .edgerc file located at AKAMAI_EDGERC
  • defaults to ~/.edgerc, sections can be specified using AKAMAI_EDGERC_SECTION
  1. Default environment variables:
  • AKAMAI_HOST
  • AKAMAI_ACCESS_TOKEN
  • AKAMAI_CLIENT_TOKEN
  • AKAMAI_CLIENT_SECRET

See also:

More information

May 5, 2026

Alibaba Cloud DNS

Configuration for Alibaba Cloud DNS.

  • Code: alidns
  • Since: v1.1.0

Here is an example bash command using the Alibaba Cloud DNS provider:

# Setup using instance RAM role
ALICLOUD_RAM_ROLE=lego \
lego run --dns alidns -d '*.example.com' -d example.com

# Or, using credentials
ALICLOUD_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
ALICLOUD_SECRET_KEY=your-secret-key \
ALICLOUD_SECURITY_TOKEN=your-sts-token \
lego run --dns alidns - -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ALICLOUD_ACCESS_KEY Access key ID
ALICLOUD_RAM_ROLE Your instance RAM role (https://www.alibabacloud.com/help/en/ecs/user-guide/attach-an-instance-ram-role-to-an-ecs-instance)
ALICLOUD_SECRET_KEY Access Key secret
ALICLOUD_SECURITY_TOKEN STS Security Token (optional)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ALICLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
ALICLOUD_LINE Line (Default: default)
ALICLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ALICLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ALICLOUD_REGION_ID Region ID (Default: cn-hangzhou)
ALICLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

AlibabaCloud ESA

Configuration for AlibabaCloud ESA.

  • Code: aliesa
  • Since: v4.29.0

Here is an example bash command using the AlibabaCloud ESA provider:

# Setup using instance RAM role
ALIESA_RAM_ROLE=lego \
lego run --dns aliesa -d '*.example.com' -d example.com

# Or, using credentials
ALIESA_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
ALIESA_SECRET_KEY=your-secret-key \
ALIESA_SECURITY_TOKEN=your-sts-token \
lego run --dns aliesa - -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ALIESA_ACCESS_KEY Access key ID
ALIESA_RAM_ROLE Your instance RAM role (https://www.alibabacloud.com/help/en/ecs/user-guide/attach-an-instance-ram-role-to-an-ecs-instance)
ALIESA_SECRET_KEY Access Key secret
ALIESA_SECURITY_TOKEN STS Security Token (optional)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ALIESA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ALIESA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ALIESA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ALIESA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

all-inkl

Configuration for all-inkl.

  • Code: allinkl
  • Since: v4.5.0

Here is an example bash command using the all-inkl provider:

ALL_INKL_LOGIN=xxxxxxxxxxxxxxxxxxxxxxxxxx \
ALL_INKL_PASSWORD=yyyyyyyyyyyyyyyyyyyyyyyyyy \
lego run --dns allinkl -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ALL_INKL_LOGIN KAS login
ALL_INKL_PASSWORD KAS password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ALL_INKL_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ALL_INKL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ALL_INKL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Alwaysdata

Configuration for Alwaysdata.

  • Code: alwaysdata
  • Since: v4.31.0

Here is an example bash command using the Alwaysdata provider:

ALWAYSDATA_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns alwaysdata -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ALWAYSDATA_API_KEY API Key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ALWAYSDATA_ACCOUNT Account name
ALWAYSDATA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ALWAYSDATA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ALWAYSDATA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ALWAYSDATA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Amazon Lightsail

Configuration for Amazon Lightsail.

  • Code: lightsail
  • Since: v0.5.0
Note

Please contribute by adding a CLI example.

Credentials

Environment Variable Name Description
AWS_ACCESS_KEY_ID Managed by the AWS client. Access key ID (AWS_ACCESS_KEY_ID_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
AWS_SECRET_ACCESS_KEY Managed by the AWS client. Secret access key (AWS_SECRET_ACCESS_KEY_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
DNS_ZONE Domain name of the DNS zone

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AWS_SHARED_CREDENTIALS_FILE Managed by the AWS client. Shared credentials file.
LIGHTSAIL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
LIGHTSAIL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials, profiles can be specified using AWS_PROFILE)
  3. Amazon EC2 IAM role

AWS region is not required to set as the Lightsail DNS zone is in global (us-east-1) region.

Policy

The following AWS IAM policy document describes the minimum permissions required for lego to complete the DNS challenge.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "<Lightsail DNS zone ARN>"
    }
  ]
}

Replace the Resource value with your Lightsail DNS zone ARN. You can retrieve the ARN using aws cli by running aws lightsail get-domains --region us-east-1 (Lightsail web console does not show the ARN, unfortunately). It should be in the format of arn:aws:lightsail:global:<ACCOUNT ID>:Domain/<DOMAIN ID>. You also need to replace the region in the ARN to us-east-1 (instead of global).

Alternatively, you can also set the Resource to * (wildcard), which allow to access all domain, but this is not recommended.

More information

Jan 11, 2025

Amazon Route 53

Configuration for Amazon Route 53.

  • Code: route53
  • Since: v0.3.0

Here is an example bash command using the Amazon Route 53 provider:

AWS_ACCESS_KEY_ID=your_key_id \
AWS_SECRET_ACCESS_KEY=your_secret_access_key \
AWS_REGION=aws-region \
AWS_HOSTED_ZONE_ID=your_hosted_zone_id \
lego run --dns route53 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AWS_ACCESS_KEY_ID Managed by the AWS client. Access key ID (AWS_ACCESS_KEY_ID_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
AWS_ASSUME_ROLE_ARN Managed by the AWS Role ARN (AWS_ASSUME_ROLE_ARN_FILE is not supported)
AWS_EXTERNAL_ID Managed by STS AssumeRole API operation (AWS_EXTERNAL_ID_FILE is not supported)
AWS_HOSTED_ZONE_ID Override the hosted zone ID.
AWS_PROFILE Managed by the AWS client (AWS_PROFILE_FILE is not supported)
AWS_REGION Managed by the AWS client (AWS_REGION_FILE is not supported)
AWS_SDK_LOAD_CONFIG Managed by the AWS client. Retrieve the region from the CLI config file (AWS_SDK_LOAD_CONFIG_FILE is not supported)
AWS_SECRET_ACCESS_KEY Managed by the AWS client. Secret access key (AWS_SECRET_ACCESS_KEY_FILE is not supported, use AWS_SHARED_CREDENTIALS_FILE instead)
AWS_WAIT_FOR_RECORD_SETS_CHANGED Wait for changes to be INSYNC (it can be unstable)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AWS_MAX_RETRIES The number of maximum returns the service will use to make an individual API request
AWS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 4)
AWS_PRIVATE_ZONE Set to true to use private zones only (default: use public zones only)
AWS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
AWS_SHARED_CREDENTIALS_FILE Managed by the AWS client. Shared credentials file.
AWS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 10)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

AWS Credentials are automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, [AWS_SESSION_TOKEN]
  2. Shared credentials file (defaults to ~/.aws/credentials, profiles can be specified using AWS_PROFILE)
  3. Amazon EC2 IAM role

The AWS Region is automatically detected in the following locations and prioritized in the following order:

  1. Environment variables: AWS_REGION
  2. Shared configuration file if AWS_SDK_LOAD_CONFIG is set (defaults to ~/.aws/config, profiles can be specified using AWS_PROFILE)

If AWS_HOSTED_ZONE_ID is not set, Lego tries to determine the correct public hosted zone via the FQDN.

See also:

IAM Policy Examples

Broad privileges for testing purposes

The following IAM policy document grants access to the required APIs needed by lego to complete the DNS challenge. A word of caution: These permissions grant write access to any DNS record in any hosted zone, so it is recommended to narrow them down as much as possible if you are using this policy in production.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetChange",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:route53:::change/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    }
  ]
}

Least privilege policy for production purposes

The following AWS IAM policy document describes the least privilege permissions required for lego to complete the DNS challenge. Write access is limited to a specified hosted zone’s DNS TXT records with a key of _acme-challenge.example.com. Replace Z11111112222222333333 with your hosted zone ID and example.com with your domain name to use this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/Z11111112222222333333"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}

More information

May 5, 2026

Anexia CloudDNS

Configuration for Anexia CloudDNS.

  • Code: anexia
  • Since: v4.28.0

Here is an example bash command using the Anexia CloudDNS provider:

ANEXIA_TOKEN=xxx \
lego run --dns anexia -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ANEXIA_TOKEN API token for Anexia Engine

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ANEXIA_API_URL API endpoint URL (default: https://engine.anexia-it.com)
ANEXIA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ANEXIA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ANEXIA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
ANEXIA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

You need to create an API token in the Anexia Engine.

The token must have permissions to manage DNS zones and records.

More information

May 5, 2026

ANS SafeDNS

Configuration for ANS SafeDNS.

  • Code: safedns
  • Since: v4.6.0

Here is an example bash command using the ANS SafeDNS provider:

SAFEDNS_AUTH_TOKEN=xxxxxx \
lego run --dns safedns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SAFEDNS_AUTH_TOKEN Authentication token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SAFEDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SAFEDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SAFEDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SAFEDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ArtFiles

Configuration for ArtFiles.

  • Code: artfiles
  • Since: v4.32.0

Here is an example bash command using the ArtFiles provider:

ARTFILES_USERNAME="xxx" \
ARTFILES_PASSWORD="yyy" \
lego run --dns artfiles -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ARTFILES_PASSWORD API password
ARTFILES_USERNAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ARTFILES_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ARTFILES_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ARTFILES_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 360)
ARTFILES_SERVER_NAME Your server name (Default: dcp)
ARTFILES_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 8, 2026

ArvanCloud

Configuration for ArvanCloud.

  • Code: arvancloud
  • Since: v3.8.0

Here is an example bash command using the ArvanCloud provider:

ARVANCLOUD_API_KEY="Apikey xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
lego run --dns arvancloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ARVANCLOUD_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ARVANCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ARVANCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ARVANCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
ARVANCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Aurora DNS

Configuration for Aurora DNS.

  • Code: auroradns
  • Since: v0.4.0

Here is an example bash command using the Aurora DNS provider:

AURORA_API_KEY=xxxxx \
AURORA_SECRET=yyyyyy \
lego run --dns auroradns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AURORA_API_KEY API key or username to used
AURORA_SECRET Secret password to be used

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AURORA_ENDPOINT API endpoint URL
AURORA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
AURORA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
AURORA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Autodns

Configuration for Autodns.

  • Code: autodns
  • Since: v3.2.0

Here is an example bash command using the Autodns provider:

AUTODNS_API_USER=username \
AUTODNS_API_PASSWORD=supersecretpassword \
lego run --dns autodns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AUTODNS_API_PASSWORD User Password
AUTODNS_API_USER Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AUTODNS_CONTEXT API context (4 for production, 1 for testing. Defaults to 4)
AUTODNS_ENDPOINT API endpoint URL, defaults to https://api.autodns.com/v1/
AUTODNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
AUTODNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
AUTODNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
AUTODNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Axelname

Configuration for Axelname.

  • Code: axelname
  • Since: v4.23.0

Here is an example bash command using the Axelname provider:

AXELNAME_NICKNAME="yyy" \
AXELNAME_TOKEN="xxx" \
lego run --dns axelname -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AXELNAME_NICKNAME Account nickname
AXELNAME_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AXELNAME_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
AXELNAME_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
AXELNAME_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
AXELNAME_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Azion

Configuration for Azion.

  • Code: azion
  • Since: v4.24.0

Here is an example bash command using the Azion provider:

AZION_PERSONAL_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns azion -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AZION_PERSONAL_TOKEN Your Azion personal token.

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AZION_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
AZION_PAGE_SIZE The page size for the API request (Default: 50)
AZION_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
AZION_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
AZION_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Azure DNS

Configuration for Azure DNS.

  • Code: azuredns
  • Since: v4.13.0

Here is an example bash command using the Azure DNS provider:

### Using client secret

AZURE_CLIENT_ID=<your service principal client ID> \
AZURE_TENANT_ID=<your service principal tenant ID> \
AZURE_CLIENT_SECRET=<your service principal client secret> \
lego run --dns azuredns -d '*.example.com' -d example.com

### Using client certificate

AZURE_CLIENT_ID=<your service principal client ID> \
AZURE_TENANT_ID=<your service principal tenant ID> \
AZURE_CLIENT_CERTIFICATE_PATH=<your service principal certificate path> \
lego run --dns azuredns -d '*.example.com' -d example.com

### Using Azure CLI

az login \
lego run --dns azuredns -d '*.example.com' -d example.com

### Using Managed Identity (Azure VM)

AZURE_TENANT_ID=<your service principal tenant ID> \
AZURE_RESOURCE_GROUP=<your target zone resource group name> \
lego run --dns azuredns -d '*.example.com' -d example.com

### Using Managed Identity (Azure Arc)

AZURE_TENANT_ID=<your service principal tenant ID> \
IMDS_ENDPOINT=http://localhost:40342 \
IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token \
lego run --dns azuredns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
AZURE_CLIENT_CERTIFICATE_PATH Client certificate path
AZURE_CLIENT_ID Client ID
AZURE_CLIENT_SECRET Client secret
AZURE_TENANT_ID Tenant ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
AZURE_AUTH_METHOD Specify which authentication method to use
AZURE_AUTH_MSI_TIMEOUT Managed Identity timeout duration
AZURE_ENVIRONMENT Azure environment, one of: public, usgovernment, and china
AZURE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
AZURE_PRIVATE_ZONE Set to true to use Azure Private DNS Zones and not public
AZURE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
AZURE_RESOURCE_GROUP DNS zone resource group
AZURE_SERVICEDISCOVERY_FILTER Advanced ServiceDiscovery filter using Kusto query condition
AZURE_SUBSCRIPTION_ID DNS zone subscription ID
AZURE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)
AZURE_ZONE_NAME Zone name to use inside Azure DNS service to add the TXT record in

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

Several authentication methods can be used to authenticate against Azure DNS API.

Default Azure Credentials (default option)

Default Azure Credentials automatically detects in the following locations and prioritized in the following order:

  1. Environment variables for client secret: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET
  2. Environment variables for client certificate: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_CERTIFICATE_PATH
  3. Workload identity for resources hosted in Azure environment (see below)
  4. Shared credentials (defaults to ~/.azure folder), used by Azure CLI

Link:

Environment variables

Service Discovery

Lego automatically finds all visible Azure (private) DNS zones using Azure ResourceGraph query. This can be limited by specifying environment variable AZURE_SUBSCRIPTION_ID and/or AZURE_RESOURCE_GROUP which limits the DNS zones to only a subscription or to one resourceGroup.

Additionally environment variable AZURE_SERVICEDISCOVERY_FILTER can be used to filter DNS zones with an addition Kusto filter eg:

resources
| where type =~ "microsoft.network/dnszones"
| ${AZURE_SERVICEDISCOVERY_FILTER}
| project subscriptionId, resourceGroup, name

Client secret

The Azure Credentials can be configured using the following environment variables:

  • AZURE_CLIENT_ID = “Client ID”
  • AZURE_CLIENT_SECRET = “Client secret”
  • AZURE_TENANT_ID = “Tenant ID”

This authentication method can be specifically used by setting the AZURE_AUTH_METHOD environment variable to env.

Client certificate

The Azure Credentials can be configured using the following environment variables:

  • AZURE_CLIENT_ID = “Client ID”
  • AZURE_CLIENT_CERTIFICATE_PATH = “Client certificate path”
  • AZURE_TENANT_ID = “Tenant ID”

This authentication method can be specifically used by setting the AZURE_AUTH_METHOD environment variable to env.

Workload identity

Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials.

This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand.

Here is a summary of the steps to follow to use it :

  • create a ServiceAccount resource, add following annotations to reference the targeted Azure AD application registration : azure.workload.identity/client-id and azure.workload.identity/tenant-id.
  • on the Deployment resource you must reference the previous ServiceAccount and add the following label : azure.workload.identity/use: "true".
  • create a federated credentials of type Kubernetes accessing Azure resources, add the cluster issuer URL and add the namespace and name of your kubernetes service account.

Link :

This authentication method can be specifically used by setting the AZURE_AUTH_METHOD environment variable to wli.

Azure Managed Identity

Azure Managed Identity (with Azure workload)

The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets.

Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. For this to work, the Managed Identity requires the Reader role on the target DNS Zone, and the DNS Zone Contributor on the relevant _acme-challenge TXT records.

For example, to allow a Managed Identity to create a certificate for “fw01.lab.example.com”, using Azure CLI:

export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
export AZURE_RESOURCE_GROUP="rg1"
export SERVICE_PRINCIPAL_ID="00000000-0000-0000-0000-000000000000"

export AZURE_DNS_ZONE="lab.example.com"
export AZ_HOSTNAME="fw01"
export AZ_RECORD_SET="_acme-challenge.${AZ_HOSTNAME}"

az role assignment create \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--role "Reader" \
--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}"

az role assignment create \
--assignee "${SERVICE_PRINCIPAL_ID}" \
--role "DNS Zone Contributor" \
--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}/TXT/${AZ_RECORD_SET}"

A timeout wrapper is configured for this authentication method. The duration can be configured by setting the AZURE_AUTH_MSI_TIMEOUT. The default timeout is 2 seconds. This authentication method can be specifically used by setting the AZURE_AUTH_METHOD environment variable to msi.

Azure Managed Identity (with Azure Arc)

The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure (such as on-prem virtual machines, or VMs in another cloud provider).

While the upstream azidentity SDK will try to automatically identify and use the Azure Arc metadata service, if you get azuredns: DefaultAzureCredential: failed to acquire a token. error messages, you may need to set the environment variables:

  • IMDS_ENDPOINT=http://localhost:40342
  • IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token

A timeout wrapper is configured for this authentication method. The duration can be configured by setting the AZURE_AUTH_MSI_TIMEOUT. The default timeout is 2 seconds. This authentication method can be specifically used by setting the AZURE_AUTH_METHOD environment variable to msi.

Azure CLI

The Azure CLI is a command-line tool provided by Microsoft to interact with Azure resources. It provides an easy way to authenticate by simply running az login command. The generated token will be cached by default in the ~/.azure folder.

This authentication method can be specifically used by setting the AZURE_AUTH_METHOD environment variable to cli.

Open ID Connect

Open ID Connect is a mechanism that establish a trust relationship between a running environment and the Azure AD identity provider. It can be enabled by setting the AZURE_AUTH_METHOD environment variable to oidc.

Azure DevOps Pipelines

It can be enabled by setting the AZURE_AUTH_METHOD environment variable to pipeline.

More information

May 5, 2026

Baidu Cloud

Configuration for Baidu Cloud.

  • Code: baiducloud
  • Since: v4.23.0

Here is an example bash command using the Baidu Cloud provider:

BAIDUCLOUD_ACCESS_KEY_ID="xxx" \
BAIDUCLOUD_SECRET_ACCESS_KEY="yyy" \
lego run --dns baiducloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BAIDUCLOUD_ACCESS_KEY_ID Access key
BAIDUCLOUD_SECRET_ACCESS_KEY Secret access key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BAIDUCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BAIDUCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
BAIDUCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Beget.com

Configuration for Beget.com.

  • Code: beget
  • Since: v4.27.0

Here is an example bash command using the Beget.com provider:

BEGET_USERNAME=xxxxxx \
BEGET_PASSWORD=yyyyyy \
lego run --dns beget -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BEGET_PASSWORD API password
BEGET_USERNAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BEGET_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
BEGET_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 30)
BEGET_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
BEGET_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Binary Lane

Configuration for Binary Lane.

  • Code: binarylane
  • Since: v4.26.0

Here is an example bash command using the Binary Lane provider:

BINARYLANE_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns binarylane -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BINARYLANE_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BINARYLANE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
BINARYLANE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BINARYLANE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
BINARYLANE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Bindman

Configuration for Bindman.

  • Code: bindman
  • Since: v2.6.0

Here is an example bash command using the Bindman provider:

BINDMAN_MANAGER_ADDRESS=<your bindman manager address> \
lego run --dns bindman -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BINDMAN_MANAGER_ADDRESS The server URL, should have scheme, hostname, and port (if required) of the Bindman-DNS Manager server

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BINDMAN_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
BINDMAN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BINDMAN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Bluecat

Configuration for Bluecat.

  • Code: bluecat
  • Since: v0.5.0

Here is an example bash command using the Bluecat provider:

BLUECAT_PASSWORD=mypassword \
BLUECAT_DNS_VIEW=myview \
BLUECAT_USER_NAME=myusername \
BLUECAT_CONFIG_NAME=myconfig \
BLUECAT_SERVER_URL=https://bam.example.com \
BLUECAT_TTL=30 \
lego run --dns bluecat -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BLUECAT_CONFIG_NAME Configuration name
BLUECAT_DNS_VIEW External DNS View Name
BLUECAT_PASSWORD API password
BLUECAT_SERVER_URL The server URL, should have scheme, hostname, and port (if required) of the authoritative Bluecat BAM serve
BLUECAT_USER_NAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BLUECAT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
BLUECAT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BLUECAT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
BLUECAT_SKIP_DEPLOY Skip deployments
BLUECAT_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Bluecat v2

Configuration for Bluecat v2.

  • Code: bluecatv2
  • Since: v4.32.0

Here is an example bash command using the Bluecat v2 provider:

BLUECATV2_SERVER_URL="https://example.com" \
BLUECATV2_USERNAME="xxx" \
BLUECATV2_PASSWORD="yyy" \
BLUECATV2_CONFIG_NAME="myConfiguration" \
BLUECATV2_VIEW_NAME="myView" \
lego run --dns bluecatv2 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BLUECATV2_CONFIG_NAME Configuration name
BLUECATV2_PASSWORD API password
BLUECATV2_SERVER_URL The server URL: it should have a scheme, hostname, and port (if required) of the authoritative Bluecat BAM serve
BLUECATV2_USERNAME API username
BLUECATV2_VIEW_NAME DNS View Name

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BLUECATV2_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
BLUECATV2_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BLUECATV2_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
BLUECATV2_SKIP_DEPLOY Skip quick deployments
BLUECATV2_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

BookMyName

Configuration for BookMyName.

  • Code: bookmyname
  • Since: v4.23.0

Here is an example bash command using the BookMyName provider:

BOOKMYNAME_USERNAME="xxx" \
BOOKMYNAME_PASSWORD="yyy" \
lego run --dns bookmyname -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BOOKMYNAME_PASSWORD Password
BOOKMYNAME_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BOOKMYNAME_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
BOOKMYNAME_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BOOKMYNAME_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
BOOKMYNAME_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Bunny

Configuration for Bunny.

  • Code: bunny
  • Since: v4.11.0

Here is an example bash command using the Bunny provider:

BUNNY_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
lego run --dns bunny -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
BUNNY_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
BUNNY_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
BUNNY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
BUNNY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
BUNNY_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Checkdomain

Configuration for Checkdomain.

  • Code: checkdomain
  • Since: v3.3.0

Here is an example bash command using the Checkdomain provider:

CHECKDOMAIN_TOKEN=yoursecrettoken \
lego run --dns checkdomain -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CHECKDOMAIN_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CHECKDOMAIN_ENDPOINT API endpoint URL, defaults to https://api.checkdomain.de
CHECKDOMAIN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CHECKDOMAIN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 300)
CHECKDOMAIN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 7)
CHECKDOMAIN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Civo

Configuration for Civo.

  • Code: civo
  • Since: v4.9.0

Here is an example bash command using the Civo provider:

CIVO_TOKEN=xxxxxx \
lego run --dns civo -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CIVO_TOKEN Authentication token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CIVO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 30)
CIVO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
CIVO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Cloud.ru

Configuration for Cloud.ru.

  • Code: cloudru
  • Since: v4.14.0

Here is an example bash command using the Cloud.ru provider:

CLOUDRU_SERVICE_INSTANCE_ID=ppp \
CLOUDRU_KEY_ID=xxx \
CLOUDRU_SECRET=yyy \
lego run --dns cloudru -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CLOUDRU_KEY_ID Key ID (login)
CLOUDRU_SECRET Key Secret
CLOUDRU_SERVICE_INSTANCE_ID Service Instance ID (parentId)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CLOUDRU_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CLOUDRU_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
CLOUDRU_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
CLOUDRU_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 120)
CLOUDRU_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

CloudDNS

Configuration for CloudDNS.

  • Code: clouddns
  • Since: v3.6.0

Here is an example bash command using the CloudDNS provider:

CLOUDDNS_CLIENT_ID=bLsdFAks23429841238feb177a572aX \
CLOUDDNS_EMAIL=you@example.com \
CLOUDDNS_PASSWORD=b9841238feb177a84330f \
lego run --dns clouddns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CLOUDDNS_CLIENT_ID Client ID
CLOUDDNS_EMAIL Account email
CLOUDDNS_PASSWORD Account password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CLOUDDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CLOUDDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
CLOUDDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
CLOUDDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Cloudflare

Configuration for Cloudflare.

  • Code: cloudflare
  • Since: v0.3.0

Here is an example bash command using the Cloudflare provider:

CLOUDFLARE_EMAIL=you@example.com \
CLOUDFLARE_API_KEY=b9841238feb177a84330febba8a83208921177bffe733 \
lego run --dns cloudflare -d '*.example.com' -d example.com

# or

CLOUDFLARE_DNS_API_TOKEN=1234567890abcdefghijklmnopqrstuvwxyz \
lego run --dns cloudflare -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CF_API_EMAIL Account email
CF_API_KEY API key
CF_DNS_API_TOKEN API token with DNS:Edit permission (since v3.1.0)
CF_ZONE_API_TOKEN API token with Zone:Read permission (since v3.1.0)
CLOUDFLARE_API_KEY Alias to CF_API_KEY
CLOUDFLARE_DNS_API_TOKEN Alias to CF_DNS_API_TOKEN
CLOUDFLARE_EMAIL Alias to CF_API_EMAIL
CLOUDFLARE_ZONE_API_TOKEN Alias to CF_ZONE_API_TOKEN

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CLOUDFLARE_BASE_URL API base URL (Default: https://api.cloudflare.com/client/v4)
CLOUDFLARE_HTTP_TIMEOUT API request timeout in seconds (Default: )
CLOUDFLARE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CLOUDFLARE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
CLOUDFLARE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

You may use CF_API_EMAIL and CF_API_KEY to authenticate, or CF_DNS_API_TOKEN, or CF_DNS_API_TOKEN and CF_ZONE_API_TOKEN.

API keys

If using API keys (CF_API_EMAIL and CF_API_KEY), the Global API Key needs to be used, not the Origin CA Key.

Please be aware, that this in principle allows Lego to read and change everything related to this account.

API tokens

With API tokens (CF_DNS_API_TOKEN, and optionally CF_ZONE_API_TOKEN), very specific access can be granted to your resources at Cloudflare. See this Cloudflare announcement for details.

The main resources Lego cares for are the DNS entries for your Zones. It also needs to resolve a domain name to an internal Zone ID in order to manipulate DNS entries.

Hence, you should create an API token with the following permissions:

  • Zone / Zone / Read
  • Zone / DNS / Edit

You also need to scope the access to all your domains for this to work. Then pass the API token as CF_DNS_API_TOKEN to Lego.

Alternatively, if you prefer a more strict set of privileges, you can split the access tokens:

  • Create one with Zone / Zone / Read permissions and scope it to all your zones or just the individual zone you need to edit. This is needed to resolve domain names to Zone IDs and can be shared among multiple Lego installations. Pass this API token as CF_ZONE_API_TOKEN to Lego.
  • Create another API token with Zone / DNS / Edit permissions and set the scope to the domains you want to manage with a single Lego installation. Pass this token as CF_DNS_API_TOKEN to Lego.
  • Repeat the previous step for each host you want to run Lego on.
  • It is possible to use the same api token for both variables if it is given Zone:Read and DNS:Edit permission for the zone.

This “paranoid” setup is mainly interesting for users who manage many zones/domains with a single Cloudflare account. It follows the principle of least privilege and limits the possible damage, should one of the hosts become compromised.

More information

May 5, 2026

ClouDNS

Configuration for ClouDNS.

  • Code: cloudns
  • Since: v2.3.0

Here is an example bash command using the ClouDNS provider:

CLOUDNS_AUTH_ID=xxxx \
CLOUDNS_AUTH_PASSWORD=yyyy \
lego run --dns cloudns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CLOUDNS_AUTH_ID The API user ID
CLOUDNS_AUTH_PASSWORD The password for API user ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CLOUDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CLOUDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
CLOUDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 180)
CLOUDNS_SUB_AUTH_ID The API sub user ID
CLOUDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ConoHa v2

Configuration for ConoHa v2.

  • Code: conoha
  • Since: v1.2.0

Here is an example bash command using the ConoHa v2 provider:

CONOHA_TENANT_ID=487727e3921d44e3bfe7ebb337bf085e \
CONOHA_API_USERNAME=xxxx \
CONOHA_API_PASSWORD=yyyy \
lego run --dns conoha -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CONOHA_API_PASSWORD The API password
CONOHA_API_USERNAME The API username
CONOHA_TENANT_ID Tenant ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CONOHA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CONOHA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CONOHA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
CONOHA_REGION The region (Default: tyo1)
CONOHA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ConoHa v3

Configuration for ConoHa v3.

  • Code: conohav3
  • Since: v4.24.0

Here is an example bash command using the ConoHa v3 provider:

CONOHAV3_TENANT_ID=487727e3921d44e3bfe7ebb337bf085e \
CONOHAV3_API_USER_ID=xxxx \
CONOHAV3_API_PASSWORD=yyyy \
lego run --dns conohav3 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CONOHAV3_API_PASSWORD The API password
CONOHAV3_API_USER_ID The API user ID
CONOHAV3_TENANT_ID Tenant ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CONOHAV3_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CONOHAV3_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CONOHAV3_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
CONOHAV3_REGION The region (Default: c3j1)
CONOHAV3_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Constellix

Configuration for Constellix.

  • Code: constellix
  • Since: v3.4.0

Here is an example bash command using the Constellix provider:

CONSTELLIX_API_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
CONSTELLIX_SECRET_KEY=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx \
lego run --dns constellix -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CONSTELLIX_API_KEY User API key
CONSTELLIX_SECRET_KEY User secret key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CONSTELLIX_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CONSTELLIX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
CONSTELLIX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
CONSTELLIX_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Core-Networks

Configuration for Core-Networks.

  • Code: corenetworks
  • Since: v4.20.0

Here is an example bash command using the Core-Networks provider:

CORENETWORKS_LOGIN="xxxx" \
CORENETWORKS_PASSWORD="yyyy" \
lego run --dns corenetworks -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CORENETWORKS_LOGIN The username of the API account
CORENETWORKS_PASSWORD The password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CORENETWORKS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CORENETWORKS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CORENETWORKS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
CORENETWORKS_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
CORENETWORKS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

CPanel/WHM

Configuration for CPanel/WHM.

  • Code: cpanel
  • Since: v4.16.0

Here is an example bash command using the CPanel/WHM provider:

### CPANEL (default)

CPANEL_USERNAME="yyyy" \
CPANEL_TOKEN="xxxx" \
CPANEL_BASE_URL="https://example.com:2083" \
lego run --dns cpanel -d '*.example.com' -d example.com

## WHM

CPANEL_MODE=whm \
CPANEL_USERNAME="yyyy" \
CPANEL_TOKEN="xxxx" \
CPANEL_BASE_URL="https://example.com:2087" \
lego run --dns cpanel -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CPANEL_BASE_URL API server URL
CPANEL_TOKEN API token
CPANEL_USERNAME username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CPANEL_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CPANEL_MODE use cpanel API or WHM API (Default: cpanel)
CPANEL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CPANEL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
CPANEL_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Curanet

Configuration for Curanet.

  • Code: curanet
  • Since: v5.0.0

Here is an example bash command using the Curanet provider:

CURANET_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns curanet -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CURANET_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CURANET_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CURANET_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CURANET_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
CURANET_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Czechia

Configuration for Czechia.

  • Code: czechia
  • Since: v4.33.0

Here is an example bash command using the Czechia provider:

CZECHIA_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns czechia -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
CZECHIA_TOKEN Authorization token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
CZECHIA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
CZECHIA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
CZECHIA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
CZECHIA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DanDomain

Configuration for DanDomain.

  • Code: dandomain
  • Since: v5.0.0

Here is an example bash command using the DanDomain provider:

DANDOMAIN_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns dandomain -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DANDOMAIN_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DANDOMAIN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DANDOMAIN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DANDOMAIN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DANDOMAIN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DDnss (DynDNS Service)

Configuration for DDnss (DynDNS Service).

  • Code: ddnss
  • Since: v4.32.0

Here is an example bash command using the DDnss (DynDNS Service) provider:

DDNSS_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns ddnss -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DDNSS_KEY Update key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DDNSS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DDNSS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DDNSS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DDNSS_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
DDNSS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Derak Cloud

Configuration for Derak Cloud.

  • Code: derak
  • Since: v4.12.0

Here is an example bash command using the Derak Cloud provider:

DERAK_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns derak -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DERAK_API_KEY The API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DERAK_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DERAK_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
DERAK_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
DERAK_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
DERAK_WEBSITE_ID Force the zone/website ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

May 5, 2026

deSEC.io

Configuration for deSEC.io.

  • Code: desec
  • Since: v3.7.0

Here is an example bash command using the deSEC.io provider:

DESEC_TOKEN=x-xxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns desec -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DESEC_TOKEN Domain token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DESEC_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DESEC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 4)
DESEC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
DESEC_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Designate DNSaaS for Openstack

Configuration for Designate DNSaaS for Openstack.

  • Code: designate
  • Since: v2.2.0

Here is an example bash command using the Designate DNSaaS for Openstack provider:

# With a `clouds.yaml`
OS_CLOUD=my_openstack \
lego run --dns designate -d '*.example.com' -d example.com

# or

OS_AUTH_URL=https://openstack.example.org \
OS_REGION_NAME=RegionOne \
OS_PROJECT_ID=23d4522a987d4ab529f722a007c27846
OS_USERNAME=myuser \
OS_PASSWORD=passw0rd \
lego run --dns designate -d '*.example.com' -d example.com

# or

OS_AUTH_URL=https://openstack.example.org \
OS_REGION_NAME=RegionOne \
OS_AUTH_TYPE=v3applicationcredential \
OS_APPLICATION_CREDENTIAL_ID=imn74uq0or7dyzz20dwo1ytls4me8dry \
OS_APPLICATION_CREDENTIAL_SECRET=68FuSPSdQqkFQYH5X1OoriEIJOwyLtQ8QSqXZOc9XxFK1A9tzZT6He2PfPw0OMja \
lego run --dns designate -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
OS_APPLICATION_CREDENTIAL_ID Application credential ID
OS_APPLICATION_CREDENTIAL_NAME Application credential name
OS_APPLICATION_CREDENTIAL_SECRET Application credential secret
OS_AUTH_URL Identity endpoint URL
OS_PASSWORD Password
OS_PROJECT_NAME Project name
OS_REGION_NAME Region name
OS_USERNAME Username
OS_USER_ID User ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DESIGNATE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
DESIGNATE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 600)
DESIGNATE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 10)
DESIGNATE_ZONE_NAME The zone name to use in the OpenStack Project to manage TXT records.
OS_PROJECT_ID Project ID
OS_TENANT_NAME Tenant name (deprecated see OS_PROJECT_NAME and OS_PROJECT_ID)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

There are three main ways of authenticating with Designate:

  1. The first one is by using the OS_CLOUD environment variable and a clouds.yaml file.
  2. The second one is using your username and password, via the OS_USERNAME, OS_PASSWORD and OS_PROJECT_NAME environment variables.
  3. The third one is by using an application credential, via the OS_APPLICATION_CREDENTIAL_* and OS_USER_ID environment variables.

For the username/password and application methods, the OS_AUTH_URL and OS_REGION_NAME environment variables are required.

For more information, you can read about the different methods of authentication with OpenStack in the Keystone’s documentation and the gophercloud documentation:

Public cloud providers with support for Designate:

More information

May 5, 2026

Digital Ocean

Configuration for Digital Ocean.

  • Code: digitalocean
  • Since: v0.3.0

Here is an example bash command using the Digital Ocean provider:

DO_AUTH_TOKEN=xxxxxx \
lego run --dns digitalocean -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DO_AUTH_TOKEN Authentication token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DO_API_URL The URL of the API
DO_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
DO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 30)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Dinahosting

Configuration for Dinahosting.

  • Code: dinahosting
  • Since: v5.0.0

Here is an example bash command using the Dinahosting provider:

DINAHOSTING_USERNAME="xxx" \
DINAHOSTING_PASSWORD="yyy" \
lego run --dns dinahosting -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DINAHOSTING_PASSWORD Password
DINAHOSTING_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DINAHOSTING_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DINAHOSTING_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DINAHOSTING_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DINAHOSTING_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DirectAdmin

Configuration for DirectAdmin.

  • Code: directadmin
  • Since: v4.18.0

Here is an example bash command using the DirectAdmin provider:

DIRECTADMIN_API_URL="http://example.com:2222" \
DIRECTADMIN_USERNAME=xxxx \
DIRECTADMIN_PASSWORD=yyy \
lego run --dns directadmin -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DIRECTADMIN_API_URL URL of the API
DIRECTADMIN_PASSWORD API password
DIRECTADMIN_USERNAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DIRECTADMIN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DIRECTADMIN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
DIRECTADMIN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DIRECTADMIN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 30)
DIRECTADMIN_ZONE_NAME Zone name used to add the TXT record

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DNS Made Easy

Configuration for DNS Made Easy.

  • Code: dnsmadeeasy
  • Since: v0.4.0

Here is an example bash command using the DNS Made Easy provider:

DNSMADEEASY_API_KEY=xxxxxx \
DNSMADEEASY_API_SECRET=yyyyy \
lego run --dns dnsmadeeasy -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSMADEEASY_API_KEY The API key
DNSMADEEASY_API_SECRET The API Secret key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSMADEEASY_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
DNSMADEEASY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNSMADEEASY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNSMADEEASY_SANDBOX Activate the sandbox (boolean)
DNSMADEEASY_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DNS Update (RFC2136)

Configuration for DNS Update (RFC2136).

  • Code: dnsupdate
  • Since: v0.3.0

Here is an example bash command using the DNS Update (RFC2136) provider:

DNSUPDATE_NAMESERVER=127.0.0.1 \
DNSUPDATE_TSIG_KEY=example.com \
DNSUPDATE_TSIG_ALGORITHM=hmac-sha256. \
DNSUPDATE_TSIG_SECRET=YWJjZGVmZGdoaWprbG1ub3BxcnN0dXZ3eHl6MTIzNDU= \
lego run --dns dnsupdate -d '*.example.com' -d example.com

## ---

keyname=example.com; keyfile=example.com.key; tsig-keygen $keyname > $keyfile

DNSUPDATE_NAMESERVER=127.0.0.1 \
DNSUPDATE_TSIG_FILE="$keyfile" \
lego run --dns dnsupdate -d '*.example.com' -d example.com

## --- TSIG-GSS / RFC3645 / Kerberos

DNSUPDATE_NAMESERVER=127.0.0.1 \
DNSUPDATE_TSIG_ALGORITHM=gss-tsig. \
DNSUPDATE_TSIG_GSS_REALM=realm.example
DNSUPDATE_TSIG_GSS_USERNAME='xxx'
DNSUPDATE_TSIG_GSS_PASSWORD='yyy'
lego run --dns dnsupdate -d '*.example.com' -d example.com

## --- TSIG-GSS / RFC3645 / Kerberos (keytab)

DNSUPDATE_NAMESERVER="127.0.0.1" \
DNSUPDATE_TSIG_ALGORITHM=gss-tsig. \
DNSUPDATE_TSIG_GSS_REALM=realm.example \
DNSUPDATE_TSIG_GSS_USERNAME='xxx' \
DNSUPDATE_TSIG_GSS_KEYTAB_FILE="/path/to/my.keytab" \
lego run --dns dnsupdate -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSUPDATE_NAMESERVER Network address in the form “host” or “host:port”

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSUPDATE_DNS_TIMEOUT API request timeout in seconds (Default: 10)
DNSUPDATE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNSUPDATE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNSUPDATE_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
DNSUPDATE_TSIG_ALGORITHM TSIG algorithm. See miekg/dns#tsig.go for supported values. To disable TSIG authentication, leave the DNSUPDATE_TSIG_KEY or DNSUPDATE_TSIG_SECRET variables unset.
DNSUPDATE_TSIG_FILE Path to a key file generated by tsig-keygen
DNSUPDATE_TSIG_GSS_KEYTAB_FILE Path to Kerberos keytab file. The TSIG algorithm must be gss-tsig..
DNSUPDATE_TSIG_GSS_PASSWORD Kerberos password. The TSIG algorithm must be gss-tsig..
DNSUPDATE_TSIG_GSS_REALM Kerberos realm. The TSIG algorithm must be gss-tsig..
DNSUPDATE_TSIG_GSS_USERNAME Kerberos username. The TSIG algorithm must be gss-tsig..
DNSUPDATE_TSIG_KEY Name of the secret key as defined in DNS server configuration. To disable TSIG authentication, leave the DNSUPDATE_TSIG_KEY variable unset.
DNSUPDATE_TSIG_SECRET Secret key payload. To disable TSIG authentication, leave the DNSUPDATE_TSIG_SECRET variable unset.
DNSUPDATE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
DNSUPDATE_ZONES List of potential zones (separated by commas)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

TSIG-GSS / RFC3645 / Kerberos

To ease the usage of DNS Update in some environments, lego provides some aliases for RFC3645.

  • DNSUPDATE_RFC3645_REALM is an alias on DNSUPDATE_TSIG_GSS_REALM
  • DNSUPDATE_RFC3645_USERNAME is an alias on DNSUPDATE_TSIG_GSS_USERNAME
  • DNSUPDATE_RFC3645_PASSWORD is an alias on DNSUPDATE_TSIG_GSS_PASSWORD
  • DNSUPDATE_RFC3645_KEYTAB_FILE is an alias on DNSUPDATE_TSIG_GSS_KEYTAB_FILE

Examples

# Using password

DNSUPDATE_NAMESERVER=127.0.0.1 \
DNSUPDATE_TSIG_ALGORITHM=gss-tsig. \
DNSUPDATE_RFC3645_REALM=realm.example
DNSUPDATE_RFC3645_USERNAME='xxx'
DNSUPDATE_RFC3645_PASSWORD='yyy'
lego run --dns dnsupdate -d '*.example.com' -d example.com
# Using a keytab file.

DNSUPDATE_NAMESERVER="127.0.0.1" \
DNSUPDATE_TSIG_ALGORITHM=gss-tsig. \
DNSUPDATE_RFC3645_REALM=realm.example \
DNSUPDATE_RFC3645_USERNAME='xxx' \
DNSUPDATE_RFC3645_KEYTAB_FILE="/path/to/my.keytab" \
lego run --dns dnsupdate -d '*.example.com' -d example.com

More information

May 5, 2026

dns.la

Configuration for dns.la.

  • Code: dnsla
  • Since: v5.0.0

Here is an example bash command using the dns.la provider:

DNSLA_API_SECRET="xxx" \
DNSLA_API_SECRET="yyy" \
lego run --dns dnsla -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSLA_API_ID API ID
DNSLA_API_SECRET API secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSLA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DNSLA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNSLA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNSLA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DNS.services

Configuration for DNS.services.

  • Code: dnsservices
  • Since: v5.0.0

Here is an example bash command using the DNS.services provider:

DNSSERVICES_USERNAME="xxxxxxxxxxxxxxxxxxxxx" \
DNSSERVICES_PASSWORD="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns dnsservices -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSSERVICES_PASSWORD Password
DNSSERVICES_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSSERVICES_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DNSSERVICES_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNSSERVICES_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNSSERVICES_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DNScale

Configuration for DNScale.

  • Code: dnscale
  • Since: v5.0.0

Here is an example bash command using the DNScale provider:

DNSCALE_API_TOKEN="xxx" \
lego run --dns dnscale -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSCALE_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSCALE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DNSCALE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNSCALE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNSCALE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DNSExit

Configuration for DNSExit.

  • Code: dnsexit
  • Since: v4.32.0

Here is an example bash command using the DNSExit provider:

DNSEXIT_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns dnsexit -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSEXIT_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSEXIT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DNSEXIT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
DNSEXIT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
DNSEXIT_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

dnsHome.de

Configuration for dnsHome.de.

  • Code: dnshomede
  • Since: v4.10.0

Here is an example bash command using the dnsHome.de provider:

DNSHOMEDE_CREDENTIALS=example.org:password \
lego run --dns dnshomede -d '*.example.com' -d example.com

DNSHOMEDE_CREDENTIALS=my.example.org:password1,demo.example.org:password2 \
lego run --dns dnshomede -d my.example.org -d demo.example.org

Credentials

Environment Variable Name Description
DNSHOMEDE_CREDENTIALS Comma-separated list of domain:password credential pairs

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSHOMEDE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DNSHOMEDE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 1200)
DNSHOMEDE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 2)
DNSHOMEDE_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

May 5, 2026

DNSimple

Configuration for DNSimple.

  • Code: dnsimple
  • Since: v0.3.0

Here is an example bash command using the DNSimple provider:

DNSIMPLE_OAUTH_TOKEN=1234567890abcdefghijklmnopqrstuvwxyz \
lego run --dns dnsimple -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DNSIMPLE_OAUTH_TOKEN OAuth token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DNSIMPLE_BASE_URL API endpoint URL
DNSIMPLE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DNSIMPLE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DNSIMPLE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

DNSIMPLE_BASE_URL is optional and must be set to production (https://api.dnsimple.com). if DNSIMPLE_BASE_URL is not defined or empty, the production URL is used by default.

While you can manage DNS records in the DNSimple Sandbox environment, DNS records will not resolve, and you will not be able to satisfy the ACME DNS challenge.

To authenticate you need to provide a valid API token. HTTP Basic Authentication is intentionally not supported.

API tokens

You can generate a new API token from your account page. Only Account API tokens are supported, if you try to use a User API token you will receive an error message.

More information

May 5, 2026

Domain Offensive (do.de)

Configuration for Domain Offensive (do.de).

  • Code: dode
  • Since: v2.4.0

Here is an example bash command using the Domain Offensive (do.de) provider:

DODE_TOKEN=xxxxxx \
lego run --dns dode -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DODE_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DODE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DODE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DODE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DODE_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Domeneshop

Configuration for Domeneshop.

  • Code: domeneshop
  • Since: v4.3.0

Here is an example bash command using the Domeneshop provider:

DOMENESHOP_API_TOKEN=<token> \
DOMENESHOP_API_SECRET=<secret> \
lego run --dns domeneshop -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DOMENESHOP_API_SECRET API secret
DOMENESHOP_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DOMENESHOP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DOMENESHOP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
DOMENESHOP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

API credentials

Visit the following page for information on how to create API credentials with Domeneshop:

https://api.domeneshop.no/docs/#section/Authentication

More information

May 5, 2026

DreamHost

Configuration for DreamHost.

  • Code: dreamhost
  • Since: v1.1.0

Here is an example bash command using the DreamHost provider:

DREAMHOST_API_KEY="YOURAPIKEY" \
lego run --dns dreamhost -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DREAMHOST_API_KEY The API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DREAMHOST_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DREAMHOST_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 60)
DREAMHOST_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Duck DNS

Configuration for Duck DNS.

  • Code: duckdns
  • Since: v0.5.0

Here is an example bash command using the Duck DNS provider:

DUCKDNS_TOKEN=xxxxxx \
lego run --dns duckdns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DUCKDNS_TOKEN Account token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DUCKDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DUCKDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DUCKDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DUCKDNS_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Dyn

Configuration for Dyn.

  • Code: dyn
  • Since: v0.3.0

Here is an example bash command using the Dyn provider:

DYN_CUSTOMER_NAME=xxxxxx \
DYN_USER_NAME=yyyyy \
DYN_PASSWORD=zzzz \
lego run --dns dyn -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DYN_CUSTOMER_NAME Customer name
DYN_PASSWORD Password
DYN_USER_NAME User name

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DYN_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
DYN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DYN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
DYN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

DynDnsFree.de

Configuration for DynDnsFree.de.

  • Code: dyndnsfree
  • Since: v4.23.0

Here is an example bash command using the DynDnsFree.de provider:

DYNDNSFREE_USERNAME="xxx" \
DYNDNSFREE_PASSWORD="yyy" \
lego run --dns dyndnsfree -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DYNDNSFREE_PASSWORD Password
DYNDNSFREE_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DYNDNSFREE_HTTP_TIMEOUT Request timeout in seconds (Default: 30)
DYNDNSFREE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
DYNDNSFREE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Dynu

Configuration for Dynu.

  • Code: dynu
  • Since: v3.5.0

Here is an example bash command using the Dynu provider:

DYNU_API_KEY=1234567890abcdefghijklmnopqrstuvwxyz \
lego run --dns dynu -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
DYNU_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
DYNU_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
DYNU_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
DYNU_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 180)
DYNU_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

EasyDNS

Configuration for EasyDNS.

  • Code: easydns
  • Since: v2.6.0

Here is an example bash command using the EasyDNS provider:

EASYDNS_TOKEN=xxx \
EASYDNS_KEY=yyy \
lego run --dns easydns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EASYDNS_KEY API Key
EASYDNS_TOKEN API Token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EASYDNS_ENDPOINT The endpoint URL of the API Server
EASYDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
EASYDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
EASYDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
EASYDNS_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
EASYDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

To test with the sandbox environment set EASYDNS_ENDPOINT=https://sandbox.rest.easydns.net

More information

May 5, 2026

EdgeCenter

Configuration for EdgeCenter.

  • Code: edgecenter
  • Since: v4.29.0

Here is an example bash command using the EdgeCenter provider:

EDGECENTER_PERMANENT_API_TOKEN=xxxxx \
lego run --dns edgecenter -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EDGECENTER_PERMANENT_API_TOKEN Permanent API token (https://edgecenter.ru/blog/permanent-api-token-explained/)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EDGECENTER_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
EDGECENTER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
EDGECENTER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 360)
EDGECENTER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Efficient IP

Configuration for Efficient IP.

  • Code: efficientip
  • Since: v4.13.0

Here is an example bash command using the Efficient IP provider:

EFFICIENTIP_USERNAME="user" \
EFFICIENTIP_PASSWORD="secret" \
EFFICIENTIP_HOSTNAME="ipam.example.org" \
EFFICIENTIP_DNS_NAME="dns.smart" \
lego run --dns efficientip -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EFFICIENTIP_DNS_NAME DNS name (ex: dns.smart)
EFFICIENTIP_HOSTNAME Hostname (ex: foo.example.com)
EFFICIENTIP_PASSWORD Password
EFFICIENTIP_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EFFICIENTIP_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
EFFICIENTIP_INSECURE_SKIP_VERIFY Whether or not to verify EfficientIP API certificate
EFFICIENTIP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
EFFICIENTIP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
EFFICIENTIP_VIEW_NAME View name (ex: external)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

May 5, 2026

Epik

Configuration for Epik.

  • Code: epik
  • Since: v4.5.0

Here is an example bash command using the Epik provider:

EPIK_SIGNATURE=xxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns epik -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EPIK_SIGNATURE Epik API signature (https://registrar.epik.com/account/api-settings/)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EPIK_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
EPIK_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
EPIK_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
EPIK_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

EuroDNS

Configuration for EuroDNS.

  • Code: eurodns
  • Since: v4.33.0

Here is an example bash command using the EuroDNS provider:

EURODNS_APP_ID="xxx" \
EURODNS_API_KEY="yyy" \
lego run --dns eurodns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EURODNS_API_KEY API key
EURODNS_APP_ID Application ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EURODNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
EURODNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
EURODNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
EURODNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

EUserv

Configuration for EUserv.

  • Code: euserv
  • Since: v5.0.0

Here is an example bash command using the EUserv provider:

EUSERV_EMAIL="user@example.com" \
EUSERV_PASSWORD="xxx" \
EUSERV_ORDER_ID="yyy" \
lego run --email you@example.com --dns euserv -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EUSERV_EMAIL The customer email address. You can also use the customer id instead.
EUSERV_ORDER_ID The order ID of the API contract that you want to use for this login session.
EUSERV_PASSWORD The customer account password.

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EUSERV_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
EUSERV_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
EUSERV_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
EUSERV_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Excedo

Configuration for Excedo.

  • Code: excedo
  • Since: v4.33.0

Here is an example bash command using the Excedo provider:

EXCEDO_API_KEY=your-api-key \
EXCEDO_API_URL=your-base-url \
lego run --dns excedo -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EXCEDO_API_KEY API key
EXCEDO_API_URL API base URL

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EXCEDO_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
EXCEDO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
EXCEDO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
EXCEDO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Exoscale

Configuration for Exoscale.

  • Code: exoscale
  • Since: v0.4.0

Here is an example bash command using the Exoscale provider:

EXOSCALE_API_KEY=abcdefghijklmnopqrstuvwx \
EXOSCALE_API_SECRET=xxxxxxx \
lego run --dns exoscale -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EXOSCALE_API_KEY API key
EXOSCALE_API_SECRET API secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EXOSCALE_ENDPOINT API endpoint URL
EXOSCALE_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
EXOSCALE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
EXOSCALE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
EXOSCALE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

External program

Solving the DNS-01 challenge using an external program.

  • Code: exec
  • Since: v0.5.0

Here is an example bash command using the External program provider:

EXEC_PATH=/the/path/to/myscript.sh \
lego run --dns exec -d '*.example.com' -d example.com

Base Configuration

Environment Variable Name Description
EXEC_MODE RAW, none
EXEC_PATH The path of the the external program.

Additional Configuration

Environment Variable Name Description
EXEC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 3).
EXEC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60).
EXEC_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60).

Description

The file name of the external program is specified in the environment variable EXEC_PATH.

When it is run by lego, three command-line parameters are passed to it: The action (“present” or “cleanup”), the fully-qualified domain name and the value for the record.

For example, requesting a certificate for the domain ‘my.example.org’ can be achieved by calling lego as follows:

EXEC_PATH=./update-dns.sh \
lego --dns exec --d my.example.org run

It will then call the program ‘./update-dns.sh’ with like this:

./update-dns.sh "present" "_acme-challenge.my.example.org." "MsijOYZxqyjGnFGwhjrhfg-Xgbl5r68WPda0J9EgqqI"

The program then needs to make sure the record is inserted. When it returns an error via a non-zero exit code, lego aborts.

When the record is to be removed again, the program is called with the first command-line parameter set to cleanup instead of present.

If you want to use the raw domain, token, and keyAuth values with your program, you can set EXEC_MODE=RAW:

EXEC_MODE=RAW \
EXEC_PATH=./update-dns.sh \
lego --dns exec -d my.example.org run

It will then call the program ./update-dns.sh like this:

./update-dns.sh "present" "--" "my.example.org." "some-token" "KxAy-J3NwUmg9ZQuM-gP_Mq1nStaYSaP9tYQs5_-YsE.ksT-qywTd8058G-SHHWA3RAN72Pr0yWtPYmmY5UBpQ8"

Commands

Note

The -- is because the token MAY start with a -, and the called program may try and interpret a - as indicating a flag. In the case of urfave, which is commonly used, you can use the -- delimiter to specify the start of positional arguments, and handle such a string safely.

Present

Mode Command
default myprogram present <FQDN> <record>
RAW myprogram present -- <domain> <token> <key_auth>

Cleanup

Mode Command
default myprogram cleanup <FQDN> <record>
RAW myprogram cleanup -- <domain> <token> <key_auth>
May 5, 2026

F5 XC

Configuration for F5 XC.

  • Code: f5xc
  • Since: v4.23.0

Here is an example bash command using the F5 XC provider:

F5XC_API_TOKEN="xxx" \
F5XC_TENANT_NAME="yyy" \
F5XC_GROUP_NAME="zzz" \
lego run --dns f5xc -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
F5XC_API_TOKEN API token
F5XC_GROUP_NAME Group name
F5XC_TENANT_NAME XC Tenant shortname

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
F5XC_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
F5XC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
F5XC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
F5XC_SERVER Server domain (Default: console.ves.volterra.io)
F5XC_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Fornex

Configuration for Fornex.

  • Code: fornex
  • Since: v5.0.0

Here is an example bash command using the Fornex provider:

FORNEX_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns fornex -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
FORNEX_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
FORNEX_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
FORNEX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
FORNEX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
FORNEX_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

freemyip.com

Configuration for freemyip.com.

  • Code: freemyip
  • Since: v4.5.0

Here is an example bash command using the freemyip.com provider:

FREEMYIP_TOKEN=xxxxxx \
lego run --dns freemyip -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
FREEMYIP_TOKEN Account token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
FREEMYIP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
FREEMYIP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
FREEMYIP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
FREEMYIP_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
FREEMYIP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

FusionLayer NameSurfer

Configuration for FusionLayer NameSurfer.

  • Code: namesurfer
  • Since: v4.32.0

Here is an example bash command using the FusionLayer NameSurfer provider:

NAMESURFER_BASE_URL=https://foo.example.com:8443/API/NSService_10 \
NAMESURFER_API_KEY=xxx \
NAMESURFER_API_SECRET=yyy \
lego run --dns namesurfer -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NAMESURFER_API_KEY API key name
NAMESURFER_API_SECRET API secret
NAMESURFER_BASE_URL The base URL of NameSurfer API (jsonrpc10) endpoint URL (e.g., https://foo.example.com:8443/API/NSService_10)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NAMESURFER_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NAMESURFER_INSECURE_SKIP_VERIFY Whether to verify the API certificate
NAMESURFER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NAMESURFER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
NAMESURFER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)
NAMESURFER_VIEW DNS view name (optional, default: empty string)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

G-Core

Configuration for G-Core.

  • Code: gcore
  • Since: v4.5.0

Here is an example bash command using the G-Core provider:

GCORE_PERMANENT_API_TOKEN=xxxxx \
lego run --dns gcore -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GCORE_PERMANENT_API_TOKEN Permanent API token (https://gcore.com/blog/permanent-api-token-explained/)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GCORE_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
GCORE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
GCORE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 360)
GCORE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Gandi

Configuration for Gandi.

  • Code: gandi
  • Since: v0.3.0

Here is an example bash command using the Gandi provider:

GANDI_API_KEY=abcdefghijklmnopqrstuvwx \
lego run --dns gandi -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GANDI_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GANDI_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
GANDI_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 60)
GANDI_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 2400)
GANDI_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Gandi Live DNS (v5)

Configuration for Gandi Live DNS (v5).

  • Code: gandiv5
  • Since: v0.5.0

Here is an example bash command using the Gandi Live DNS (v5) provider:

GANDIV5_PERSONAL_ACCESS_TOKEN=abcdefghijklmnopqrstuvwx \
lego run --dns gandiv5 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GANDIV5_API_KEY API key (Deprecated)
GANDIV5_PERSONAL_ACCESS_TOKEN Personal Access Token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GANDIV5_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
GANDIV5_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
GANDIV5_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 1200)
GANDIV5_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Gehirn

Configuration for Gehirn.

  • Code: gehirn
  • Since: v5.0.0

Here is an example bash command using the Gehirn provider:

GEHIRN_TOKEN_ID="xxx" \
GEHIRN_TOKEN_SECRET="xxx" \
lego run --dns gehirn -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GEHIRN_TOKEN_ID Token ID
GEHIRN_TOKEN_SECRET Token secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GEHIRN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
GEHIRN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
GEHIRN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
GEHIRN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Gigahost.no

Configuration for Gigahost.no.

  • Code: gigahostno
  • Since: v4.29.0

Here is an example bash command using the Gigahost.no provider:

GIGAHOSTNO_USERNAME="xxxxxxxxxxxxxxxxxxxxx" \
GIGAHOSTNO_PASSWORD="yyyyyyyyyyyyyyyyyyyyy" \
lego run --dns gigahostno -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GIGAHOSTNO_PASSWORD Password
GIGAHOSTNO_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GIGAHOSTNO_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
GIGAHOSTNO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
GIGAHOSTNO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
GIGAHOSTNO_SECRET TOTP secret
GIGAHOSTNO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Glesys

Configuration for Glesys.

  • Code: glesys
  • Since: v0.5.0

Here is an example bash command using the Glesys provider:

GLESYS_API_USER=xxxxx \
GLESYS_API_KEY=yyyyy \
lego run --dns glesys -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GLESYS_API_KEY API key
GLESYS_API_USER API user

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GLESYS_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
GLESYS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
GLESYS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 1200)
GLESYS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Gname

Configuration for Gname.

  • Code: gname
  • Since: v5.0.0

Here is an example bash command using the Gname provider:

GNAME_APP_ID="xxx" \
GNAME_APP_KEY="yyy" \
lego run --dns gname -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GNAME_APP_ID App ID
GNAME_APP_KEY App key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GNAME_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
GNAME_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
GNAME_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
GNAME_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Go Daddy

Configuration for Go Daddy.

  • Code: godaddy
  • Since: v0.5.0

Here is an example bash command using the Go Daddy provider:

GODADDY_API_KEY=xxxxxxxx \
GODADDY_API_SECRET=yyyyyyyy \
lego run --dns godaddy -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GODADDY_API_KEY API key
GODADDY_API_SECRET API secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GODADDY_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
GODADDY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
GODADDY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
GODADDY_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

GoDaddy has recently (2024-04) updated the account requirements to access parts of their production Domains API:

  • Availability API: Limited to accounts with 50 or more domains.
  • Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.

https://community.letsencrypt.org/t/getting-unauthorized-url-error-while-trying-to-get-cert-for-subdomains/217329/12

More information

May 5, 2026

Google Cloud

Configuration for Google Cloud.

  • Code: gcloud
  • Since: v0.3.0

Here is an example bash command using the Google Cloud provider:

# Using a service account file
GCE_PROJECT="gc-project-id" \
GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.json" \
lego run --dns gcloud -d '*.example.com' -d example.com

# Using default credentials with impersonation
GCE_PROJECT="gc-project-id" \
GCE_IMPERSONATE_SERVICE_ACCOUNT="target-sa@gc-project-id.iam.gserviceaccount.com" \
lego run --dns gcloud -d '*.example.com' -d example.com

# Using service account key with impersonation
GCE_PROJECT="gc-project-id" \
GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.json" \
GCE_IMPERSONATE_SERVICE_ACCOUNT="target-sa@gc-project-id.iam.gserviceaccount.com" \
lego run --dns gcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
Application Default Credentials Documentation
GCE_PROJECT Project name (by default, the project name is auto-detected by using the metadata service)
GCE_SERVICE_ACCOUNT Account
GCE_SERVICE_ACCOUNT_FILE Account file path

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GCE_ALLOW_PRIVATE_ZONE Allows requested domain to be in private DNS zone, works only with a private ACME server (by default: false)
GCE_IMPERSONATE_SERVICE_ACCOUNT Service account email to impersonate
GCE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
GCE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 180)
GCE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
GCE_ZONE_ID Allows to skip the automatic detection of the zone

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Supports service account impersonation to access Google Cloud DNS resources across different projects or with restricted permissions.

When using impersonation, the source service account must have:

  1. The “Service Account Token Creator” role on the source service account
  2. The “https://www.googleapis.com/auth/cloud-platform" scope

More information

May 5, 2026

Gravity

Configuration for Gravity.

  • Code: gravity
  • Since: v4.30.0

Here is an example bash command using the Gravity provider:

GRAVITY_SERVER_URL="https://example.org:1234" \
GRAVITY_USERNAME="xxxxxxxxxxxxxxxxxxxxx" \
GRAVITY_PASSWORD="yyyyyyyyyyyyyyyyyyyyy" \
lego run --dns gravity -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
GRAVITY_PASSWORD Password
GRAVITY_SERVER_URL URL of the server
GRAVITY_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
GRAVITY_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
GRAVITY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
GRAVITY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
GRAVITY_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 1)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Hetzner

Configuration for Hetzner.

  • Code: hetzner
  • Since: v3.7.0

Here is an example bash command using the Hetzner provider:

HETZNER_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns hetzner -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HETZNER_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HETZNER_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HETZNER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HETZNER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
HETZNER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Hosting.de

Configuration for Hosting.de.

  • Code: hostingde
  • Since: v1.1.0

Here is an example bash command using the Hosting.de provider:

HOSTINGDE_API_KEY=xxxxxxxx \
lego run --dns hostingde -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HOSTINGDE_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HOSTINGDE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HOSTINGDE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HOSTINGDE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
HOSTINGDE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
HOSTINGDE_ZONE_NAME Zone name in ACE format

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Hosting.nl

Configuration for Hosting.nl.

  • Code: hostingnl
  • Since: v4.30.0

Here is an example bash command using the Hosting.nl provider:

HOSTINGNL_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns hostingnl -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HOSTINGNL_API_KEY The API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HOSTINGNL_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
HOSTINGNL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HOSTINGNL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
HOSTINGNL_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Hostinger

Configuration for Hostinger.

  • Code: hostinger
  • Since: v4.27.0

Here is an example bash command using the Hostinger provider:

HOSTINGER_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns hostinger -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HOSTINGER_API_TOKEN API Token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HOSTINGER_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HOSTINGER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HOSTINGER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
HOSTINGER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Hosttech

Configuration for Hosttech.

  • Code: hosttech
  • Since: v4.5.0

Here is an example bash command using the Hosttech provider:

HOSTTECH_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns hosttech -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HOSTTECH_API_KEY API login
HOSTTECH_PASSWORD API password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HOSTTECH_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HOSTTECH_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HOSTTECH_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
HOSTTECH_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

HostUp

Configuration for HostUp.

  • Code: hostup
  • Since: v5.0.0

Here is an example bash command using the HostUp provider:

HOSTUP_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns hostup -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HOSTUP_API_KEY API token (required scopes: read:dns, write:dns, read:domains)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HOSTUP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HOSTUP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HOSTUP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
HOSTUP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 7, 2026

HTTP request

Configuration for HTTP request.

  • Code: httpreq
  • Since: v2.0.0

Here is an example bash command using the HTTP request provider:

HTTPREQ_ENDPOINT=http://my.server.com:9090 \
lego run --dns httpreq -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HTTPREQ_ENDPOINT The URL of the server
HTTPREQ_MODE RAW, none

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HTTPREQ_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HTTPREQ_PASSWORD Basic authentication password
HTTPREQ_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HTTPREQ_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
HTTPREQ_USERNAME Basic authentication username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

The server must provide:

  • POST /present
  • POST /cleanup

The URL of the server must be defined by HTTPREQ_ENDPOINT.

Mode

There are 2 modes (HTTPREQ_MODE):

  • default mode:
{
  "fqdn": "_acme-challenge.domain.",
  "value": "LHDhK3oGRvkiefQnx7OOczTY5Tic_xZ6HcMOc_gmtoM"
}
  • RAW
{
  "domain": "domain",
  "token": "token",
  "keyAuth": "key"
}

Authentication

Basic authentication (optional) can be set with some environment variables:

  • HTTPREQ_USERNAME and HTTPREQ_PASSWORD
  • both values must be set, otherwise basic authentication is not defined.
May 5, 2026

http.net

Configuration for http.net.

  • Code: httpnet
  • Since: v4.15.0

Here is an example bash command using the http.net provider:

HTTPNET_API_KEY=xxxxxxxx \
lego run --dns httpnet -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HTTPNET_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HTTPNET_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HTTPNET_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HTTPNET_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
HTTPNET_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
HTTPNET_ZONE_NAME Zone name in ACE format

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Huawei Cloud

Configuration for Huawei Cloud.

  • Code: huaweicloud
  • Since: v4.19

Here is an example bash command using the Huawei Cloud provider:

HUAWEICLOUD_ACCESS_KEY_ID=your-access-key-id \
HUAWEICLOUD_SECRET_ACCESS_KEY=your-secret-access-key \
HUAWEICLOUD_REGION=cn-south-1 \
lego run --dns huaweicloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
HUAWEICLOUD_ACCESS_KEY_ID Access key ID
HUAWEICLOUD_REGION Region
HUAWEICLOUD_SECRET_ACCESS_KEY Access Key secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HUAWEICLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HUAWEICLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HUAWEICLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
HUAWEICLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Hurricane Electric DNS

Configuration for Hurricane Electric DNS.

  • Code: hurricane
  • Since: v4.3.0

Here is an example bash command using the Hurricane Electric DNS provider:

HURRICANE_TOKENS=example.org:token \
lego run --dns hurricane -d '*.example.com' -d example.com

HURRICANE_TOKENS=my.example.org:token1,demo.example.org:token2 \
lego run --dns hurricane -d my.example.org -d demo.example.org

Credentials

Environment Variable Name Description
HURRICANE_TOKENS TXT record names and tokens

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
HURRICANE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HURRICANE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
HURRICANE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation (Default: 300)
HURRICANE_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Before using lego to request a certificate for a given domain or wildcard (such as my.example.org or *.my.example.org), create a TXT record named _acme-challenge.my.example.org, and enable dynamic updates on it. Generate a token for each URL with Hurricane Electric’s UI, and copy it down. Stick to alphanumeric tokens for greatest reliability.

To authenticate with the Hurricane Electric API, add each record name/token pair you want to update to the HURRICANE_TOKENS environment variable, as shown in the examples. Record names (without the _acme-challenge. component) and their tokens are separated with colons, while the credential pairs are concatenated into a comma-separated list, like so:

HURRICANE_TOKENS=my.example.org:token1,demo.example.org:token2

If you are issuing both a wildcard certificate and a standard certificate for a given subdomain, you should not have repeat entries for that name, as both will use the same credential.

HURRICANE_TOKENS=example.org:token

More information

May 5, 2026

HyperOne

Configuration for HyperOne.

  • Code: hyperone
  • Since: v3.9.0

Here is an example bash command using the HyperOne provider:

lego run --dns hyperone -d '*.example.com' -d example.com

Additional Configuration

Environment Variable Name Description
HYPERONE_API_URL Allows to pass custom API Endpoint to be used in the challenge (default https://api.hyperone.com/v2)
HYPERONE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
HYPERONE_LOCATION_ID Specifies location (region) to be used in API calls. (default pl-waw-1)
HYPERONE_PASSPORT_LOCATION Allows to pass custom passport file location (default ~/.h1/passport.json)
HYPERONE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 60)
HYPERONE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 2)
HYPERONE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

Default configuration does not require any additional environment variables, just a passport file in ~/.h1/passport.json location.

Generating passport file using H1 CLI

To use this application you have to generate passport file for sa:

h1 iam project sa credential generate --name my-passport --project <project ID> --sa <sa ID> --passport-output-file ~/.h1/passport.json

Required permissions

The application requires following permissions:

  • dns/zone/list
  • dns/zone.recordset/list
  • dns/zone.recordset/create
  • dns/zone.recordset/delete
  • dns/zone.record/create
  • dns/zone.record/list
  • dns/zone.record/delete

All required permissions are available via platform role tool.lego.

More information

May 5, 2026

IBM Cloud (SoftLayer)

Configuration for IBM Cloud (SoftLayer).

  • Code: ibmcloud
  • Since: v4.5.0

Here is an example bash command using the IBM Cloud (SoftLayer) provider:

SOFTLAYER_USERNAME=xxxxx \
SOFTLAYER_API_KEY=yyyyy \
lego run --dns ibmcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SOFTLAYER_API_KEY Classic Infrastructure API key
SOFTLAYER_USERNAME Username (IBM Cloud is {accountID}_{emailAddress})

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SOFTLAYER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SOFTLAYER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SOFTLAYER_TIMEOUT API request timeout in seconds (Default: 30)
SOFTLAYER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

IIJ DNS Platform Service

Configuration for IIJ DNS Platform Service.

  • Code: iijdpf
  • Since: v4.7.0

Here is an example bash command using the IIJ DNS Platform Service provider:

IIJ_DPF_API_TOKEN=xxxxxxxx \
IIJ_DPF_DPM_SERVICE_CODE=yyyyyy \
lego run --dns iijdpf -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
IIJ_DPF_API_TOKEN API token
IIJ_DPF_DPM_SERVICE_CODE IIJ Managed DNS Service’s service code

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
IIJ_DPF_API_ENDPOINT API endpoint URL, defaults to https://api.dns-platform.jp/dpf/v1
IIJ_DPF_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
IIJ_DPF_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 660)
IIJ_DPF_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Infoblox

Configuration for Infoblox.

  • Code: infoblox
  • Since: v4.4.0

Here is an example bash command using the Infoblox provider:

INFOBLOX_USERNAME=api-user-529 \
INFOBLOX_PASSWORD=b9841238feb177a84330febba8a83208921177bffe733 \
INFOBLOX_HOST=infoblox.example.org
lego run --dns infoblox -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
INFOBLOX_HOST Host URI
INFOBLOX_PASSWORD Account Password
INFOBLOX_USERNAME Account Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
INFOBLOX_CA_CERTIFICATE The path to the CA certificate (PEM encoded)
INFOBLOX_DNS_VIEW The view for the TXT records (Default: External)
INFOBLOX_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
INFOBLOX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
INFOBLOX_PORT The port for the infoblox grid manager (Default: 443)
INFOBLOX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
INFOBLOX_SSL_VERIFY Whether or not to verify the TLS certificate (Default: true)
INFOBLOX_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
INFOBLOX_WAPI_VERSION The version of WAPI being used (Default: 2.11)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

When creating an API’s user ensure it has the proper permissions for the view you are working with.

More information

May 5, 2026

Infomaniak

Configuration for Infomaniak.

  • Code: infomaniak
  • Since: v4.1.0

Here is an example bash command using the Infomaniak provider:

INFOMANIAK_ACCESS_TOKEN=1234567898765432 \
lego run --dns infomaniak -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
INFOMANIAK_ACCESS_TOKEN Access token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
INFOMANIAK_ENDPOINT https://api.infomaniak.com
INFOMANIAK_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
INFOMANIAK_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
INFOMANIAK_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
INFOMANIAK_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Access token

Access token can be created at the url https://manager.infomaniak.com/v3/infomaniak-api. You will need domain scope.

More information

May 5, 2026

Internet.bs

Configuration for Internet.bs.

  • Code: internetbs
  • Since: v4.5.0

Here is an example bash command using the Internet.bs provider:

INTERNET_BS_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxx \
INTERNET_BS_PASSWORD=yyyyyyyyyyyyyyyyyyyyyyyyyy \
lego run --dns internetbs -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
INTERNET_BS_API_KEY API key
INTERNET_BS_PASSWORD API password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
INTERNET_BS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
INTERNET_BS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
INTERNET_BS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
INTERNET_BS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

INWX

Configuration for INWX.

  • Code: inwx
  • Since: v2.0.0

Here is an example bash command using the INWX provider:

INWX_USERNAME=xxxxxxxxxx \
INWX_PASSWORD=yyyyyyyyyy \
lego run --dns inwx -d '*.example.com' -d example.com

# 2FA
INWX_USERNAME=xxxxxxxxxx \
INWX_PASSWORD=yyyyyyyyyy \
INWX_SHARED_SECRET=zzzzzzzzzz \
lego run --dns inwx -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
INWX_PASSWORD Password
INWX_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
INWX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
INWX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 360)
INWX_SANDBOX Activate the sandbox (boolean)
INWX_SHARED_SECRET shared secret related to 2FA
INWX_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Ionos

Configuration for Ionos.

  • Code: ionos
  • Since: v4.2.0

Here is an example bash command using the Ionos provider:

IONOS_API_KEY=xxxxxxxx \
lego run --dns ionos -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
IONOS_API_KEY API key <prefix>.<secret> https://developer.hosting.ionos.com/docs/getstarted

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
IONOS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
IONOS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
IONOS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 900)
IONOS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Ionos Cloud

Configuration for Ionos Cloud.

  • Code: ionoscloud
  • Since: v4.30.0

Here is an example bash command using the Ionos Cloud provider:

IONOSCLOUD_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns ionoscloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
IONOSCLOUD_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
IONOSCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
IONOSCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
IONOSCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
IONOSCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

IPv64

Configuration for IPv64.

  • Code: ipv64
  • Since: v4.13.0

Here is an example bash command using the IPv64 provider:

IPV64_API_KEY=xxxxxx \
lego run --dns ipv64 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
IPV64_API_KEY Account API Key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
IPV64_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
IPV64_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
IPV64_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ISPConfig 3

Configuration for ISPConfig 3.

  • Code: ispconfig
  • Since: v4.31.0

Here is an example bash command using the ISPConfig 3 provider:

ISPCONFIG_SERVER_URL="https://example.com:8080/remote/json.php" \
ISPCONFIG_USERNAME="xxx" \
ISPCONFIG_PASSWORD="yyy" \
lego run --dns ispconfig -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ISPCONFIG_PASSWORD Password
ISPCONFIG_SERVER_URL Server URL
ISPCONFIG_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ISPCONFIG_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ISPCONFIG_INSECURE_SKIP_VERIFY Whether to verify the API certificate
ISPCONFIG_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ISPCONFIG_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ISPCONFIG_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ISPConfig 3 - Dynamic DNS (DDNS) Module

Configuration for ISPConfig 3 - Dynamic DNS (DDNS) Module.

  • Code: ispconfigddns
  • Since: v4.31.0

Here is an example bash command using the ISPConfig 3 - Dynamic DNS (DDNS) Module provider:

ISPCONFIG_DDNS_SERVER_URL="https://panel.example.com:8080" \
ISPCONFIG_DDNS_TOKEN=xxxxxx \
lego run --dns ispconfigddns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ISPCONFIG_DDNS_SERVER_URL API server URL (ex: https://panel.example.com:8080)
ISPCONFIG_DDNS_TOKEN DDNS API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ISPCONFIG_DDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ISPCONFIG_DDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ISPCONFIG_DDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ISPCONFIG_DDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

ISPConfig DNS provider supports leveraging the ISPConfig 3 Dynamic DNS (DDNS) Module.

Requires the DDNS module described at https://www.ispconfig.org/ispconfig/download/

See https://www.howtoforge.com/community/threads/ispconfig-3-danymic-dns-ddns-module.87967/ for additional details.

More information

May 5, 2026

JD Cloud

Configuration for JD Cloud.

  • Code: jdcloud
  • Since: v4.31.0

Here is an example bash command using the JD Cloud provider:

JDCLOUD_ACCESS_KEY_ID="xxx" \
JDCLOUD_ACCESS_KEY_SECRET="yyy" \
lego run --dns jdcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
JDCLOUD_ACCESS_KEY_ID Access key ID
JDCLOUD_ACCESS_KEY_SECRET Access key secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
JDCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
JDCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
JDCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
JDCLOUD_REGION_ID Region ID (Default: cn-north-1)
JDCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Joker

Configuration for Joker.

  • Code: joker
  • Since: v2.6.0

Here is an example bash command using the Joker provider:

# SVC
JOKER_API_MODE=SVC \
JOKER_USERNAME=<your email> \
JOKER_PASSWORD=<your password> \
lego run --dns joker -d '*.example.com' -d example.com

# DMAPI
JOKER_API_MODE=DMAPI \
JOKER_USERNAME=<your email> \
JOKER_PASSWORD=<your password> \
lego run --dns joker -d '*.example.com' -d example.com
## or
JOKER_API_MODE=DMAPI \
JOKER_API_KEY=<your API key> \
lego run --dns joker -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
JOKER_API_KEY API key (only with DMAPI mode)
JOKER_API_MODE ‘DMAPI’ or ‘SVC’. DMAPI is for resellers accounts. (Default: DMAPI)
JOKER_PASSWORD Joker.com password
JOKER_USERNAME Joker.com username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
JOKER_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
JOKER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
JOKER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
JOKER_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60), only with ‘SVC’ mode
JOKER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

SVC mode

In the SVC mode, username and password are not your email and account passwords, but those displayed in Joker.com domain dashboard when enabling Dynamic DNS.

As per Joker.com documentation:

  1. please log in at Joker.com, visit ‘My Domains’, find the domain you want to add Let’s Encrypt certificate for, and chose “DNS” in the menu

  2. on the top right, you will find the setting for ‘Dynamic DNS’. If not already active, please activate it. It will not affect any other already existing DNS records of this domain.

  3. please take a note of the credentials which are now shown as ‘Dynamic DNS Authentication’, consisting of a ‘username’ and a ‘password’.

  4. this is all you have to do here - and only once per domain.

More information

May 5, 2026

Joohoi's ACME-DNS

Configuration for Joohoi’s ACME-DNS.

  • Code: acmedns
  • Since: v1.1.0

Here is an example bash command using the Joohoi’s ACME-DNS provider:

ACME_DNS_API_BASE=http://10.0.0.8:4443 \
ACME_DNS_STORAGE_PATH=/root/.lego-acme-dns-accounts.json \
lego run  --dns "acme-dns" -d '*.example.com' -d example.com

# or

ACME_DNS_API_BASE=http://10.0.0.8:4443 \
ACME_DNS_STORAGE_BASE_URL=http://10.10.10.10:80 \
lego run --dns "acme-dns" -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ACME_DNS_API_BASE The ACME-DNS API address
ACME_DNS_STORAGE_BASE_URL The ACME-DNS JSON account data server.
ACME_DNS_STORAGE_PATH The ACME-DNS JSON account data file. A per-domain account will be registered/persisted to this file and used for TXT updates.

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ACME_DNS_ALLOWLIST Source networks using CIDR notation (multiple values should be separated with a comma).

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Katapult

Configuration for Katapult.

  • Code: katapult
  • Since: v5.0.0

Here is an example bash command using the Katapult provider:

KATAPULT_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns katapult -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
KATAPULT_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
KATAPULT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
KATAPULT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
KATAPULT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
KATAPULT_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

KeyHelp

Configuration for KeyHelp.

  • Code: keyhelp
  • Since: v4.26.0

Here is an example bash command using the KeyHelp provider:

KEYHELP_BASE_URL="https://keyhelp.example.com" \
KEYHELP_API_KEY="xxx" \
lego run --dns keyhelp -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
KEYHELP_API_KEY API key
KEYHELP_BASE_URL Server URL

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
KEYHELP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
KEYHELP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
KEYHELP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
KEYHELP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Leaseweb

Configuration for Leaseweb.

  • Code: leaseweb
  • Since: v4.32.0

Here is an example bash command using the Leaseweb provider:

LEASEWEB_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns leaseweb -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LEASEWEB_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LEASEWEB_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
LEASEWEB_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
LEASEWEB_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
LEASEWEB_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Liara

Configuration for Liara.

  • Code: liara
  • Since: v4.10.0

Here is an example bash command using the Liara provider:

LIARA_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns liara -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LIARA_API_KEY The API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LIARA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
LIARA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
LIARA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
LIARA_TEAM_ID The team ID to access services in a team
LIARA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Lima-City

Configuration for Lima-City.

  • Code: limacity
  • Since: v4.18.0

Here is an example bash command using the Lima-City provider:

LIMACITY_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns limacity -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LIMACITY_API_KEY The API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LIMACITY_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
LIMACITY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 80)
LIMACITY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 480)
LIMACITY_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 90)
LIMACITY_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Linode (v4)

Configuration for Linode (v4).

  • Code: linode
  • Since: v1.1.0

Here is an example bash command using the Linode (v4) provider:

LINODE_TOKEN=xxxxx \
lego run --dns linode -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LINODE_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LINODE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
LINODE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 15)
LINODE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
LINODE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Liquid Web

Configuration for Liquid Web.

  • Code: liquidweb
  • Since: v3.1.0

Here is an example bash command using the Liquid Web provider:

LWAPI_USERNAME=someuser \
LWAPI_PASSWORD=somepass \
lego run --dns liquidweb -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LWAPI_PASSWORD Liquid Web API Password
LWAPI_USERNAME Liquid Web API Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LWAPI_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
LWAPI_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
LWAPI_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
LWAPI_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)
LWAPI_URL Liquid Web API endpoint
LWAPI_ZONE DNS Zone

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Loopia

Configuration for Loopia.

  • Code: loopia
  • Since: v4.2.0

Here is an example bash command using the Loopia provider:

LOOPIA_API_USER=xxxxxxxx \
LOOPIA_API_PASSWORD=yyyyyyyy \
lego run --dns loopia -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LOOPIA_API_PASSWORD API password
LOOPIA_API_USER API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LOOPIA_API_URL API endpoint. Ex: https://api.loopia.se/RPCSERV or https://api.loopia.rs/RPCSERV
LOOPIA_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
LOOPIA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2400)
LOOPIA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
LOOPIA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

API user

You can generate a new API user from your account page.

It needs to have the following permissions:

  • addZoneRecord
  • getZoneRecords
  • removeZoneRecord
  • removeSubdomain

More information

May 5, 2026

LuaDNS

Configuration for LuaDNS.

  • Code: luadns
  • Since: v3.7.0

Here is an example bash command using the LuaDNS provider:

LUADNS_API_USERNAME=youremail \
LUADNS_API_TOKEN=xxxxxxxx \
lego run --dns luadns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
LUADNS_API_TOKEN API token
LUADNS_API_USERNAME Username (your email)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
LUADNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
LUADNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
LUADNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
LUADNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Mail-in-a-Box

Configuration for Mail-in-a-Box.

  • Code: mailinabox
  • Since: v4.16.0

Here is an example bash command using the Mail-in-a-Box provider:

MAILINABOX_EMAIL=user@example.com \
MAILINABOX_PASSWORD=yyyy \
MAILINABOX_BASE_URL=https://box.example.com \
lego run --dns mailinabox -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MAILINABOX_BASE_URL Base API URL (ex: https://box.example.com)
MAILINABOX_EMAIL User email
MAILINABOX_PASSWORD User password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MAILINABOX_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
MAILINABOX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 4)
MAILINABOX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ManageEngine CloudDNS

Configuration for ManageEngine CloudDNS.

  • Code: manageengine
  • Since: v4.21.0

Here is an example bash command using the ManageEngine CloudDNS provider:

MANAGEENGINE_CLIENT_ID="xxx" \
MANAGEENGINE_CLIENT_SECRET="yyy" \
lego run --dns manageengine -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MANAGEENGINE_CLIENT_ID Client ID
MANAGEENGINE_CLIENT_SECRET Client Secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MANAGEENGINE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
MANAGEENGINE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
MANAGEENGINE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Manual

Solving the DNS-01 challenge using CLI prompt.

  • Code: manual
  • Since: v0.3.0

Here is an example bash command using the Manual provider:

lego run --dns manual -d '*.example.com' -d example.com

Additional Configuration

Environment Variable Name Description
MANUAL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
MANUAL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Example

To start using the CLI prompt “provider”, start lego with --dns manual:

$ lego run --dns manual -d example.com

What follows are a few log print-outs, interspersed with some prompts, asking for you to do perform some actions:

No key found for account you@example.com. Generating a P256 key.
Saved key to ./.lego/accounts/acme-v02.api.letsencrypt.org/you@example.com/keys/you@example.com.key
Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
Do you accept the TOS? Y/n

If you accept the linked Terms of Service, hit Enter.

[INFO] acme: Registering account for you@example.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your
configuration directory at "./.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain private keys
generated by lego and certificates obtained from the ACME
server. Making regular backups of this folder is ideal.
[INFO] [example.com] acme: Obtaining bundled SAN certificate
[INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2345678901
[INFO] [example.com] acme: Could not find solver for: tls-alpn-01
[INFO] [example.com] acme: Could not find solver for: http-01
[INFO] [example.com] acme: use dns-01 solver
[INFO] [example.com] acme: Preparing to solve DNS-01
lego: Please create the following TXT record in your example.com. zone:
_acme-challenge.example.com. 120 IN TXT "hX0dPkG6Gfs9hUvBAchQclkyyoEKbShbpvJ9mY5q2JQ"
lego: Press 'Enter' when you are done

Do as instructed, and create the TXT records, and hit Enter.

[INFO] [example.com] acme: Trying to solve DNS-01
[INFO] [example.com] acme: Checking DNS record propagation using [192.168.8.1:53]
[INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
[INFO] [example.com] acme: Waiting for DNS record propagation.
[INFO] [example.com] The server validated our request
[INFO] [example.com] acme: Cleaning DNS-01 challenge
lego: You can now remove this TXT record from your example.com. zone:
_acme-challenge.example.com. 120 IN TXT "hX0dPkG6Gfs9hUvBAchQclkyyoEKbShbpvJ9mY5q2JQ"
[INFO] [example.com] acme: Validations succeeded; requesting certificates
[INFO] [example.com] Server responded with a certificate.

As mentioned, you can now remove the TXT record again.

May 5, 2026

Metaname

Configuration for Metaname.

  • Code: metaname
  • Since: v4.13.0

Here is an example bash command using the Metaname provider:

METANAME_ACCOUNT_REFERENCE=xxxx \
METANAME_API_KEY=yyyyyyy \
lego run --dns metaname -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
METANAME_ACCOUNT_REFERENCE The four-digit reference of a Metaname account
METANAME_API_KEY API Key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
METANAME_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
METANAME_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
METANAME_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Metaregistrar

Configuration for Metaregistrar.

  • Code: metaregistrar
  • Since: v4.23.0

Here is an example bash command using the Metaregistrar provider:

METAREGISTRAR_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns metaregistrar -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
METAREGISTRAR_API_TOKEN The API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
METAREGISTRAR_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
METAREGISTRAR_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
METAREGISTRAR_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
METAREGISTRAR_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

mijn.host

Configuration for mijn.host.

  • Code: mijnhost
  • Since: v4.18.0

Here is an example bash command using the mijn.host provider:

MIJNHOST_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns mijnhost -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MIJNHOST_API_KEY The API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MIJNHOST_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
MIJNHOST_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
MIJNHOST_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
MIJNHOST_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
MIJNHOST_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Mittwald

Configuration for Mittwald.

  • Code: mittwald
  • Since: v1.48.0

Here is an example bash command using the Mittwald provider:

MITTWALD_TOKEN=my-token \
lego run --dns mittwald -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MITTWALD_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MITTWALD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
MITTWALD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
MITTWALD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
MITTWALD_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 120)
MITTWALD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

myaddr.{tools,dev,io}

Configuration for myaddr.{tools,dev,io}.

  • Code: myaddr
  • Since: v4.22.0

Here is an example bash command using the myaddr.{tools,dev,io} provider:

MYADDR_PRIVATE_KEYS_MAPPING="example:123,test:456" \
lego run --dns myaddr -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MYADDR_PRIVATE_KEYS_MAPPING Mapping between subdomains and private keys. The format is: <subdomain1>:<private_key1>,<subdomain2>:<private_key2>,<subdomain3>:<private_key3>

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MYADDR_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
MYADDR_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
MYADDR_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
MYADDR_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 2)
MYADDR_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

MyDNS.jp

Configuration for MyDNS.jp.

  • Code: mydnsjp
  • Since: v1.2.0

Here is an example bash command using the MyDNS.jp provider:

MYDNSJP_MASTER_ID=xxxxx \
MYDNSJP_PASSWORD=xxxxx \
lego run --dns mydnsjp -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MYDNSJP_MASTER_ID Master ID
MYDNSJP_PASSWORD Password

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MYDNSJP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
MYDNSJP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
MYDNSJP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

MythicBeasts

Configuration for MythicBeasts.

  • Code: mythicbeasts
  • Since: v0.3.7

Here is an example bash command using the MythicBeasts provider:

MYTHICBEASTS_USERNAME=myuser \
MYTHICBEASTS_PASSWORD=mypass \
lego run --dns mythicbeasts -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
MYTHICBEASTS_PASSWORD Password
MYTHICBEASTS_USERNAME User name

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
MYTHICBEASTS_API_ENDPOINT The endpoint for the API (must implement v2)
MYTHICBEASTS_AUTH_API_ENDPOINT The endpoint for Mythic Beasts’ Authentication
MYTHICBEASTS_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
MYTHICBEASTS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
MYTHICBEASTS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
MYTHICBEASTS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

If you are using specific API keys, then the username is the API ID for your API key, and the password is the API secret.

Your API key name is not needed to operate lego.

More information

May 5, 2026

Name.com

Configuration for Name.com.

  • Code: namedotcom
  • Since: v0.5.0

Here is an example bash command using the Name.com provider:

NAMECOM_USERNAME=foo.bar \
NAMECOM_API_TOKEN=a379a6f6eeafb9a55e378c118034e2751e682fab \
lego run --dns namedotcom -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NAMECOM_API_TOKEN API token
NAMECOM_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NAMECOM_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
NAMECOM_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
NAMECOM_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 900)
NAMECOM_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Namecheap

Configuration for Namecheap.

To enable API access on the Namecheap production environment, some opaque requirements must be met. More information in the section Enabling API Access of the Namecheap documentation. (2020-08: Account balance of $50+, 20+ domains in your account, or purchases totaling $50+ within the last 2 years.)

  • Code: namecheap
  • Since: v0.3.0

Here is an example bash command using the Namecheap provider:

NAMECHEAP_API_USER=user \
NAMECHEAP_API_KEY=key \
lego run --dns namecheap -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NAMECHEAP_API_KEY API key
NAMECHEAP_API_USER API user

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NAMECHEAP_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
NAMECHEAP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 15)
NAMECHEAP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 3600)
NAMECHEAP_SANDBOX Activate the sandbox (boolean)
NAMECHEAP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Namesilo

Configuration for Namesilo.

  • Code: namesilo
  • Since: v2.7.0

Here is an example bash command using the Namesilo provider:

NAMESILO_API_KEY=b9841238feb177a84330febba8a83208921177bffe733 \
lego run --dns namesilo -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NAMESILO_API_KEY Client ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NAMESILO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NAMESILO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60), it is better to set larger than 15 minutes
NAMESILO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600), should be in [3600, 2592000]

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

NearlyFreeSpeech.NET

Configuration for NearlyFreeSpeech.NET.

  • Code: nearlyfreespeech
  • Since: v4.8.0

Here is an example bash command using the NearlyFreeSpeech.NET provider:

NEARLYFREESPEECH_API_KEY=xxxxxx \
NEARLYFREESPEECH_LOGIN=xxxx \
lego run --dns nearlyfreespeech -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NEARLYFREESPEECH_API_KEY API Key for API requests
NEARLYFREESPEECH_LOGIN Username for API requests

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NEARLYFREESPEECH_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NEARLYFREESPEECH_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NEARLYFREESPEECH_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NEARLYFREESPEECH_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
NEARLYFREESPEECH_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

NederHost

Configuration for NederHost.

  • Code: nederhost
  • Since: v5.0.0

Here is an example bash command using the NederHost provider:

NEDERHOST_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns nederhost -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NEDERHOST_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NEDERHOST_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NEDERHOST_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NEDERHOST_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NEDERHOST_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Neodigit

Configuration for Neodigit.

  • Code: neodigit
  • Since: v4.30.0

Here is an example bash command using the Neodigit provider:

NEODIGIT_TOKEN=xxxxxx \
lego run --dns neodigit -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NEODIGIT_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NEODIGIT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NEODIGIT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
NEODIGIT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
NEODIGIT_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Netcup

Configuration for Netcup.

  • Code: netcup
  • Since: v1.1.0

Here is an example bash command using the Netcup provider:

NETCUP_CUSTOMER_NUMBER=xxxx \
NETCUP_API_KEY=yyyy \
NETCUP_API_PASSWORD=zzzz \
lego run --dns netcup -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NETCUP_API_KEY API key
NETCUP_API_PASSWORD API password
NETCUP_CUSTOMER_NUMBER Customer number

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NETCUP_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
NETCUP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 30)
NETCUP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 900)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Netlify

Configuration for Netlify.

  • Code: netlify
  • Since: v3.7.0

Here is an example bash command using the Netlify provider:

NETLIFY_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns netlify -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NETLIFY_TOKEN Token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NETLIFY_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NETLIFY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NETLIFY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NETLIFY_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Netnod

Configuration for Netnod.

  • Code: netnod
  • Since: v4.34.0

Here is an example bash command using the Netnod provider:

NETNOD_TOKEN="xxx" \
lego run --dns netnod -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NETNOD_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NETNOD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NETNOD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NETNOD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NETNOD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Ngenix

Configuration for Ngenix.

  • Code: ngenix
  • Since: v5.0.0

Here is an example bash command using the Ngenix provider:

NGENIX_USERNAME="xxx" \
NGENIX_TOKEN="yyy" \
NGENIX_CUSTOMER_ID="zzz" \
lego run --dns ngenix -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NGENIX_CUSTOMER_ID Customer ID
NGENIX_TOKEN API token
NGENIX_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NGENIX_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NGENIX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 20)
NGENIX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 6, 2026

Nicmanager

Configuration for Nicmanager.

  • Code: nicmanager
  • Since: v4.5.0

Here is an example bash command using the Nicmanager provider:

## Login using email

NICMANAGER_API_EMAIL = "you@example.com" \
NICMANAGER_API_PASSWORD = "password" \

# Optionally, if your account has TOTP enabled, set the secret here
NICMANAGER_API_OTP = "long-secret" \

lego run --dns nicmanager -d '*.example.com' -d example.com

## Login using account name + username

NICMANAGER_API_LOGIN = "myaccount" \
NICMANAGER_API_USERNAME = "myuser" \
NICMANAGER_API_PASSWORD = "password" \

# Optionally, if your account has TOTP enabled, set the secret here
NICMANAGER_API_OTP = "long-secret" \

lego run --dns nicmanager -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NICMANAGER_API_EMAIL Email-based login
NICMANAGER_API_LOGIN Login, used for Username-based login
NICMANAGER_API_PASSWORD Password, always required
NICMANAGER_API_USERNAME Username, used for Username-based login

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NICMANAGER_API_MODE mode: ‘anycast’ or ‘zones’ (for FreeDNS) (default: ‘anycast’)
NICMANAGER_API_OTP TOTP Secret (optional)
NICMANAGER_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
NICMANAGER_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NICMANAGER_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
NICMANAGER_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 900)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

You can log in using your account name + username or using your email address. Optionally, if TOTP is configured for your account, set NICMANAGER_API_OTP.

More information

May 5, 2026

NIFCloud

Configuration for NIFCloud.

  • Code: nifcloud
  • Since: v1.1.0

Here is an example bash command using the NIFCloud provider:

NIFCLOUD_ACCESS_KEY_ID=xxxx \
NIFCLOUD_SECRET_ACCESS_KEY=yyyy \
lego run --dns nifcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NIFCLOUD_ACCESS_KEY_ID Access key
NIFCLOUD_SECRET_ACCESS_KEY Secret access key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NIFCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NIFCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NIFCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NIFCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Njalla

Configuration for Njalla.

  • Code: njalla
  • Since: v4.3.0

Here is an example bash command using the Njalla provider:

NJALLA_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns njalla -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NJALLA_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NJALLA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NJALLA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NJALLA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NJALLA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Nodion

Configuration for Nodion.

  • Code: nodion
  • Since: v4.11.0

Here is an example bash command using the Nodion provider:

NODION_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns nodion -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NODION_API_TOKEN The API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NODION_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
NODION_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NODION_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
NODION_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

NS1

Configuration for NS1.

  • Code: ns1
  • Since: v0.4.0

Here is an example bash command using the NS1 provider:

NS1_API_KEY=xxxx \
lego run --dns ns1 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NS1_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NS1_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
NS1_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
NS1_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
NS1_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Octenium

Configuration for Octenium.

  • Code: octenium
  • Since: v4.27.0

Here is an example bash command using the Octenium provider:

OCTENIUM_API_KEY="xxx" \
lego run --dns octenium -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
OCTENIUM_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
OCTENIUM_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
OCTENIUM_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
OCTENIUM_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
OCTENIUM_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

omg.lol

Configuration for omg.lol.

  • Code: omglol
  • Since: v5.0.0

Here is an example bash command using the omg.lol provider:

OMGLOL_API_KEY="xx" \
lego run --dns omglol -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
OMGLOL_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
OMGLOL_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
OMGLOL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
OMGLOL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
OMGLOL_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Online.net

Configuration for Online.net.

  • Code: onlinenet
  • Since: v4.34.0

Here is an example bash command using the Online.net provider:

ONLINENET_API_TOKEN="xxx" \
lego run --dns onlinenet -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ONLINENET_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ONLINENET_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ONLINENET_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 15)
ONLINENET_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 240)
ONLINENET_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Open Telekom Cloud

Configuration for Open Telekom Cloud.

  • Code: otc
  • Since: v0.4.1

Here is an example bash command using the Open Telekom Cloud provider:

OTC_DOMAIN_NAME=domain_name \
OTC_USER_NAME=user_name \
OTC_PASSWORD=password \
OTC_PROJECT_NAME=project_name \
lego run --dns otc -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
OTC_DOMAIN_NAME Domain name
OTC_PASSWORD Password
OTC_PROJECT_NAME Project name
OTC_USER_NAME User name

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
OTC_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
OTC_IDENTITY_ENDPOINT Identity endpoint URL (default: https://iam.eu-de.otc.t-systems.com:443/v3/auth/tokens)
OTC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
OTC_PRIVATE_ZONE Set to true to use private zones only (default: use public zones only)
OTC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
OTC_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
OTC_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Oracle Cloud

Configuration for Oracle Cloud.

  • Code: oraclecloud
  • Since: v2.3.0

Here is an example bash command using the Oracle Cloud provider:

# Using API Key authentication:

OCI_PRIVATE_KEY_PATH="~/.oci/oci_api_key.pem" \
OCI_PRIVATE_KEY_PASSWORD="secret" \
OCI_TENANCY_OCID="ocid1.tenancy.oc1..secret" \
OCI_USER_OCID="ocid1.user.oc1..secret" \
OCI_FINGERPRINT="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" \
OCI_REGION="us-phoenix-1" \
OCI_COMPARTMENT_OCID="ocid1.tenancy.oc1..secret" \
lego run --dns oraclecloud -d '*.example.com' -d example.com

# Using Instance Principal authentication (when running on OCI compute instances):
# https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

OCI_AUTH_TYPE="instance_principal" \
OCI_COMPARTMENT_OCID="ocid1.tenancy.oc1..secret" \
lego run --dns oraclecloud -d '*.example.com' -d example.com

# Using profile session token:

OCI_AUTH_TYPE="user_principal" \
OCI_PROFILE="xxx" \
OCI_COMPARTMENT_OCID="ocid1.tenancy.oc1..secret" \
lego run --dns oraclecloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
OCI_COMPARTMENT_OCID Compartment OCID
OCI_FINGERPRINT Public key fingerprint (ignored if OCI_AUTH_TYPE is not empty)
OCI_PRIVATE_KEY_PASSWORD Private key password (ignored if OCI_AUTH_TYPE is not empty)
OCI_PRIVATE_KEY_PATH Private key file (ignored if OCI_AUTH_TYPE is not empty)
OCI_REGION Region (it can be empty if OCI_AUTH_TYPE is not empty).
OCI_TENANCY_OCID Tenancy OCID (ignored if OCI_AUTH_TYPE is not empty)
OCI_USER_OCID User OCID (ignored if OCI_AUTH_TYPE is not empty)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
OCI_AUTH_TYPE Authorization type. Possible values: ‘instance_principal’, ‘user_principal’, ‘’. (Default: ‘’)
OCI_CONFIG_FILE Path to the configuration file. (only for OCI_AUTH_TYPE=user_principal)
OCI_HTTP_TIMEOUT API request timeout in seconds (Default: 60)
OCI_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
OCI_PROFILE Profile name. (only for OCI_AUTH_TYPE=user_principal)
OCI_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
OCI_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)
TF_VAR_fingerprint Alias on OCI_FINGERPRINT
TF_VAR_private_key_path Alias on OCI_PRIVATE_KEY_PATH
TF_VAR_region Alias on OCI_REGION
TF_VAR_tenancy_ocid Alias on OCI_TENANCY_OCID
TF_VAR_user_ocid Alias on OCI_USER_OCID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

OVH

Configuration for OVH.

  • Code: ovh
  • Since: v0.4.0

Here is an example bash command using the OVH provider:

# Application Key authentication:

OVH_APPLICATION_KEY=1234567898765432 \
OVH_APPLICATION_SECRET=b9841238feb177a84330febba8a832089 \
OVH_CONSUMER_KEY=256vfsd347245sdfg \
OVH_ENDPOINT=ovh-eu \
lego run --dns ovh -d '*.example.com' -d example.com

# Or Access Token:

OVH_ACCESS_TOKEN=xxx \
OVH_ENDPOINT=ovh-eu \
lego run --dns ovh -d '*.example.com' -d example.com

# Or OAuth2:

OVH_CLIENT_ID=yyy \
OVH_CLIENT_SECRET=xxx \
OVH_ENDPOINT=ovh-eu \
lego run --dns ovh -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
OVH_ACCESS_TOKEN Access token
OVH_APPLICATION_KEY Application key (Application Key authentication)
OVH_APPLICATION_SECRET Application secret (Application Key authentication)
OVH_CLIENT_ID Client ID (OAuth2)
OVH_CLIENT_SECRET Client secret (OAuth2)
OVH_CONSUMER_KEY Consumer key (Application Key authentication)
OVH_ENDPOINT Endpoint URL (ovh-eu or ovh-ca)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
OVH_HTTP_TIMEOUT API request timeout in seconds (Default: 180)
OVH_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
OVH_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
OVH_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Application Key and Secret

Application key and secret can be created by following the OVH guide.

When requesting the consumer key, the following configuration can be used to define access rights:

{
  "accessRules": [
    {
      "method": "POST",
      "path": "/domain/zone/*"
    },
    {
      "method": "DELETE",
      "path": "/domain/zone/*"
    }
  ]
}

OAuth2 Client Credentials

Another method for authentication is by using OAuth2 client credentials.

An IAM policy and service account can be created by following the OVH guide.

Following IAM policies need to be authorized for the affected domain:

  • dnsZone:apiovh:record/create
  • dnsZone:apiovh:record/delete
  • dnsZone:apiovh:refresh

Important Note

Both authentication methods cannot be used at the same time.

More information

May 5, 2026

plesk.com

Configuration for plesk.com.

  • Code: plesk
  • Since: v4.11.0

Here is an example bash command using the plesk.com provider:

PLESK_SERVER_BASE_URL="https://plesk.myserver.com:8443" \
PLESK_USERNAME=xxxxxx \
PLESK_PASSWORD=yyyyyy \
lego run --dns plesk -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
PLESK_PASSWORD API password
PLESK_SERVER_BASE_URL Base URL of the server (ex: https://plesk.myserver.com:8443)
PLESK_USERNAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
PLESK_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
PLESK_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
PLESK_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
PLESK_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

PointDNS/PointHQ

Configuration for PointDNS/PointHQ.

  • Code: pointdns
  • Since: v5.0.0

Here is an example bash command using the PointDNS/PointHQ provider:

POINTDNS_USERNAME="xxx" \
POINTDNS_PASSWORD="yyy" \
lego run --dns pointdns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
POINTDNS_PASSWORD Password
POINTDNS_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
POINTDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
POINTDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
POINTDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
POINTDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Porkbun

Configuration for Porkbun.

  • Code: porkbun
  • Since: v4.4.0

Here is an example bash command using the Porkbun provider:

PORKBUN_SECRET_API_KEY=xxxxxx \
PORKBUN_API_KEY=yyyyyy \
lego run --dns porkbun -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
PORKBUN_API_KEY API key
PORKBUN_SECRET_API_KEY secret API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
PORKBUN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
PORKBUN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
PORKBUN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 600)
PORKBUN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

PowerDNS

Configuration for PowerDNS.

  • Code: pdns
  • Since: v0.4.0

Here is an example bash command using the PowerDNS provider:

PDNS_API_URL=http://pdns-server:80/ \
PDNS_API_KEY=xxxx \
lego run --dns pdns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
PDNS_API_KEY API key
PDNS_API_URL API URL

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
PDNS_API_VERSION Skip API version autodetection and use the provided version number.
PDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
PDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
PDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
PDNS_SERVER_NAME Name of the server in the URL, ’localhost’ by default
PDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Information

Tested and confirmed to work with PowerDNS authoritative server 3.4.8 and 4.0.1. Refer to PowerDNS documentation instructions on how to enable the built-in API interface.

PowerDNS Notes:

  • PowerDNS API does not currently support SSL, therefore you should take care to ensure that traffic between lego and the PowerDNS API is over a trusted network, VPN etc.
  • In order to have the SOA serial automatically increment each time the _acme-challenge record is added/modified via the API, set SOA-EDIT-API to INCEPTION-INCREMENT for the zone in the domainmetadata table
  • Some PowerDNS servers doesn’t have root API endpoints enabled and API version autodetection will not work. In that case version number can be defined using PDNS_API_VERSION.

More information

May 5, 2026

Rackspace

Configuration for Rackspace.

  • Code: rackspace
  • Since: v0.4.0

Here is an example bash command using the Rackspace provider:

RACKSPACE_USER=xxxx \
RACKSPACE_API_KEY=yyyy \
lego run --dns rackspace -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
RACKSPACE_API_KEY API key
RACKSPACE_USER API user

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
RACKSPACE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
RACKSPACE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 3)
RACKSPACE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
RACKSPACE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Rage4

Configuration for Rage4.

  • Code: rage4
  • Since: v5.0.0

Here is an example bash command using the Rage4 provider:

RAGE4_USERNAME="xxx" \
RAGE4_PASSWORD="yyy" \
lego run --dns rage4 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
RAGE4_PASSWORD Password
RAGE4_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
RAGE4_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
RAGE4_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
RAGE4_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
RAGE4_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Rain Yun/雨云

Configuration for Rain Yun/雨云.

  • Code: rainyun
  • Since: v4.21.0

Here is an example bash command using the Rain Yun/雨云 provider:

RAINYUN_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns rainyun -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
RAINYUN_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
RAINYUN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
RAINYUN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
RAINYUN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
RAINYUN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

RcodeZero

Configuration for RcodeZero.

  • Code: rcodezero
  • Since: v4.13

Here is an example bash command using the RcodeZero provider:

RCODEZERO_API_TOKEN=<mytoken> \
lego run --dns rcodezero -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
RCODEZERO_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
RCODEZERO_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
RCODEZERO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
RCODEZERO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 240)
RCODEZERO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Description

Generate your API Token via https://my.rcodezero.at with the ACME permissions. These are special tokens with limited access for ACME requests only.

RcodeZero is an Anycast Network so the distribution of the DNS01-Challenge can take up to 2 minutes.

More information

May 5, 2026

reg.ru

Configuration for reg.ru.

  • Code: regru
  • Since: v3.5.0

Here is an example bash command using the reg.ru provider:

REGRU_USERNAME=xxxxxx \
REGRU_PASSWORD=yyyyyy \
lego run --dns regru -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
REGRU_PASSWORD API password
REGRU_USERNAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
REGRU_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
REGRU_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
REGRU_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
REGRU_TLS_CERT authentication certificate
REGRU_TLS_KEY authentication private key
REGRU_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Regfish

Configuration for Regfish.

  • Code: regfish
  • Since: v4.20.0

Here is an example bash command using the Regfish provider:

REGFISH_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns regfish -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
REGFISH_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
REGFISH_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
REGFISH_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
REGFISH_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
REGFISH_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

RimuHosting

Configuration for RimuHosting.

  • Code: rimuhosting
  • Since: v0.3.5

Here is an example bash command using the RimuHosting provider:

RIMUHOSTING_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns rimuhosting -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
RIMUHOSTING_API_KEY User API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
RIMUHOSTING_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
RIMUHOSTING_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
RIMUHOSTING_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
RIMUHOSTING_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

RU CENTER

Configuration for RU CENTER.

  • Code: nicru
  • Since: v4.24.0

Here is an example bash command using the RU CENTER provider:

NICRU_USER="<your_user>" \
NICRU_PASSWORD="<your_password>" \
NICRU_SERVICE_ID="<service_id>" \
NICRU_SECRET="<service_secret>" \
lego run --dns nicru -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
NICRU_PASSWORD Password for an account in RU CENTER
NICRU_SECRET Secret for application in DNS-hosting RU CENTER
NICRU_SERVICE_ID Service ID for application in DNS-hosting RU CENTER
NICRU_SERVICE_NAME Service Name for DNS-hosting RU CENTER
NICRU_USER Agreement for an account in RU CENTER

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
NICRU_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 60)
NICRU_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 600)
NICRU_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 30)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Credential information

You can find information about service ID and secret https://www.nic.ru/manager/oauth.cgi?step=oauth.app_list

ENV Variable Parameter from page Example
NICRU_USER Username (Number of agreement) NNNNNNN/NIC-D
NICRU_PASSWORD Password account
NICRU_SERVICE_ID Application ID hex-based, len 32
NICRU_SECRET Identity endpoint string len 91

More information

May 5, 2026

Sakura Cloud

Configuration for Sakura Cloud.

  • Code: sakuracloud
  • Since: v1.1.0

Here is an example bash command using the Sakura Cloud provider:

SAKURACLOUD_ACCESS_TOKEN=xxxxx \
SAKURACLOUD_ACCESS_TOKEN_SECRET=yyyyy \
lego run --dns sakuracloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SAKURACLOUD_ACCESS_TOKEN Access token
SAKURACLOUD_ACCESS_TOKEN_SECRET Access token secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SAKURACLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
SAKURACLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SAKURACLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SAKURACLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Scaleway

Configuration for Scaleway.

  • Code: scaleway
  • Since: v3.4.0

Here is an example bash command using the Scaleway provider:

SCW_SECRET_KEY=xxxxxxx-xxxxx-xxxx-xxx-xxxxxx \
lego run --dns scaleway -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SCW_PROJECT_ID Project to use (optional)
SCW_SECRET_KEY Secret key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SCW_ACCESS_KEY Access key
SCW_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SCW_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
SCW_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
SCW_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ScanNet

Configuration for ScanNet.

  • Code: scannet
  • Since: v5.0.0

Here is an example bash command using the ScanNet provider:

SCANNET_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns scannet -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SCANNET_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SCANNET_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SCANNET_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SCANNET_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SCANNET_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Selectel

Configuration for Selectel.

  • Code: selectel
  • Since: v1.2.0

Here is an example bash command using the Selectel provider:

SELECTEL_API_TOKEN=xxxxx \
lego run --dns selectel -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SELECTEL_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SELECTEL_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SELECTEL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SELECTEL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
SELECTEL_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Selectel v2

Configuration for Selectel v2.

  • Code: selectelv2
  • Since: v4.17.0

Here is an example bash command using the Selectel v2 provider:

SELECTELV2_USERNAME=trex \
SELECTELV2_PASSWORD=xxxxx \
SELECTELV2_ACCOUNT_ID=1234567 \
SELECTELV2_PROJECT_ID=111a11111aaa11aa1a11aaa11111aa1a \
lego run --dns selectelv2 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SELECTELV2_ACCOUNT_ID Selectel account ID (INT)
SELECTELV2_PASSWORD Openstack username’s password
SELECTELV2_PROJECT_ID Cloud project ID (UUID)
SELECTELV2_USERNAME Openstack username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SELECTELV2_AUTH_REGION Location for auth endpoint like ResellAPI or Keystone (default: ‘ru-1’)
SELECTELV2_AUTH_URL Identity endpoint (default: ‘https://cloud.api.selcloud.ru/identity/v3/')
SELECTELV2_BASE_URL API endpoint URL
SELECTELV2_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SELECTELV2_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
SELECTELV2_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
SELECTELV2_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)
SELECTELV2_USER_DOMAIN_NAME To specify the domain name (account ID) where the user is located. (default: SELECTELV2_ACCOUNT_ID)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

SelfHost.(de|eu)

Configuration for SelfHost.(de|eu).

  • Code: selfhostde
  • Since: v4.19.0

Here is an example bash command using the SelfHost.(de|eu) provider:

SELFHOSTDE_USERNAME=xxx \
SELFHOSTDE_PASSWORD=yyy \
SELFHOSTDE_RECORDS_MAPPING=my.example.com:123 \
lego run --dns selfhostde -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SELFHOSTDE_PASSWORD Password
SELFHOSTDE_RECORDS_MAPPING Record IDs mapping with domains (ex: example.com:123:456,example.org:789,foo.example.com:147)
SELFHOSTDE_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SELFHOSTDE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SELFHOSTDE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 30)
SELFHOSTDE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 240)
SELFHOSTDE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

SelfHost.de doesn’t have an API to create or delete TXT records, there is only an “unofficial” and undocumented endpoint to update an existing TXT record.

So, before using lego to request a certificate for a given domain or wildcard (such as my.example.org or *.my.example.org), you must create:

  • one TXT record named _acme-challenge.my.example.org if you are not using wildcard for this domain.
  • two TXT records named _acme-challenge.my.example.org if you are using wildcard for this domain.

After that you must edit the TXT record(s) to get the ID(s).

You then must prepare the SELFHOSTDE_RECORDS_MAPPING environment variable with the following format:

<domain_A>:<record_id_A1>:<record_id_A2>,<domain_B>:<record_id_B1>:<record_id_B2>,<domain_C>:<record_id_C1>:<record_id_C2>

where each group of domain + record ID(s) is separated with a comma (,), and the domain and record ID(s) are separated with a colon (:).

For example, if you want to create or renew a certificate for my.example.org, *.my.example.org, and other.example.org, you would need:

  • two separate records for _acme-challenge.my.example.org
  • and another separate record for _acme-challenge.other.example.org

The resulting environment variable would then be: SELFHOSTDE_RECORDS_MAPPING=my.example.com:123:456,other.example.com:789

May 5, 2026

Servercow

Configuration for Servercow.

  • Code: servercow
  • Since: v3.4.0

Here is an example bash command using the Servercow provider:

SERVERCOW_USERNAME=xxxxxxxx \
SERVERCOW_PASSWORD=xxxxxxxx \
lego run --dns servercow -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SERVERCOW_PASSWORD API password
SERVERCOW_USERNAME API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SERVERCOW_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SERVERCOW_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SERVERCOW_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SERVERCOW_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Shellrent

Configuration for Shellrent.

  • Code: shellrent
  • Since: v4.16.0

Here is an example bash command using the Shellrent provider:

SHELLRENT_USERNAME=xxxx \
SHELLRENT_TOKEN=yyyy \
lego run --dns shellrent -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SHELLRENT_TOKEN Token
SHELLRENT_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SHELLRENT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SHELLRENT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
SHELLRENT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
SHELLRENT_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Simply.com

Configuration for Simply.com.

  • Code: simply
  • Since: v4.4.0

Here is an example bash command using the Simply.com provider:

SIMPLY_ACCOUNT_NAME=xxxxxx \
SIMPLY_API_KEY=yyyyyy \
lego run --dns simply -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SIMPLY_ACCOUNT_NAME Account name
SIMPLY_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SIMPLY_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SIMPLY_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
SIMPLY_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
SIMPLY_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Sonic

Configuration for Sonic.

  • Code: sonic
  • Since: v4.4.0

Here is an example bash command using the Sonic provider:

SONIC_USER_ID=12345 \
SONIC_API_KEY=4d6fbf2f9ab0fa11697470918d37625851fc0c51 \
lego run --dns sonic -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SONIC_API_KEY API Key
SONIC_USER_ID User ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SONIC_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
SONIC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SONIC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SONIC_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
SONIC_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

API keys

The API keys must be generated by calling the dyndns/api_key endpoint.

Example:

$ curl -X POST -H "Content-Type: application/json" --data '{"username":"notarealuser","password":"notarealpassword","hostname":"example.com"}' https://public-api.sonic.net/dyndns/api_key
{"userid":"12345","apikey":"4d6fbf2f9ab0fa11697470918d37625851fc0c51","result":200,"message":"OK"}

See https://public-api.sonic.net/dyndns/#requesting_an_api_key for additional details.

This userid and apikey combo allow modifications to any DNS entries connected to the managed domain (hostname).

Hostname should be the toplevel domain managed e.g. example.com not www.example.com.

More information

May 5, 2026

Spaceship

Configuration for Spaceship.

  • Code: spaceship
  • Since: v4.22.0

Here is an example bash command using the Spaceship provider:

SPACESHIP_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
SPACESHIP_API_SECRET="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns spaceship -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SPACESHIP_API_KEY API key
SPACESHIP_API_SECRET API secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SPACESHIP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SPACESHIP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
SPACESHIP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
SPACESHIP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Stackpath

Configuration for Stackpath.

  • Code: stackpath
  • Since: v1.1.0

Here is an example bash command using the Stackpath provider:

STACKPATH_CLIENT_ID=xxxxx \
STACKPATH_CLIENT_SECRET=yyyyy \
STACKPATH_STACK_ID=zzzzz \
lego run --dns stackpath -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
STACKPATH_CLIENT_ID Client ID
STACKPATH_CLIENT_SECRET Client secret
STACKPATH_STACK_ID Stack ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
STACKPATH_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
STACKPATH_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
STACKPATH_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Syse

Configuration for Syse.

  • Code: syse
  • Since: v4.30.0

Here is an example bash command using the Syse provider:

SYSE_CREDENTIALS=example.com:password \
lego run --dns syse -d '*.example.com' -d example.com

SYSE_CREDENTIALS=example.org:password1,example.com:password2 \
lego run --dns syse -d '*.example.org' -d example.org -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
SYSE_CREDENTIALS Comma-separated list of zone:password credential pairs

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
SYSE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
SYSE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
SYSE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 1200)
SYSE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Technitium

Configuration for Technitium.

  • Code: technitium
  • Since: v4.20.0

Here is an example bash command using the Technitium provider:

TECHNITIUM_SERVER_BASE_URL="https://localhost:5380" \
TECHNITIUM_API_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns technitium -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
TECHNITIUM_API_TOKEN API token
TECHNITIUM_SERVER_BASE_URL Server base URL

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
TECHNITIUM_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
TECHNITIUM_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
TECHNITIUM_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
TECHNITIUM_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Technitium DNS Server supports Dynamic Updates (RFC2136) for primary zones, so you can also use the RFC2136 provider.

RFC2136 provider is much better compared to the HTTP API option from security perspective. Technitium recommends to use it in production over the HTTP API.

More information

May 5, 2026

Tele3

Configuration for Tele3.

  • Code: tele3
  • Since: v5.0.0

Here is an example bash command using the Tele3 provider:

TELE3_KEY="xxx" \
TELE3_SECRET="yyy" \
lego run --dns tele3 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
TELE3_KEY Key
TELE3_SECRET Secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
TELE3_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
TELE3_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
TELE3_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
TELE3_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Tencent Cloud DNS

Configuration for Tencent Cloud DNS.

  • Code: tencentcloud
  • Since: v4.6.0

Here is an example bash command using the Tencent Cloud DNS provider:

TENCENTCLOUD_SECRET_ID=abcdefghijklmnopqrstuvwx \
TENCENTCLOUD_SECRET_KEY=your-secret-key \
lego run --dns tencentcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
TENCENTCLOUD_SECRET_ID Access key ID
TENCENTCLOUD_SECRET_KEY Access Key secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
TENCENTCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
TENCENTCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
TENCENTCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
TENCENTCLOUD_REGION Region
TENCENTCLOUD_SESSION_TOKEN Access Key token
TENCENTCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Tencent EdgeOne

Configuration for Tencent EdgeOne.

  • Code: edgeone
  • Since: v4.26.0

Here is an example bash command using the Tencent EdgeOne provider:

EDGEONE_SECRET_ID=abcdefghijklmnopqrstuvwx \
EDGEONE_SECRET_KEY=your-secret-key \
lego run --dns edgeone -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
EDGEONE_SECRET_ID Access key ID
EDGEONE_SECRET_KEY Access Key secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
EDGEONE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
EDGEONE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 30)
EDGEONE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 1200)
EDGEONE_REGION Region
EDGEONE_SESSION_TOKEN Access Key token
EDGEONE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)
EDGEONE_ZONES_MAPPING Mapping between DNS zones and site IDs. (ex: ’example.org:id1,example.com:id2')

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Timeweb Cloud

Configuration for Timeweb Cloud.

  • Code: timewebcloud
  • Since: v4.20.0

Here is an example bash command using the Timeweb Cloud provider:

TIMEWEBCLOUD_AUTH_TOKEN=xxxxxx \
lego run --dns timewebcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
TIMEWEBCLOUD_AUTH_TOKEN Authentication token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
TIMEWEBCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 10)
TIMEWEBCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
TIMEWEBCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

TodayNIC/时代互联

Configuration for TodayNIC/时代互联.

  • Code: todaynic
  • Since: v4.32.0

Here is an example bash command using the TodayNIC/时代互联 provider:

TODAYNIC_AUTH_USER_ID="xxx" \
TODAYNIC_API_KEY="yyy" \
lego run --dns todaynic -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
TODAYNIC_API_KEY API key
TODAYNIC_AUTH_USER_ID account ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
TODAYNIC_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
TODAYNIC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
TODAYNIC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
TODAYNIC_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

TransIP

Configuration for TransIP.

  • Code: transip
  • Since: v2.0.0

Here is an example bash command using the TransIP provider:

TRANSIP_ACCOUNT_NAME = "Account name" \
TRANSIP_PRIVATE_KEY_PATH = "transip.key" \
lego run --dns transip -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
TRANSIP_ACCOUNT_NAME Account name
TRANSIP_PRIVATE_KEY_PATH Private key path

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
TRANSIP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
TRANSIP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
TRANSIP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 600)
TRANSIP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 10)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

UCloud

Configuration for UCloud.

  • Code: ucloud
  • Since: v4.34.0

Here is an example bash command using the UCloud provider:

UCLOUD_PUBLIC_KEY="xxx" \
UCLOUD_PRIVATE_KEY="yyy" \
lego run --dns ucloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
UCLOUD_PRIVATE_KEY Private key
UCLOUD_PUBLIC_KEY Public key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
UCLOUD_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
UCLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
UCLOUD_PROJECT_ID Project ID
UCLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
UCLOUD_REGION Region
UCLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Ultradns

Configuration for Ultradns.

  • Code: ultradns
  • Since: v4.10.0

Here is an example bash command using the Ultradns provider:

ULTRADNS_USERNAME=username \
ULTRADNS_PASSWORD=password \
lego run --dns ultradns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ULTRADNS_PASSWORD API Password
ULTRADNS_USERNAME API Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ULTRADNS_ENDPOINT API endpoint URL, defaults to https://api.ultradns.com/
ULTRADNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 4)
ULTRADNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
ULTRADNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

United-Domains

Configuration for United-Domains.

  • Code: uniteddomains
  • Since: v4.29.0

Here is an example bash command using the United-Domains provider:

UNITEDDOMAINS_API_KEY=xxxxxxxx \
lego run --dns uniteddomains -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
UNITEDDOMAINS_API_KEY API key <prefix>.<secret> https://www.united-domains.de/help/faq-article/getting-started-with-the-united-domains-dns-api/

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
UNITEDDOMAINS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
UNITEDDOMAINS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
UNITEDDOMAINS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 900)
UNITEDDOMAINS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Variomedia

Configuration for Variomedia.

  • Code: variomedia
  • Since: v4.8.0

Here is an example bash command using the Variomedia provider:

VARIOMEDIA_API_TOKEN=xxxx \
lego run --dns variomedia -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VARIOMEDIA_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VARIOMEDIA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VARIOMEDIA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
VARIOMEDIA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
VARIOMEDIA_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
VARIOMEDIA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Veesp

Configuration for Veesp.

  • Code: veesp
  • Since: v5.0.0

Here is an example bash command using the Veesp provider:

VEESP_USERNAME="xxxxxxxxxxxxxxxxxxxxx" \
VEESP_PASSWORD="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns vessp -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VEESP_PASSWORD Password
VEESP_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VEESP_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VEESP_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
VEESP_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
VEESP_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

VegaDNS

Configuration for VegaDNS.

  • Code: vegadns
  • Since: v1.1.0
Note

Please contribute by adding a CLI example.

Credentials

Environment Variable Name Description
SECRET_VEGADNS_KEY API key
SECRET_VEGADNS_SECRET API secret
VEGADNS_URL API endpoint URL

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VEGADNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 60)
VEGADNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 720)
VEGADNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 10)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

Jan 11, 2025

Vercel

Configuration for Vercel.

  • Code: vercel
  • Since: v4.7.0

Here is an example bash command using the Vercel provider:

VERCEL_API_TOKEN=xxxxxx \
lego run --dns vercel -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VERCEL_API_TOKEN Authentication token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VERCEL_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VERCEL_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
VERCEL_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
VERCEL_TEAM_ID Team ID (ex: team_xxxxxxxxxxxxxxxxxxxxxxxx)
VERCEL_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Versio.[nl|eu|uk]

Configuration for Versio.[nl|eu|uk].

  • Code: versio
  • Since: v2.7.0

Here is an example bash command using the Versio.[nl|eu|uk] provider:

VERSIO_USERNAME=<your login> \
VERSIO_PASSWORD=<your password> \
lego run --dns versio -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VERSIO_PASSWORD Basic authentication password
VERSIO_USERNAME Basic authentication username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VERSIO_ENDPOINT The endpoint URL of the API Server
VERSIO_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VERSIO_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
VERSIO_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
VERSIO_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
VERSIO_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

To test with the sandbox environment set VERSIO_ENDPOINT=https://www.versio.nl/testapi/v1/

More information

May 5, 2026

VinylDNS

Configuration for VinylDNS.

  • Code: vinyldns
  • Since: v4.4.0

Here is an example bash command using the VinylDNS provider:

VINYLDNS_ACCESS_KEY=xxxxxx \
VINYLDNS_SECRET_KEY=yyyyy \
VINYLDNS_HOST=https://api.vinyldns.example.org:9443 \
lego run --dns vinyldns -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VINYLDNS_ACCESS_KEY The VinylDNS API key
VINYLDNS_HOST The VinylDNS API URL
VINYLDNS_SECRET_KEY The VinylDNS API Secret key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VINYLDNS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VINYLDNS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 4)
VINYLDNS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
VINYLDNS_QUOTE_VALUE Adds quotes around the TXT record value (Default: false)
VINYLDNS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 30)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

The vinyldns integration makes use of dotted hostnames to ease permission management. Users are required to have DELETE ACL level or zone admin permissions on the VinylDNS zone containing the target host.

More information

May 5, 2026

Virtualname

Configuration for Virtualname.

  • Code: virtualname
  • Since: v4.30.0

Here is an example bash command using the Virtualname provider:

VIRTUALNAME_TOKEN=xxxxxx \
lego run --dns virtualname -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VIRTUALNAME_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VIRTUALNAME_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VIRTUALNAME_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
VIRTUALNAME_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)
VIRTUALNAME_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

VK Cloud

Configuration for VK Cloud.

  • Code: vkcloud
  • Since: v4.9.0

Here is an example bash command using the VK Cloud provider:

VK_CLOUD_PROJECT_ID="<your_project_id>" \
VK_CLOUD_USERNAME="<your_email>" \
VK_CLOUD_PASSWORD="<your_password>" \
lego run --dns vkcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VK_CLOUD_PASSWORD Password for VK Cloud account
VK_CLOUD_PROJECT_ID String ID of project in VK Cloud
VK_CLOUD_USERNAME Email of VK Cloud account

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VK_CLOUD_DNS_ENDPOINT URL of DNS API. Defaults to https://mcs.mail.ru/public-dns but can be changed for usage with private clouds
VK_CLOUD_DOMAIN_NAME Openstack users domain name. Defaults to users but can be changed for usage with private clouds
VK_CLOUD_IDENTITY_ENDPOINT URL of OpenStack Auth API, Defaults to https://infra.mail.ru:35357/v3/ but can be changed for usage with private clouds
VK_CLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
VK_CLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
VK_CLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Credential information

You can find all required and additional information on “Project/Keys” page of your cloud.

ENV Variable Parameter from page
VK_CLOUD_PROJECT_ID Project ID
VK_CLOUD_USERNAME Username
VK_CLOUD_DOMAIN_NAME User Domain Name
VK_CLOUD_IDENTITY_ENDPOINT Identity endpoint

More information

May 5, 2026

Volcano Engine/火山引擎

Configuration for Volcano Engine/火山引擎.

  • Code: volcengine
  • Since: v4.19.0

Here is an example bash command using the Volcano Engine/火山引擎 provider:

VOLC_ACCESSKEY=xxx \
VOLC_SECRETKEY=yyy \
lego run --dns volcengine -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VOLC_ACCESSKEY Access Key ID (AK)
VOLC_SECRETKEY Secret Access Key (SK)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VOLC_HOST API host
VOLC_HTTP_TIMEOUT API request timeout in seconds (Default: 15)
VOLC_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
VOLC_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 240)
VOLC_REGION Region
VOLC_SCHEME API scheme
VOLC_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Vscale

Configuration for Vscale.

  • Code: vscale
  • Since: v2.0.0

Here is an example bash command using the Vscale provider:

VSCALE_API_TOKEN=xxxxx \
lego run --dns vscale -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VSCALE_API_TOKEN API token

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VSCALE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VSCALE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
VSCALE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
VSCALE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Vultr

Configuration for Vultr.

  • Code: vultr
  • Since: v0.3.1

Here is an example bash command using the Vultr provider:

VULTR_API_KEY=xxxxx \
lego run --dns vultr -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
VULTR_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
VULTR_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
VULTR_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
VULTR_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
VULTR_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Wannafind

Configuration for Wannafind.

  • Code: wannafind
  • Since: v5.0.0

Here is an example bash command using the Wannafind provider:

WANNAFIND_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns wannafind -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
WANNAFIND_API_KEY API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
WANNAFIND_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
WANNAFIND_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
WANNAFIND_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
WANNAFIND_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

webnames.ca

Configuration for webnames.ca.

  • Code: webnamesca
  • Since: v4.28.0

Here is an example bash command using the webnames.ca provider:

WEBNAMESCA_API_USER="xxx" \
WEBNAMESCA_API_KEY="yyy" \
lego run --dns webnamesca -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
WEBNAMESCA_API_KEY API key
WEBNAMESCA_API_USER API username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
WEBNAMESCA_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
WEBNAMESCA_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
WEBNAMESCA_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
WEBNAMESCA_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

webnames.ru

Configuration for webnames.ru.

  • Code: webnamesru
  • Since: v4.15.0

Here is an example bash command using the webnames.ru provider:

WEBNAMESRU_API_KEY=xxxxxx \
lego run --dns webnamesru -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
WEBNAMESRU_API_KEY Domain API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
WEBNAMESRU_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
WEBNAMESRU_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
WEBNAMESRU_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

API Key

To obtain the key, you need to change the DNS server to *.nameself.com: Personal account / My domains and services / Select the required domain / DNS servers

The API key can be found: Personal account / My domains and services / Select the required domain / Zone management / acme.sh or certbot settings

More information

May 5, 2026

Websupport

Configuration for Websupport.

  • Code: websupport
  • Since: v4.10.0

Here is an example bash command using the Websupport provider:

WEBSUPPORT_API_KEY="xxxxxxxxxxxxxxxxxxxxx" \
WEBSUPPORT_SECRET="yyyyyyyyyyyyyyyyyyyyy" \
lego run --dns websupport -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
WEBSUPPORT_API_KEY API key
WEBSUPPORT_SECRET API secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
WEBSUPPORT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
WEBSUPPORT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
WEBSUPPORT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
WEBSUPPORT_SEQUENCE_INTERVAL Time between sequential requests in seconds (Default: 60)
WEBSUPPORT_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

WEDOS

Configuration for WEDOS.

  • Code: wedos
  • Since: v4.4.0

Here is an example bash command using the WEDOS provider:

WEDOS_USERNAME=xxxxxxxx \
WEDOS_WAPI_PASSWORD=xxxxxxxx \
lego run --dns wedos -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
WEDOS_USERNAME Username is the same as for the admin account
WEDOS_WAPI_PASSWORD Password needs to be generated and IP allowed in the admin interface

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
WEDOS_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
WEDOS_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
WEDOS_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 600)
WEDOS_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

West.cn/西部数码

Configuration for West.cn/西部数码.

  • Code: westcn
  • Since: v4.21.0

Here is an example bash command using the West.cn/西部数码 provider:

WESTCN_USERNAME="xxx" \
WESTCN_PASSWORD="yyy" \
lego run --dns westcn -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
WESTCN_PASSWORD API password
WESTCN_USERNAME Username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
WESTCN_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
WESTCN_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 10)
WESTCN_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 120)
WESTCN_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Xinnet

Configuration for Xinnet.

  • Code: xinnet
  • Since: v5.0.0

Here is an example bash command using the Xinnet provider:

XINNET_SECRET="xxx" \
XINNET_AGENT_ID="agent12345" \
lego run --dns xinnet -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
XINNET_AGENT_ID Agent ID
XINNET_SECRET Application secret

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
XINNET_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
XINNET_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
XINNET_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
XINNET_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Yandex 360

Configuration for Yandex 360.

  • Code: yandex360
  • Since: v4.14.0

Here is an example bash command using the Yandex 360 provider:

YANDEX360_OAUTH_TOKEN=<your OAuth Token> \
YANDEX360_ORG_ID=<your organization ID> \
lego run --dns yandex360 -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
YANDEX360_OAUTH_TOKEN The OAuth Token
YANDEX360_ORG_ID The organization ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
YANDEX360_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
YANDEX360_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
YANDEX360_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
YANDEX360_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 21600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Yandex Cloud

Configuration for Yandex Cloud.

  • Code: yandexcloud
  • Since: v4.9.0

Here is an example bash command using the Yandex Cloud provider:

YANDEX_CLOUD_IAM_TOKEN=<base64_IAM_token> \
YANDEX_CLOUD_FOLDER_ID=<folder/project_id> \
lego run --dns yandexcloud -d '*.example.com' -d example.com

# ---

YANDEX_CLOUD_IAM_TOKEN=$(echo '{ \
  "id": "<string id>", \
  "service_account_id": "<string id>", \
  "created_at": "<datetime>", \
  "key_algorithm": "RSA_2048", \
  "public_key": "-----BEGIN PUBLIC KEY-----<rsa public key>-----END PUBLIC KEY-----", \
  "private_key": "-----BEGIN PRIVATE KEY-----<rsa private key>-----END PRIVATE KEY-----" \
}' | base64) \
YANDEX_CLOUD_FOLDER_ID=<yandex cloud folder(project) id> \
lego run --dns yandexcloud -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
YANDEX_CLOUD_FOLDER_ID The string id of folder (aka project) in Yandex Cloud
YANDEX_CLOUD_IAM_TOKEN The base64 encoded json which contains information about iam token of service account with dns.admin permissions

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
YANDEX_CLOUD_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
YANDEX_CLOUD_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
YANDEX_CLOUD_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

IAM Token

The simplest way to retrieve IAM access token is usage of yc-cli, follow docs to get it

yc iam key create --service-account-name my-robot --output key.json
cat key.json | base64

More information

May 5, 2026

Yandex PDD

Configuration for Yandex PDD.

  • Code: yandex
  • Since: v3.7.0

Here is an example bash command using the Yandex PDD provider:

YANDEX_PDD_TOKEN=<your PDD Token> \
lego run --dns yandex -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
YANDEX_PDD_TOKEN Basic authentication username

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
YANDEX_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
YANDEX_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
YANDEX_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
YANDEX_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 21600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Zilore

Configuration for Zilore.

  • Code: zilore
  • Since: v5.0.0

Here is an example bash command using the Zilore provider:

ZILORE_ACCESS_KEY="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns zilore -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ZILORE_ACCESS_KEY Access key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ZILORE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ZILORE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ZILORE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ZILORE_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Zone.ee

Configuration for Zone.ee.

  • Code: zoneee
  • Since: v2.1.0

Here is an example bash command using the Zone.ee provider:

ZONEEE_API_USER=xxxxx \
ZONEEE_API_KEY=yyyyy \
lego run --dns zoneee -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ZONEEE_API_KEY API key
ZONEEE_API_USER API user

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ZONEEE_ENDPOINT API endpoint URL
ZONEEE_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ZONEEE_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 5)
ZONEEE_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 300)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

ZoneEdit

Configuration for ZoneEdit.

  • Code: zoneedit
  • Since: v4.25.0

Here is an example bash command using the ZoneEdit provider:

ZONEEDIT_USER="xxxxxxxxxxxxxxxxxxxxx" \
ZONEEDIT_AUTH_TOKEN="xxxxxxxxxxxxxxxxxxxxx" \
lego run --dns zoneedit -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ZONEEDIT_AUTH_TOKEN Authentication token
ZONEEDIT_USER User ID

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ZONEEDIT_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ZONEEDIT_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ZONEEDIT_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information

May 5, 2026

Zonomi

Configuration for Zonomi.

  • Code: zonomi
  • Since: v3.5.0

Here is an example bash command using the Zonomi provider:

ZONOMI_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
lego run --dns zonomi -d '*.example.com' -d example.com

Credentials

Environment Variable Name Description
ZONOMI_API_KEY User API key

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

Additional Configuration

Environment Variable Name Description
ZONOMI_HTTP_TIMEOUT API request timeout in seconds (Default: 30)
ZONOMI_POLLING_INTERVAL Time between DNS propagation check in seconds (Default: 2)
ZONOMI_PROPAGATION_TIMEOUT Maximum waiting time for DNS propagation in seconds (Default: 60)
ZONOMI_TTL The TTL of the TXT record used for the DNS challenge in seconds (Default: 3600)

The environment variable names can be suffixed by _FILE to reference a file instead of a value. More information here.

More information