8x48/acme.sh
1
0
Fork 0
mirror of https://github.com/acmesh-official/acme.sh.git synced 2026-05-18 11:53:56 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
Page: DNS persist mode
Pages
ARI Actalis.com CA Blogs and tutorials BuyPass.com CA CA Change of default CA to ZeroSSL Code of conduct DNS API Dev Guide DNS API Structural Info description DNS API Test DNS alias mode DNS manual mode DNS persist mode Deploy ssl certs to apache server Deploy ssl certs to nginx Deploy ssl to SolusVM Donate list Enable acme.sh log Exit Codes Explicitly use DOH Google Public CA Google Trust Services CA Home How to debug acme.sh How to install How to issue a cert How to run on DD WRT with lighttpd How to run on OpenWrt How to use Amazon Route53 API How to use Azure DNS How to use OVH domain api How to use Oracle Cloud Infrastructure DNS How to use lexicon DNS API How to use on Solaris based operating sytsems How to use on embedded FreeBSD Install in China Install on Windows Install preparations Issue a cert from existing CSR OVH Success Options and Params Preferred Chain Profile selection Run acme.sh in docker SSL.com CA Server Simple guide to add TLS cert to cpanel Stateless Mode Synology NAS Guide Synology RT1900ac and RT2600ac install guide TLS ALPN without downtime Usage on Tomato routers Use DNS Exit DNS API Using pre hook post hook renew hook reloadcmd Using systemd units instead of cron Utilize multiple DNS API keys Validity ZeroSSL.com CA _Footer_ debug in VM deploy to docker containers deployhooks dnsapi dnsapi2 dnscheck dnssleep how about the private key access modes, chmod, or chown or umask ipcert notify openvpn2.4.7服务端和客户端使用注意 revokecert sudo tlsa next key 如何安装 说明
Clone
1
DNS persist mode
neil edited this page 2026-05-01 15:12:07 +02:00
Table of Contents

DNS persist mode lets you publish a single, long-lived TXT record once in your zone and then issue / renew certificates forever without further DNS edits — including unattended cron renewals.

It implements draft-ietf-acme-dns-persist-01, an IETF draft that defines a persistent DNS authorization record at _validation-persist.<your-domain>.

Why use it

DNS validation has historically forced a tradeoff:

Mode Auto-renewal Needs API access
DNS API mode Yes Required
DNS manual mode No (manual every renewal) Not needed
DNS persist mode Yes Not needed

If your DNS provider does not offer an API, but you can edit your zone once, DNS persist is the right mode. Renewals are fully automatic afterwards.

Step 1: Print the TXT record value

acme.sh --make-dns-persist-value -d example.com

You'll get an output like:

TXT persist domain:_validation-persist.example.com
TXT persist value :"letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456789"

The TXT value is human-readable text in the syntax of RFC 8659 §4.2:

issuer-domain-name; accounturi=<your-account-uri>[; policy=wildcard]

If the CA's directory advertises multiple caaIdentities (e.g. ZeroSSL lists sectigo.com, trust-provider.com, etc.), one TXT record per identity is printed — you only need to add ANY ONE of them.

Optional flags for --make-dns-persist-value

Flag Description
--server <ca> Pick the CA. The account is registered automatically if you have not used this CA before. Default is your configured default CA.
--dns-persist-wildcard Adds policy=wildcard to the record so it also authorizes wildcard / subdomain certs.
--dns-persist-ca-name <name> Use a specific CA identity domain (e.g. ssl.com). If omitted, identities are read from the ACME directory's caaIdentities field.
--dns-persist-days <N> Adds a persistUntil field to the record so it self-expires N days from now. After that timestamp, the CA will refuse new validations against this record. Useful if you want a time-bounded authorization. Omit for a record with no expiry.

Examples:

# Let's Encrypt
acme.sh --make-dns-persist-value -d example.com --server letsencrypt

# Wildcard policy (also authorizes *.example.com)
acme.sh --make-dns-persist-value -d example.com --dns-persist-wildcard

# Force a specific issuer name
acme.sh --make-dns-persist-value -d example.com --dns-persist-ca-name "ssl.com"

# Self-expire the authorization after 365 days
acme.sh --make-dns-persist-value -d example.com --dns-persist-days 365

Step 2: Add the TXT record at your DNS provider

Use whatever interface your DNS provider gives you to add the TXT record. The name is _validation-persist.<your-domain> and the value is the quoted string from the previous step.

Wait for DNS propagation (usually a few minutes).

Step 3: Issue the certificate

acme.sh --issue -d example.com --dns-persist

The CA reads your persistent TXT record directly — no challenge token is provisioned during issuance. This is the key difference vs. dns-01 / DNS API modes.

Renewal

Cron will renew automatically — the same TXT record is reused forever. Combined with ARI, the CA also picks the renewal time for you, so the entire lifecycle is unattended.

# Manual renewal also works:
acme.sh --renew -d example.com

Trust model & security notes

The persistent TXT record contains your ACME account URI. This means:

  • Only the holder of the corresponding ACME account key (i.e. you, on this machine) can issue certs for your domain through this record.
  • Anyone reading your DNS sees your account URI. The account URI itself is not a secret — it identifies the account, but you also need the matching private key to use it. No issue.
  • If you lose your ACME account key (for example, you reinstall and don't restore ~/.acme.sh/), the TXT record becomes useless. You'll need to print and re-publish a new one with the new account.
  • If you want to revoke this authorization, simply delete the TXT record.

Wildcard policy

By default the record only authorizes the exact FQDN. Add policy=wildcard (via --dns-persist-wildcard) to additionally authorize:

  • The base domain
  • *.<base domain> wildcards
  • Specific subdomains under it

Compatibility

DNS persist is an IETF draft. Check that your CA implements it before relying on it.

Related