Service Overview
RWTS ACME DNS is a centralized DNS-01 challenge service that allows you to obtain SSL/TLS certificates for domains without exposing your internal DNS infrastructure. This is particularly useful for:
- Internal services - Get certificates for services not exposed to the internet
- Wildcard certificates - DNS-01 is required for wildcard certificates
- Automation - Centralized certificate management across multiple systems
- Security - No need to expose internal DNS servers
How It Works
- Register your domain with our service using your API key
- Add a CNAME record pointing to our DNS server
- Configure your ACME client to use our service
- Request certificates - the challenges are handled automatically
Note: You only need to set up the CNAME record once per domain. After that, all certificate requests are handled automatically.
Quick Start Guide
Step 1: Get Your API Key
Contact your administrator to obtain an API key for this service.
Step 2: Register Your Domain
Use the main interface to register your domain and get configuration files.
Step 3: Configure DNS
Add the CNAME record shown in the registration results to your domain's DNS.
Step 4: Set Up Your ACME Client
Configure certbot, acme.sh, or another ACME client using the downloaded configuration files.
Getting an API Key
API keys are required to use this service and must be obtained from your system administrator. Each API key:
- Is unique to your organization or project
- Has usage tracking and rate limiting
- May have an expiration date
- Can be revoked if compromised
Security: Treat your API key like a password. Store it securely and never share it in public repositories or logs.
Registering Domains
Using the Web Interface
- Go to the main page
- Select "Register New Domain"
- Enter your API key and domain name
- Click "Register Domain"
- Download the configuration files provided
Using the API Directly
curl -X POST https://acmedns.realworld.net.au/api/register \
-H "X-API-Key: your-api-key-here" \
-H "Content-Type: application/json" \
-d '{"domain": "example.com"}'
The response will include:
- subdomain - Your unique subdomain for challenges
- username/password - Credentials for ACME client configuration
- fulldomain - The full domain for ACME clients
DNS Configuration
After registering your domain, you need to add a CNAME record to your DNS. The CNAME delegates lookups for _acme-challenge.yourdomain.com to our DNS server, so the certificate authority's validator finds the challenge records there instead of in your own zone.
CNAME Record Format
Examples
For domain: example.com
For subdomain: api.example.com
For wildcard: *.example.com
Tip: You can verify your CNAME record with: dig _acme-challenge.yourdomain.com CNAME
Looking Up Configurations
If you've already registered a domain and need to retrieve the configuration:
Using the Web Interface
- Go to the main page
- Select "Look Up Configuration"
- Enter your API key and domain name
- View and download your configuration
Using the API
curl -X POST https://acmedns.realworld.net.au/api/lookup \
-H "X-API-Key: your-api-key-here" \
-H "Content-Type: application/json" \
-d '{"domain": "example.com"}'
Certbot Setup
Installation
# Install certbot and acme-dns plugin
pip install certbot certbot-dns-acmedns
Configuration
Create /etc/acmedns.ini with your credentials:
dns_acmedns_api_url = https://acmedns.realworld.net.au
dns_acmedns_registration_file = /etc/acmedns-registration.json
Create /etc/acmedns-registration.json with your domain registration:
{
"example.com": {
"username": "your-username",
"password": "your-password",
"fulldomain": "your-subdomain.acmedns.realworld.net.au",
"subdomain": "your-subdomain",
"allowfrom": []
}
}
Usage
# Get a certificate
certbot certonly \
  --dns-acmedns \
  --dns-acmedns-credentials /etc/acmedns.ini \
  -d example.com

# Get a wildcard certificate
certbot certonly \
  --dns-acmedns \
  --dns-acmedns-credentials /etc/acmedns.ini \
  -d "*.example.com" -d example.com
Note: Use the configuration files downloaded from our service to populate these files automatically.
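The script below is an added example, not part of the service's own tooling: it calls POST /api/register with the X-API-Key header, writes the certbot registration file above with mode 600 from the moment it is created, and derives and checks the CNAME record from the Registering Domains and DNS Configuration sections. It assumes the standard acme-dns convention that _acme-challenge.<domain> is CNAMEd to the returned fulldomain, and that a wildcard name is validated on its base domain's record; the sample response values are constructed.

```python
import json
import os
import stat
import urllib.request

API_BASE = "https://acmedns.realworld.net.au"  # service URL from the page


def register_domain(api_key, domain, api_base=API_BASE):
    """POST /api/register; returns the parsed JSON response
    (subdomain, username, password, fulldomain). Makes a network call."""
    body = json.dumps({"domain": domain}).encode()
    req = urllib.request.Request(
        f"{api_base}/api/register", data=body, method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def write_registration_file(path, domain, reg):
    """Write the certbot-dns-acmedns registration JSON. The file is opened
    with mode 0600 at creation, so the credentials are never readable by
    other users, not even between a create and a later chmod."""
    entry = {domain: {"username": reg["username"], "password": reg["password"],
                      "fulldomain": reg["fulldomain"], "subdomain": reg["subdomain"],
                      "allowfrom": []}}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a pre-existing file
    with os.fdopen(fd, "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def registration_file_mode(path):
    """Permission bits of a credential file (the 600 check from Troubleshooting)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def expected_cname(domain, fulldomain):
    """Record to add in your zone: _acme-challenge.<base> CNAME <fulldomain>.
    '*.example.com' is validated on example.com's record, so '*.' is stripped
    (assumption: standard acme-dns convention)."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", fulldomain.rstrip(".").lower()


def cname_matches(answer, fulldomain):
    """Compare a resolver's CNAME answer (dig prints a trailing dot) to the
    expected target, ignoring case and the trailing dot."""
    return answer.strip().rstrip(".").lower() == fulldomain.rstrip(".").lower()
```

Run `dig _acme-challenge.yourdomain.com CNAME +short` and pass its output to cname_matches together with the fulldomain from your registration to confirm the delegation before requesting a certificate.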
acme.sh Setup
Installation
curl https://get.acme.sh | sh
Configuration
Set up environment variables with your ACME DNS credentials:
export ACMEDNS_BASE_URL="https://acmedns.realworld.net.au"
export ACMEDNS_USERNAME="your-username"
export ACMEDNS_PASSWORD="your-password"
export ACMEDNS_SUBDOMAIN="your-subdomain"
Usage
# Get a certificate
acme.sh --issue --dns dns_acmedns -d example.com

# Get a wildcard certificate
acme.sh --issue --dns dns_acmedns -d "*.example.com" -d example.com
Lego Setup
Installation
# Download from https://github.com/go-acme/lego/releases
# Or install with Go:
go install github.com/go-acme/lego/v4/cmd/lego@latest
Configuration
Set environment variables:
export ACME_DNS_API_BASE="https://acmedns.realworld.net.au"
export ACME_DNS_STORAGE_PATH="/path/to/acmedns-registration.json"
Usage
# Get a certificate
lego --dns acme-dns --domains example.com --email you@example.com run

# Get a wildcard certificate
lego --dns acme-dns --domains "*.example.com" --email you@example.com run
Direct API Usage
Available Endpoints
POST /api/register
Register a new domain
curl -X POST https://acmedns.realworld.net.au/api/register \
  -H "X-API-Key: your-key" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'
POST /api/lookup
Look up existing domain configuration
curl -X POST https://acmedns.realworld.net.au/api/lookup \
  -H "X-API-Key: your-key" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'
GET /api/info
Get information about your API key
curl -H "X-API-Key: your-key" \
  https://acmedns.realworld.net.au/api/info
GET /api/health
Check service health
Rate Limits
- Domain Registration: 10 per minute
- Config Lookup: 20 per minute
- Key Info: 30 per minute
- Overall: 50 per hour, 200 per day
Troubleshooting
Common Issues
Certificate Request Fails
- Verify CNAME record is correctly configured
- Check that the CNAME points to the correct subdomain
- Ensure DNS propagation has completed (can take up to 48 hours)
- Test with:
dig _acme-challenge.yourdomain.com CNAME
API Key Issues
- Check that your API key hasn't expired
- Verify you're using the correct API key format
- Contact your administrator if the key appears invalid
- Check rate limits - you may need to wait before retrying
Configuration File Issues
- Ensure file permissions are correct (600 for credential files)
- Verify JSON format in registration files
- Check file paths in configuration files
- Re-download files if they appear corrupted
Getting Help
If you continue to experience issues:
- Check the service status at the health endpoint
- Review your API key information at the main interface
- Contact your system administrator with specific error messages
- Include your domain name and API key ID (not the full key) when reporting issues
Best Practices
Security
- Protect your API key - Store securely, don't commit to repositories
- Use appropriate file permissions - 600 for credential files
- Rotate keys regularly - Contact admin for key rotation
- Monitor usage - Check your key info regularly for unexpected usage
Automation
- Use systemd timers or cron - For automatic certificate renewal
- Implement proper error handling - Log failures and alert on issues
- Test renewals - Use --dry-run flags to test configurations
- Monitor expiration - Set up alerts for certificate expiration
Performance
- Respect rate limits - Don't exceed API limits
- Cache registrations - Only register domains once
- Use wildcard certificates - When appropriate for multiple subdomains
- Plan renewals - Spread renewal times to avoid rate limits