For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Icon for Cirrocumulus rank

Cirrocumulus

Nov 25, 2025

ACME DNS RFC-2136 Let's Encrypt certs

I've been pushing on certbot to handle CNAME entries when ordering certs, and finally given up.

This repo contains scripts that:

Create an ACME account with Let's Encrypt
use TSIG credentials to talk to bind (RFC-2136)
create TXT record in correct zone by following CNAME and SOA entries if present
downloads certs
installs certs on one or more F5s.

The F5 credentials requires Administrator rights as Certificate Manager can't upload files.

https://github.com/timriker/certmgr

CNAME records are recommended to a zone with minimal or no replication and a low TTL. ie:

_acme-challenge.example.com CNAME example.com._tls.example.com
_acme-challenge.example.net CNAME example.net._tls.example.com
_tls.example.com would have one name server and 30 second TTL or so
a TSIG key would be created that only needs update access to _tls.example.com

Comments welcome. JRahm I'm looking at you. 😎

More info:

https://letsencrypt.org/docs/challenge-types/

1 Reply

TimRiker
Cirrocumulus
Dec 09, 2025
Posted some bug fixes and updated the documentation.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

F5 Academy at AppWorld 2026

DevCentral News

Introducing the F5 AI Assistant for BIG-IP

Technical Articles

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5