Forum Discussion

Icon for Cirrocumulus rank

Cirrocumulus

Nov 25, 2025

ACME DNS RFC-2136 Let's Encrypt certs

I've been pushing on certbot to handle CNAME entries when ordering certs, and finally given up.

This repo contains scripts that:

Create an ACME account with Let's Encrypt
use TSIG credentials to talk to bind (RFC-2136)
create TXT record in correct zone by following CNAME and SOA entries if present
downloads certs
installs certs on one or more F5s.

The F5 credentials requires Administrator rights as Certificate Manager can't upload files.

https://github.com/timriker/certmgr

CNAME records are recommended to a zone with minimal or no replication and a low TTL. ie:

_acme-challenge.example.com CNAME example.com._tls.example.com
_acme-challenge.example.net CNAME example.net._tls.example.com
_tls.example.com would have one name server and 30 second TTL or so
a TSIG key would be created that only needs update access to _tls.example.com

Comments welcome. JRahm I'm looking at you. 😎

More info:

https://letsencrypt.org/docs/challenge-types/

1 Reply

TimRiker
Cirrocumulus
Dec 09, 2025
Posted some bug fixes and updated the documentation.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

Bram - January 2026 Featured Member

DevCentral News

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

Community Articles

application delivery

container ingress services

F5 Architecture Track Sessions - AppWorld 2026

DevCentral News

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5