ACME DNS Challenge Delegation as a Service

Get your SSL/TLS certificates via DNS-01 validation without managing DNS infrastructure. Just set a CNAME and we handle the rest.

Start for Free
# Point your ACME challenge to our server
$ _acme-challenge.yourdomain.com. CNAME token123.acmedns.org.

# That's it. Your ACME client handles the rest.

How it works

1

Create a CNAME record

Point _acme-challenge.yourdomain.com to the unique delegation target we provide you (e.g. abc123.auth.acmedns.org).

2

Request your certificate

Use any ACME client (certbot, acme.sh, Caddy, etc.) and select DNS-01 challenge. The client contacts the CA.

3

We respond to the challenge

The CA queries your CNAME, which resolves to our server. We automatically provide the correct TXT response to validate your domain.

4

Certificate issued

The CA verifies the response, issues your certificate, and your ACME client installs it. Done. Fully automated renewals work the same way.

Why use acmedns.org

~

No DNS API needed

Works with any DNS provider. You only need to set a single CNAME record once. No API credentials, no complex DNS provider plugins.

*

Wildcard certificates

DNS-01 is the only ACME challenge type that supports wildcard certificates. Get *.yourdomain.com with ease.

#

No port 80/443 required

Unlike HTTP-01, DNS validation doesn't require any open ports. Perfect for internal servers, firewalled hosts, or load-balanced setups.

>

Set it and forget it

One-time CNAME setup. All future certificate issuances and renewals work automatically without any DNS changes.

+

Multi-domain support

Up to 500 domains per subscription. Manage all your domains' SSL certificates through a single service.

@

Any ACME client

Compatible with certbot, acme.sh, lego, Caddy, Traefik, and any other client that supports DNS-01 challenges.

Security Notice

Important: Understand what you are delegating

By creating a CNAME for _acme-challenge.yourdomain.com pointing to our service, you are delegating the ability to respond to ACME DNS-01 challenges for your domain to us.

  • This means our service can prove control over your domain to any ACME-compatible Certificate Authority.
  • We can only respond to _acme-challenge TXT queries — we have no access to your other DNS records, your website, or your server.
  • We cannot intercept, redirect, or modify any of your traffic.
  • Certificates issued are logged in public Certificate Transparency (CT) logs, so any issuance is fully auditable.
  • You can revoke delegation at any time by removing the CNAME record.

Solution: Restrict certificate issuance with CAA records

You can further secure your domain by setting a CAA (Certification Authority Authorization) DNS record. This restricts which CAs can issue certificates for your domain and can even limit issuance to your specific ACME account:

yourdomain.com. CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456; validationmethods=dns-01"

This ensures that only your own ACME account can request certificates for your domain — even if the DNS-01 challenge is delegated to us. Replace 123456 with your actual Let's Encrypt account ID.

We take this trust seriously. Our infrastructure is hardened, access-controlled, and monitored. However, as with any delegation, you should understand the trust relationship involved.

Pricing

Free Trial

Try it out, no credit card required

Free
30 days
  • Up to 5 domains
  • Unlimited certificate issuances
  • Wildcard certificate support
  • All ACME clients supported
  • Email support
Start Free Trial
Most Popular

Professional

For professionals and businesses

€49.90
/ year
  • Up to 500 domains
  • Unlimited certificate issuances
  • Wildcard certificate support
  • All ACME clients supported
  • Email support
Order Subscription
14-day money-back guarantee — no questions asked.