Secure automated certbot DNS-01 validation?


We’re looking to perform secure, automated DNS-01 validation via certbot/LetsEncrypt as we’d like to use a wildcard cert.

I don’t see a way in Cloudflare to limit access to a single TXT record.

Just wondering if anyone has found a good, secure, inexpensive way to do this that in case of the API key being stolen won’t result in free reign of our DNS zone being given to an attacker.

I do not think there is a good way to do this today. I asked my CSE about exactly this restriction recently, as I expect it is relatively common to have to use DNS-01 without wanting to expose the complete DNS zone to modification.

You could build your own API using Workers to do something similar, with your own (i.e. non Cloudflare) API keys being accepted by your own app, and proxying authorised requests to the Cloudflare API. You would have to build your own validation hook script to use with or similar client. (No idea if putting API keys inside a worker is a good or bad idea.)


My frustration is that they were SO CLOSE! They started working on API tokens but it sounds like they decided that constraining API tokens to a single record was not useful to their users.

It looks like what we’ll likely do is either use ACME-DNS ( and delegate the TXT record to it, or just set up a machine inside our network that can only get out and have it perform the necessary modifications.

The impression I got from my CSE was that API tokens are a work in progress, and that more granular control will come eventually (for some definition of ‘eventually’).

1 Like

That would be great, and I hope they go that route. Thanks for the info.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.