ACME-DNS provider for DNS-AUTH01 of ACME certificates setup?

Your question

I’m busy setting up a Stalwart deployment from scratch (okay, I attempted using Claude.Code to get things going…) and the one thing that I noticed is that there are now ~60 DNS providers, but nothing for acme-dns as implemented in acme-dns/acme-dns on GitHub (Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely) as a method of not providing DNS API keys to stalwart/caddy/etc.

What are the plans for adding something like acme-dns together with the current dns crate?

If I were to implement it myself, I assume it’ll have to be done with my own certbot or acme.sh and hook scripts. Is there any documentation already written for this solution?



Here’s the current picture:

Stalwart does not have a built-in acme-dns (acme-dns/acme-dns) provider. The DNS-01 challenge support in Stalwart works by having Stalwart write _acme-challenge TXT records directly through one of its supported DNS providers (Cloudflare, Route 53, Google Cloud DNS, OVH, deSEC, DigitalOcean, Bunny DNS, Porkbun, DNSimple, Spaceship, or a BIND-compatible server via RFC 2136 TSIG/SIG0). The acme-dns project acts as a CNAME delegation target with its own minimal API, but that API is not among the current integrations.

For your workaround using an external tool (certbot / acme.sh with acme-dns hooks): the clean path is to use Stalwart’s Manual certificate mode. Once your external tool issues/renews the certificate, you upload the PEM certificate and private key into a Certificate object via the WebUI (Settings > TLS > Certificates). Stalwart matches incoming TLS connections by SNI against the SANs of every installed certificate automatically, so there is no binding step. For renewals, you simply overwrite the existing Certificate record’s certificate and privateKey fields (or add a new Certificate with the same SAN set before the old one expires). You can also point those fields at a file path on disk, which makes it easy to wire in a certbot/acme.sh deploy hook that writes the renewed files and then triggers a task.

There is no specific documentation for the acme-dns + external-ACME-client workflow, but the manual certificate docs cover everything Stalwart’s side needs:

As for adding acme-dns as a native Stalwart DNS provider, that would be a feature request - a human community or staff member can speak to the roadmap.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
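As an added example for this thread (not code from Stalwart, acme-dns, certbot or the bot reply), here is a certbot hook pair that ties the acme-dns delegation the question asks about to the manual-certificate path the bot describes. It assumes the acme-dns HTTP API as documented by the acme-dns/acme-dns project (POST /register returning username, password, fulldomain and subdomain; POST /update authenticated with X-Api-User and X-Api-Key headers and accepting a 43-character txt value), certbot's hook environment variables (CERTBOT_DOMAIN, CERTBOT_VALIDATION, RENEWED_LINEAGE), and placeholder names for the acme-dns server, the account file and the directory that Stalwart's certificate/privateKey fields point at.

```python
"""Certbot hooks for an acme-dns delegated DNS-01 challenge, feeding Stalwart's
manual certificate mode. Added example for this thread; not code from Stalwart,
acme-dns or certbot. Names marked "placeholder" are assumptions."""
import json
import os
import sys
import urllib.request

ACME_DNS_URL = "https://auth.example.org"      # placeholder acme-dns server
ACCOUNTS_FILE = "/etc/acme-dns/accounts.json"   # placeholder: {domain: account}
STALWART_CERT_DIR = "/etc/stalwart/certs"       # placeholder: directory the Certificate fields reference


def http_post(url, body, headers):
    """Default transport: JSON POST, returns (status, decoded JSON body)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, json.loads(resp.read().decode())


class AcmeDnsClient:
    """Minimal acme-dns client; the transport is injectable so it runs offline."""

    def __init__(self, base_url, transport=http_post):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def register(self, allow_from=None):
        """POST /register, done once per domain. Returns the account dict
        (username, password, fulldomain, subdomain). That credential can only
        rewrite this one TXT record, which is the point versus a zone-wide key."""
        body = {"allowfrom": allow_from} if allow_from else {}
        status, account = self.transport(self.base_url + "/register", body, {})
        if status != 201:
            raise RuntimeError(f"acme-dns register failed: {status} {account}")
        return account

    def update(self, account, txt):
        """POST /update: set the TXT value served at account['fulldomain']."""
        if len(txt) != 43:  # acme-dns rejects other lengths; DNS-01 digests are 43 chars
            raise ValueError("acme-dns requires a 43-character validation string")
        headers = {"X-Api-User": account["username"], "X-Api-Key": account["password"]}
        status, result = self.transport(
            self.base_url + "/update",
            {"subdomain": account["subdomain"], "txt": txt}, headers)
        if status != 200:
            raise RuntimeError(f"acme-dns update failed: {status} {result}")
        return result


def cname_record(domain, fulldomain):
    """Zone line added once, so the CA follows _acme-challenge into acme-dns."""
    return f"_acme-challenge.{domain}. IN CNAME {fulldomain}."


def auth_hook(env, client, accounts):
    """certbot --manual-auth-hook: publish CERTBOT_VALIDATION for CERTBOT_DOMAIN."""
    domain = env["CERTBOT_DOMAIN"]
    if domain not in accounts:
        raise KeyError(f"no acme-dns account registered for {domain}")
    return client.update(accounts[domain], env["CERTBOT_VALIDATION"])


def deploy_hook(env, dest_dir):
    """certbot --deploy-hook: copy the renewed PEMs to the paths Stalwart's
    certificate/privateKey fields reference. Each file is written to a temp
    name and swapped in with os.replace, so Stalwart never reads a half-written
    file; the private key ends up mode 0600. Returns the paths written."""
    lineage = env["RENEWED_LINEAGE"]
    written = []
    for name, mode in (("fullchain.pem", 0o644), ("privkey.pem", 0o600)):
        with open(os.path.join(lineage, name), "rb") as f:
            data = f.read()
        target = os.path.join(dest_dir, name)
        tmp = target + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, mode)  # os.open honours umask; enforce the intended mode
        os.replace(tmp, target)
        written.append(target)
    return written


if __name__ == "__main__":
    if "CERTBOT_VALIDATION" in os.environ:
        with open(ACCOUNTS_FILE) as f:
            auth_hook(os.environ, AcmeDnsClient(ACME_DNS_URL), json.load(f))
    elif "RENEWED_LINEAGE" in os.environ:
        deploy_hook(os.environ, STALWART_CERT_DIR)
    else:
        sys.exit("run as a certbot --manual-auth-hook or --deploy-hook")
```

Usage: call `register()` once per hostname, store the returned account under that hostname in the accounts file, and add the `cname_record(...)` line to the real zone. After that the same script serves both `certbot certonly --manual --preferred-challenges dns --manual-auth-hook` and `--deploy-hook`; the real zone's API keys never touch the mail host, and the only credential on it can rewrite one `_acme-challenge` TXT value (further restricted by acme-dns' `allowfrom` CIDR list if you pass one at registration).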

Okay, the question then is whether the developers will include this in the future?

There’s no acme-dns provider in dns-update today and no plan for one, as it does not offer all the features that Stalwart needs for DNS management. The nearest existing primitive is the RFC 2136 provider, which Stalwart already uses.

Yeah, for the "big picture" I agree; the question was specific to the DNS-AUTH part of ACME certificates.