DNS-PERSIST-01 Challenge

This guide explains how to get and renew a certificate with the DNS-PERSIST-01 challenge.

Note

The RFC is still a draft.
This is currently not available in most CA production.

Important

This challenge could be less secure than DNS-01 due to its requirements.

This is especially true if your DNS provider does not offer any way to limit the access controls to the specific persistent record required by the DNS-PERSIST-01 challenge.

7. Security Considerations
9.5. DNS Provider Considerations

The security of this challenge relies primarily on protecting your account’s private key.

Execute the following command:

lego run -d 'example.com' --dns-persist

Create a .lego.yml file with the following content:

certificates:
  foo:
    challenge: dns-persist-01
    domains:
      - example.com

And execute:

lego