challenges.addr.tools - dns-01 ACME challenge helper zone
$ curl -d "foo" "https://challenges.addr.tools/1SuperSecretPassphrase"
9afcdffa…086ca968.challenges.addr.tools
$ dig 9afcdffa…086ca968.challenges.addr.tools txt +short
"foo"
The DNS zone "challenges.addr.tools" is meant to ease the use of dns-01 ACME challenges in automated or batch TLS certificate issuance from certificate authorities such as Let's Encrypt.
Let ‹challenge› be a dns-01 ACME challenge validation string, ‹secret› be a random alphanumeric string (or Base64) of at least 14 characters in length, and ‹sha224› be the SHA-224 hash of ‹secret›.
A POST to "https://
A GET to "https://
"‹sha224›.challenges.addr.tools" is meant to be the target of a CNAME at your "_acme-challenge" subdomain.
Say you want to obtain a wildcard TLS certificate for example.com from Let's Encrypt using Certbot.
First, pick a random alphanumeric string. This string acts like a password and must be at least 14 characters long.
We'll use "1SuperSecretPassphrase".
Add a CNAME record pointing "_acme-challenge.example.com" at the subdomain of "challenges.addr.tools" whose name is the SHA-224 hex digest of "1SuperSecretPassphrase". The record should look similar to the one in the EXAMPLE section below:
Now when Let's Encrypt queries "_acme-challenge.example.com" for the challenge TXT record, they will follow the CNAME
to "9afcdffa…086ca968.challenges.addr.tools". We can give Certbot a command to automatically add the challenge TXT
record to that domain:
$ certbot certonly \
--manual \
--manual-auth-hook 'curl -d "$CERTBOT_VALIDATION" "https://challenges.addr.tools/1SuperSecretPassphrase"' \
--preferred-challenges dns \
-d example.com \
-d '*.example.com'
EXAMPLE
Name: _acme-challenge.example.com
Type: CNAME
Target: 9afcdffa0d7a6d6f0140cadea70a9f62d58a96dd5d50f268086ca968.challenges.addr.tools
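The derivation above (secret -> SHA-224 -> CNAME target, and the matching update URL and Certbot auth hook), worked through as an added example that is not part of the zone's documentation or tooling. The secret-format check follows the stated rule (at least 14 alphanumeric or Base64 characters); percent-encoding the secret in the URL path is an assumption, since the page does not say how Base64 "/" or "+" characters are handled.

```python
import hashlib
import re
import shlex
from urllib.parse import quote

ZONE = "challenges.addr.tools"
# Page rule: a random alphanumeric (or Base64) string of at least 14 characters.
SECRET_RE = re.compile(r"^[A-Za-z0-9+/=]{14,}$")


def secret_is_valid(secret: str) -> bool:
    """True when the secret meets the zone's stated minimum."""
    return bool(SECRET_RE.match(secret))


def challenge_name(secret: str) -> str:
    """The <sha224>.challenges.addr.tools name the CNAME must point at.

    Only the SHA-224 of the secret is published in DNS; the secret itself
    (the credential that can write the TXT record) never appears in the zone.
    """
    if not secret_is_valid(secret):
        raise ValueError("secret must be >= 14 alphanumeric/Base64 characters")
    digest = hashlib.sha224(secret.encode("ascii")).hexdigest()
    return f"{digest}.{ZONE}"


def cname_record(domain: str, secret: str) -> dict:
    """Record to add in your own zone for _acme-challenge.<domain>."""
    return {"Name": f"_acme-challenge.{domain}", "Type": "CNAME",
            "Target": challenge_name(secret)}


def update_url(secret: str) -> str:
    """URL that the validation string is POSTed to.
    Assumption: the secret is percent-encoded so Base64 '/' and '+' survive in the path."""
    challenge_name(secret)  # reuse the format check
    return f"https://{ZONE}/{quote(secret, safe='')}"


def auth_hook_command(secret: str) -> str:
    """Shell string for certbot --manual-auth-hook; certbot sets CERTBOT_VALIDATION."""
    return f'curl -d "$CERTBOT_VALIDATION" {shlex.quote(update_url(secret))}'


def cname_matches_secret(target: str, secret: str) -> bool:
    """Check that an existing CNAME target really corresponds to the secret you hold,
    so a stale or mistyped record is caught before issuance is attempted."""
    return target.rstrip(".").lower() == challenge_name(secret)
```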
SEE ALSO