Tools implementing deSEC

I vaguely recall that for certbot, there’s something like you are doing for acme.sh (thanks for pushing this!), but I can’t find it just now. Will update this post if I find it.

That said, it eludes me why one should rotate the private key frequently. OTOH, exercising the process might be enough justification in itself …

Stay secure,
Peter

1 Like

https://github.com/tlsaware/danebot:

danebot is a certbot wrapper that helps to avoid SMTP outages due to mismatched TLSA records resulting from a Let’s Encrypt automated certificate renewal.

@mdbraber

1 Like

Hi there!

If you are still using dehydrated - like me :innocent: - the following hook might be interesting:

dehydrated_desec

1 Like

Cloudron recently added support for using domains hosted on deSEC. They are currently facing some issues regarding DNS-based Let’s Encrypt challenges timing out. Cloudron is an amazing product that I think aligns with the ethos of deSEC. Maybe someone has an idea how they could solve their issue and bring full deSEC support?

Thanks, I’ve included it in the top post.

Stay secure,
Peter

1 Like

uacme has a 3rd party hook for doing DNS-01 challenge; GitHub - ndilieto/uacme: ACMEv2 client written in plain C with minimal dependencies

1 Like

Hi quite,

Thanks for your message, and welcome to deSEC! :slight_smile:

We’ve added your suggestion to the list at the top.

Stay secure,
Peter

1 Like

Created this quick and dirty script. May save time for someone.
Noob friendly, will guide you.

Intended to be used with

2 Likes

DynDNS shell script for deSEC:

@FilleMang @KapernMagIchNicht We’ve included your suggestions in the top post!

Stay secure,
Peter

3 Likes

Hi there, I’ve been using deSEC for a year and decided to write a webhook provider for ExternalDNS.
Still under development, but contributions are welcome :slight_smile:

Ferron

Ferron v2 ( GitHub - ferronweb/ferron at develop-2.x ) also supports deSEC.

    auto_tls
    auto_tls_contact "E-MAIL"
    auto_tls_cache "letsencrypt-cache"
    auto_tls_letsencrypt_production
    auto_tls_challenge "dns-01" provider="desec" api_token="TOKEN"

Stalwart

Stalwart dns-update (GitHub - stalwartlabs/dns-update: Dynamic DNS update library for Rust) and therefore Stalwart ( GitHub - stalwartlabs/stalwart: All-in-one Mail & Collaboration server. Secure, scalable and fluent in every protocol (IMAP, JMAP, SMTP, CalDAV, CardDAV, WebDAV). ). But there is sometimes a propagation timeout. Discussion at TLS ACME provider deSEC returns "Bad request" · stalwartlabs/stalwart · Discussion #2098 · GitHub

Tip for Caddy

    https://*.DOMAIN:8443 {
            log
            log_skip /health
            log_skip /metrics

            tls {
                    dns desec {
                            token "TOKEN"
                    }
                    propagation_delay 2m
            }
            respond /health 200 {
                    close
            }

            encode {
                    br 8 15
                    gzip 5
                    zstd
            }

            root "/wwwroot/"

            file_server {
                    precompressed br gzip
            }
    }

Hi @al-desecnone.at,

Welcome to deSEC, and thanks for your message!

What would be a good link to include in the top post of this thread (such as: documentation how to use deSEC with Ferron)?

Stay secure,
Peter

2 Likes

I would say this link is the best one: Automatic TLS - Ferron

Done!

Stay secure,
Peter

1 Like