acme.sh DNS Plugin
The dns_nsin plugin lets acme.sh solve the ACME DNS-01 challenge by creating and removing _acme-challenge TXT records on your NSIN zone automatically. This is the way to get wildcard certificates (*.example.com), which require DNS validation.
It authenticates with an API key — the same key you use for the REST API — so there are no separate DNS credentials to manage.
Requirements
Section titled “Requirements”- Your domain is on NSIN and its records are managed here (NSIN is authoritative for the zone).
- A non read-only API key. DNS-01 creates and deletes TXT records, so a read-only key will be rejected on the write. Create one at panel.nsin.ir → Settings → API Keys.
Install
Section titled “Install”Download the plugin: dns_nsin.sh
Copy it into your acme.sh dnsapi/ directory (~/.acme.sh/dnsapi/), or use it in place if you have the acme.sh source checked out:
curl -o ~/.acme.sh/dnsapi/dns_nsin.sh https://nsin.ir/docs/dns_nsin.shConfigure
Section titled “Configure”Export your key once — acme.sh saves it to account.conf and reuses it on every renewal:
export NSIN_Api_Key="nsin_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"| Variable | Required | Description |
|---|---|---|
NSIN_Api_Key | yes | Your NSIN API key (starts with nsin_, not read-only). |
NSIN_Api | no | Override the API base URL. Defaults to https://api.nsin.ir. |
Issue a certificate
Section titled “Issue a certificate”# Single hostnameacme.sh --issue --dns dns_nsin -d example.com -d www.example.com
# Wildcard (requires DNS-01)acme.sh --issue --dns dns_nsin -d example.com -d '*.example.com'acme.sh calls the plugin to add each _acme-challenge TXT record, waits for propagation, then removes the records after validation. Wildcard and apex challenges share the same name (_acme-challenge) with two different values — the plugin adds each as its own record and removes them individually, so both are handled correctly.
How it works
Section titled “How it works”- Add —
POST /domains/{domain}/records/with{"name":"_acme-challenge","type":"TXT","destination":"<value>"}. - Remove — lists records, finds the TXT whose value matches the challenge, and calls
DELETE /domains/{domain}/records/{id}.
The plugin auto-detects the registrable zone by matching the challenge name against your account’s domain list, so subdomain certs (_acme-challenge.sub.example.com) work without extra configuration.
Troubleshooting
Section titled “Troubleshooting”read-only API key/403— the key is read-only; create a new key with write access.invalid domain— the domain isn’t in your NSIN account, or the key’s user doesn’t have access to it. Confirm it appears inGET /domains/.- Validation fails — DNS may not have propagated yet. Add
--dnssleep 60(or higher) so acme.sh waits before asking the CA to validate. - Run with
--debug 2to see the exact API requests and responses.