رفتن به محتوا

acme.sh DNS Plugin

این محتوا هنوز به زبان شما در دسترس نیست.

The dns_nsin plugin lets acme.sh solve the ACME DNS-01 challenge by creating and removing _acme-challenge TXT records on your NSIN zone automatically. This is the way to get wildcard certificates (*.example.com), which require DNS validation.

It authenticates with an API key — the same key you use for the REST API — so there are no separate DNS credentials to manage.

  • Your domain is on NSIN and its records are managed here (NSIN is authoritative for the zone).
  • A non read-only API key. DNS-01 creates and deletes TXT records, so a read-only key will be rejected on the write. Create one at panel.nsin.ir → Settings → API Keys.

Download the plugin: dns_nsin.sh

Copy it into your acme.sh dnsapi/ directory (~/.acme.sh/dnsapi/), or use it in place if you have the acme.sh source checked out:

Terminal window
curl -o ~/.acme.sh/dnsapi/dns_nsin.sh https://nsin.ir/docs/dns_nsin.sh

Export your key once — acme.sh saves it to account.conf and reuses it on every renewal:

Terminal window
export NSIN_Api_Key="nsin_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
VariableRequiredDescription
NSIN_Api_KeyyesYour NSIN API key (starts with nsin_, not read-only).
NSIN_ApinoOverride the API base URL. Defaults to https://api.nsin.ir.
Terminal window
# Single hostname
acme.sh --issue --dns dns_nsin -d example.com -d www.example.com
# Wildcard (requires DNS-01)
acme.sh --issue --dns dns_nsin -d example.com -d '*.example.com'

acme.sh calls the plugin to add each _acme-challenge TXT record, waits for propagation, then removes the records after validation. Wildcard and apex challenges share the same name (_acme-challenge) with two different values — the plugin adds each as its own record and removes them individually, so both are handled correctly.

  • AddPOST /domains/{domain}/records/ with {"name":"_acme-challenge","type":"TXT","destination":"<value>"}.
  • Remove — lists records, finds the TXT whose value matches the challenge, and calls DELETE /domains/{domain}/records/{id}.

The plugin auto-detects the registrable zone by matching the challenge name against your account’s domain list, so subdomain certs (_acme-challenge.sub.example.com) work without extra configuration.

  • read-only API key / 403 — the key is read-only; create a new key with write access.
  • invalid domain — the domain isn’t in your NSIN account, or the key’s user doesn’t have access to it. Confirm it appears in GET /domains/.
  • Validation fails — DNS may not have propagated yet. Add --dnssleep 60 (or higher) so acme.sh waits before asking the CA to validate.
  • Run with --debug 2 to see the exact API requests and responses.