Adding DNS providers

Overview

Adding and renewing wildcard SSL certificates relies on Cloud 66 having API access to your DNS provider. To set up a DNS provider, follow the instructions below.

If your provider is not listed but supports the RFC 2136 protocol, consider using RFC 2136 instead.

Instructions per DNS provider

Each DNS provider has specific credentials that need to be created and then added to your Cloud 66 account. Find your provider below for more details.

Azure

Azure DNS requires a service principal (a Microsoft Entra ID, formerly Azure AD, app registration) with permission to manage your DNS zone. Cloud 66 needs five values: your subscription ID, tenant ID, client ID, client secret, and resource group.

  1. In the Azure portal, go to Microsoft Entra ID → App registrations and register a new application. This creates a service principal.
  2. Open the application's Certificates & secrets and create a new client secret, then copy its value (it is shown only once).
  3. On the resource group that contains your DNS zone, open Access control (IAM) and assign your service principal the DNS Zone Contributor role.
  4. Collect your Subscription ID, Directory (tenant) ID, Application (client) ID, the client secret value, and the resource group name.

You can now add Azure DNS to your Cloud 66 account using these credentials (see above).

Cloudflare

Cloudflare requires an API token, an API key, and the email address associated with your Cloudflare account in order to grant access to DNS management. You can generate a token using the Cloudflare web interface, and your key is listed on the same page:

  1. Log into your Cloudflare account
  2. Navigate to My Profile → API tokens
  3. Create a token with permissions over the required DNS zones (you can use the template they provide) - make sure you set the DNS permissions to Edit - and copy the resulting token
  4. View your Global API key (in the panel below your API tokens) and copy it
  5. Store both your API token and your API key somewhere safe

You can now add Cloudflare to your Cloud 66 account using these credentials (see above).

DigitalOcean

DigitalOcean requires an API token in order to grant access to DNS management. You can generate one using their web interface:

  1. Log into your DigitalOcean account
  2. Navigate to Applications & API
  3. Click Generate New Token
  4. Ensure the token has both read and write permissions
  5. Copy the token and keep it somewhere safe

You can now add DigitalOcean to your Cloud 66 account using these credentials (see above).

DNSimple

DNSimple requires an API token in order to grant access to DNS management. You can generate one using their web interface:

  1. Log into your DNSimple account
  2. Navigate to the account access token page
  3. Generate a new token
  4. Copy the token and keep it somewhere safe

You can now add DNSimple to your Cloud 66 account using these credentials (see above).

DnsMadeEasy

DnsMadeEasy requires an API key and Secret Key in order to grant access to DNS management. You can generate them using their web interface:

  1. Log into your DnsMadeEasy account
  2. Navigate to Config → Account Information
  3. Follow instructions on the page to generate API credentials
  4. Copy these keys and keep them somewhere safe

You can now add DnsMadeEasy to your Cloud 66 account using these credentials (see above).

Gehirn

Gehirn requires an API token and API secret in order to grant access to DNS management. You can generate them using their web interface:

  1. Log into your Gehirn account
  2. Create an API key pair (consult the documentation if you need help)
  3. Copy the credentials and keep them somewhere safe

You can now add Gehirn to your Cloud 66 account using these credentials (see above).

Google

Google Cloud DNS requires an API key in the form of a JSON-formatted file. You can generate a key file using their web interface.

  1. Create a Service Account on your Google account
  2. Ensure this account has the minimum permissions required for DNS management (see below)
  3. Create an API key under your service account and download it in JSON format.

You can now add Google Cloud DNS to your Cloud 66 account by uploading the JSON file (see above).

Minimum required permissions for Google account:

  • dns.changes.create
  • dns.changes.get
  • dns.changes.list
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.resourceRecordSets.create
  • dns.resourceRecordSets.delete
  • dns.resourceRecordSets.list
  • dns.resourceRecordSets.update

Hetzner

Hetzner requires an API token in order to grant access to DNS management. Generate the token in the Hetzner Console, not the older DNS Console at dns.hetzner.com, which is being retired.

  1. Log into your Hetzner Console
  2. Open your project and select Security from the left menu
  3. Click API tokens in the top menu bar
  4. Click Generate API token, enter a description, and select Read & Write permissions
  5. Copy the token and store it somewhere safe. Hetzner only displays the token once.

You can now add Hetzner to your Cloud 66 account using this token (see above).

Linode

Linode requires an API key in order to grant access to DNS management. You can generate one using their web interface.

  1. Log into your Linode account
  2. Navigate to the API tokens interface
  3. Create an API key
  4. Copy the key and keep it somewhere safe

You can now add Linode to your Cloud 66 account using this key (see above).

luaDNS

LuaDNS requires an API key and an associated email address in order to grant access to DNS management. You can generate the key and associate it with an email using their web interface.

  1. Log into your luaDNS account
  2. Navigate to the account settings interface
  3. Create an API key associated with an appropriate email address
  4. Copy the API key and keep it somewhere safe

You can now add luaDNS to your Cloud 66 account using these credentials (see above).

NS1

NS1 requires an API key in order to grant access to DNS management. You can generate one using their web interface.

  1. Log into your NS1 account
  2. Navigate to account settings
  3. Create an API key with DNS management privileges
  4. Copy the API key and keep it somewhere safe

You can now add NS1 to your Cloud 66 account using this API key (see above).

OVH

OVH requires four credentials to grant DNS management access:

  • An Application Key
  • An Application Secret
  • A Consumer Key
  • An endpoint

You can obtain these credentials from the following links, depending on which OVH region you use:

Note that the endpoint values here are the ones used in the credentials above.

The API credentials must grant permissions to the following API endpoints:

  • GET /domain/zone/*
  • PUT /domain/zone/*
  • POST /domain/zone/*
  • DELETE /domain/zone/*

The configuration above allows access to all domains in the OVH account. If you’d prefer to restrict access to a single domain, use the following format:

  • GET /domain/zone/
  • GET /domain/zone/<REQUIRED_DOMAIN>/*
  • PUT /domain/zone/<REQUIRED_DOMAIN>/*
  • POST /domain/zone/<REQUIRED_DOMAIN>/*
  • DELETE /domain/zone/<REQUIRED_DOMAIN>/*

Once you have created the credentials, copy them and keep them somewhere safe.

You can now add OVH to your Cloud 66 account using these credentials (see above).

RFC2136

RFC 2136 is intended for use with DNS providers not otherwise supported by Cloud 66. Your provider needs to support RFC 2136, and ideally should have a good help document to walk you through the setup.

In order to add your RFC 2136 DNS to Cloud 66 you need to create an .ini file containing the credentials required by your provider. A typical file would look similar to this:

# Target DNS server (IPv4 or IPv6 address, not a hostname)
dns_rfc2136_server = 192.0.2.1
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = keyname.
# TSIG key secret
dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFsAmKd7ak51vWKgSl12ib86oQRPkpDjg==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512

Your own provider may give the keys different names or require a different set of keys. Please be sure to follow their instructions carefully.

Once you have all the credentials, you can add RFC2136 to your Cloud 66 account by uploading your .ini file (see above).
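Before uploading, the file can be checked for the mistakes the example above hints at: a hostname where an IP address is required, a secret broken by a stray space or line break, or an unexpected algorithm name. The following is an added example, not Cloud 66 code; the function name, the sample values and the default port of 53 are assumptions made for illustration.

```python
import base64
import binascii
import configparser
import ipaddress

# Illustrative checker (not Cloud 66 or provider code); key names follow the file above.
KNOWN_ALGORITHMS = {"HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
                    "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
REQUIRED = ("dns_rfc2136_server", "dns_rfc2136_name", "dns_rfc2136_secret")
# Constructed sample values, not real credentials.
SAMPLE_SECRET = base64.b64encode(b"constructed sample key, not real").decode()
SAMPLE_OK = f"""dns_rfc2136_server = 192.0.2.1
dns_rfc2136_port = 53
dns_rfc2136_name = keyname.
dns_rfc2136_secret = {SAMPLE_SECRET}
dns_rfc2136_algorithm = HMAC-SHA512
"""


def check_rfc2136_ini(text):
    """Return a list of problems found in an RFC 2136 credentials file."""
    parser = configparser.ConfigParser(interpolation=None)
    # The file has no [section] header, so supply one for configparser.
    parser.read_string("[creds]\n" + text)
    creds = parser["creds"]
    problems = [f"missing {key}" for key in REQUIRED if not creds.get(key)]
    server = creds.get("dns_rfc2136_server", "")
    if server:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append("server must be an IP address, not a hostname")
    port = creds.get("dns_rfc2136_port", "53")  # assumed default when omitted
    if not port.isdecimal() or not 1 <= int(port) <= 65535:
        problems.append("port must be 1-65535")
    secret = creds.get("dns_rfc2136_secret", "")
    if secret:
        try:
            base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            problems.append("secret is not valid base64 (stray space or line break?)")
    algorithm = creds.get("dns_rfc2136_algorithm", "").upper()
    if algorithm and algorithm not in KNOWN_ALGORITHMS:
        problems.append(f"unknown TSIG algorithm: {algorithm}")
    elif algorithm == "HMAC-MD5":
        problems.append("HMAC-MD5 is weak; prefer an HMAC-SHA2 algorithm")
    return problems
```

Call `check_rfc2136_ini(open("credentials.ini").read())` on your own file; an empty list means none of these checks failed.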

Route53

Amazon Route 53 requires an API Access Key and a Secret Access Key for an AWS account with (at least) the following permissions:

  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets

You can assign permissions to the account using an IAM policy like the example below. You would need to replace the Hosted Zone ID for the example policy to work properly.

{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 sample policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
            ]
        }
    ]
}

Generate access keys for the account using your preferred method (web console or CLI) by following this guide.

You can now add Route53 to your Cloud 66 account using these credentials (see above).
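A policy can be checked against the three permissions listed above before its keys are handed over. The following is an added example, not Cloud 66 or AWS code: it flags wildcard or extra actions, record changes that are not scoped to a single hosted zone, and the `YOURHOSTEDZONEID` placeholder left in place. The function names are hypothetical and the sample policy is constructed to mirror the one above.

```python
import json
from fnmatch import fnmatchcase

# Illustrative linter (not Cloud 66 or AWS code) for the policy shape shown above.
REQUIRED = ("route53:ListHostedZones", "route53:GetChange",
            "route53:ChangeResourceRecordSets")
ZONE_ARN = "arn:aws:route53:::hostedzone/"


def as_list(value):
    return value if isinstance(value, list) else [value]


def sample_policy(zone_arn):
    # Constructed input with the same statements as the example policy.
    read = {"Effect": "Allow", "Resource": ["*"],
            "Action": ["route53:ListHostedZones", "route53:GetChange"]}
    write = {"Effect": "Allow", "Resource": [zone_arn],
             "Action": ["route53:ChangeResourceRecordSets"]}
    return json.dumps({"Version": "2012-10-17", "Statement": [read, write]})


def lint_route53_policy(policy_json):
    """Return findings for a policy meant to grant only the access listed above."""
    findings, granted = [], set()
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for pattern in actions:
            # IAM action names are case-insensitive and may contain wildcards.
            hits = {a for a in REQUIRED if fnmatchcase(a.lower(), pattern.lower())}
            granted |= hits
            if "*" in pattern or "?" in pattern or not hits:
                findings.append(f"extra or wildcard action: {pattern}")
        if not any(fnmatchcase(REQUIRED[2].lower(), p.lower()) for p in actions):
            continue
        # This statement can change records: it must name one hosted zone.
        for res in as_list(stmt.get("Resource", [])):
            zone_id = res[len(ZONE_ARN):] if res.startswith(ZONE_ARN) else ""
            if not zone_id or "*" in zone_id or "?" in zone_id:
                findings.append(f"record changes not limited to one zone: {res}")
            elif zone_id == "YOURHOSTEDZONEID":
                findings.append("placeholder hosted zone ID not replaced")
    findings += [f"missing required action: {a}" for a in REQUIRED if a not in granted]
    return findings
```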

SakuraCloud

SakuraCloud requires an API Token and API Secret which can be obtained from their web interface:

  1. Log into your SakuraCloud account
  2. Navigate to the API key interface
  3. Create a key with the required DNS permissions
  4. Copy the API key and API secret and keep them somewhere safe

You can now add SakuraCloud to your Cloud 66 account using these credentials (see above).

TransIP

TransIP requires your account username, an API key, and a global key setting. The API key is the private key from a TransIP key pair, which you create in the control panel and upload to Cloud 66 as a file.

  1. Log into the TransIP control panel and go to My account → API
  2. Add a new key pair and give it a label (for example, cloud66)
  3. Decide how the key may be used, which sets the global key value in Cloud 66:
    • To let Cloud 66 connect from any IP, allow the key to be used from non-whitelisted IP addresses and set global key to yes (the default).
    • To keep the key restricted, set global key to no and whitelist the addresses Cloud 66 connects from (contact Cloud 66 support for these).
  4. Copy the private key TransIP shows after the key pair is created and save it to a file (it is shown only once).

When adding TransIP to your Cloud 66 account, enter your username and upload your private key file as the API key (see above).