DNS-PERSIST-01 Challenge

This guide explains how to get and renew a certificate with the DNS-PERSIST-01 challenge.

<!--more-->

{{% notice note %}}

- The RFC is still a draft.
- This is currently not available in most CAs' production environments.

{{% /notice %}}

{{% notice important %}}

This challenge could be less secure than [DNS-01]({{% ref "obtain/dns01" %}}) due to its requirements.

This is especially true if your DNS provider does not offer any way to restrict access to the specific persistent record required by the DNS-PERSIST-01 challenge.

The security of this challenge relies primarily on protecting your account's private key.

{{% /notice %}}

{{< tabs groupid="usage-examples" >}}
{{% tab title="Classic Way" %}}

Execute the following command:

```bash
lego run -d 'example.com' --dns-persist
```

{{% /tab %}}
{{% tab title="With a Configuration File" %}}

Create a `.lego.yml` file with the following content:

```yaml
certificates:
  foo:
    challenge: dns-persist-01
    domains:
      - example.com
```

And execute:

```bash
lego
```

{{% /tab %}}
{{< /tabs >}}