Managing multi-registrar DNS DCVs with TBSCertBot

You want to entrust the management of your multi-site certificates to TBSCertBot, but they include site names sometimes managed by several registrars?

In this case, how does DCV validation work via DNS configuration? Is TBSCertBot capable of handling multiple SANs from different registrars in a single command?

Can multiple SANs from different registrars be managed in the same order?

yes.TBSCertBot can fully and automatically manage DCV DNS challenges for multiple SANs even if they are managed by different registrars.

How does it work?

When you place a certificate order that includes multiple SANs, TBSCertBot processes each domain in the list individually.

Automatic detection of the registrar(s)

Initially, TBSCertBot analyzes each site name (SAN) of the certificate.

It then dynamically determines the registrar corresponding to each identified domain and configures the PHP_TBS_REGISTRAR environment variable accordingly. For example:

PHP_TBS_REGISTRAR=OVH

or

PHP_TBS_REGISTRAR=GANDI

or any other supported registrar.

This variable allows the DCV hook to identify the registrar and therefore the DCV script to use for creating the DNS record.

DCV hook call

Once the registrar is detected, TBSCertBot calls your DCV hook. We recommend using a routing script (see exportDCVScript) that:

• reads the PHP_TBS_REGISTRAR variable
  
  
• automatically directs to the registrar-specific script (e.g., dns-ovh.sh, dns-gandi.sh)
  
  

The script then creates the DNS record for the domain being processed.

Useful links

• Setting up hook for DCV DNS in TBSCertBot
• Automate your certificate orders and renewals using TBSCertBot
• Easily manage your certificates with TBSCertBot
• TBSCertBot - The Quick Start Guide