I moved domain registrars to Porkbun recently. I didn’t have anything particularly against my previous registrar, but Porkbun is based here in Cascadia, they seem like nice folks who run a tight ship, and they don’t take themselves too seriously.

Since they include API-manageable DNS service as part of your domain registration, I also moved DNS for my domains to Porkbun. That was easy peasy, as I automated my DNS with DNSControl years ago. Moving DNS providers is just a few config changes and a CI/CD run now.

The one bit that took a bit of work was putting together a new helper script for TrueNAS to create and delete the ACME DNS-01 TXT records. TrueNAS only directly supports Cloudflare, Route 53, and OVH in the WebUI. For any other DNS provider, you need to make a shell script to manage the DNS entries. The heavy lifting here is being done by porkbun-api-bash.

Install and Config

Make a dataset

I made a dataset in my ZFS pool to hold this tooling. Probably overkill but it keeps everything in one place and it’s very clear what files are required and should be backed up. I called it acmeScript and thus it is mounted at /mnt/myZPool/acmeScript.

Owner: admin
Group: ssl-cert

Unix Perms:
user: Read | Write | Execute
group: Read | Write | Execute
other: None

Install scripts and config

We’re treating the acmeScript dataset like a home directory for this task. Everything is going to live in here. The assumption here is that you’re doing this install from an SSH shell.

# Set this to your AcmeScript dir
ACMEDIR=/mnt/myZPool/acmeScript
mkdir -p "${ACMEDIR}/.local/bin"

# Get porkbun-api (-f: fail on an HTTP error instead of saving the error page)
curl -f -# -o "${ACMEDIR}/.local/bin/porkbun-api" https://raw.githubusercontent.com/corey-braun/porkbun-api-bash/refs/heads/main/porkbun-api
chmod 755 "${ACMEDIR}/.local/bin/porkbun-api"

# Get sample .porkbun-apirc config file (it will hold your API keys, so owner-only)
curl -f -# -o "${ACMEDIR}/.porkbun-apirc" https://raw.githubusercontent.com/corey-braun/porkbun-api-bash/refs/heads/main/.porkbun-apirc
chmod 600 "${ACMEDIR}/.porkbun-apirc"

# Get Porkbun DNS-01 helper script from my Gist (URL is pinned to a specific revision)
curl -f -# -o "${ACMEDIR}/porkbun-dns-01.sh" https://gist.githubusercontent.com/ducksauz/1fe639d9eeeec021d75d3887cf85a5ec/raw/e814a748068efa78649a47c879d725d03ed9a720/porkbun-dns-01.sh
# TrueNAS runs this script as the Running User, so it must be executable
chmod 750 "${ACMEDIR}/porkbun-dns-01.sh"

# set ownership properly
sudo chown -R admin:ssl-cert "${ACMEDIR}"

Edit ${ACMEDIR}/.porkbun-apirc and set your domain, API key, and secret key.

# Required variables
DOMAIN=  # The domain name for the script to act on. Can also be set by flag '-d <domain>'.
APIKEY=  # Your Porkbun API Key
SECRETKEY=  # Your Porkbun API Secret Key
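
The install commands above fetch porkbun-api from a branch (refs/heads/main), so the file can change between the time you review it and the time you install it next to your API keys. As an added example (not part of the original post or of porkbun-api-bash), these functions install a download only when it matches a SHA-256 you recorded after reviewing the file; the function names and the placeholder digest are assumptions.

```shell
#!/usr/bin/env bash
# Added example: install a downloaded script only if it matches a pinned SHA-256.
# Function names and the placeholder digest below are assumptions for illustration.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# install_verified SRC EXPECTED_SHA256 DEST MODE
# Copy SRC to DEST with MODE only when the digest matches; otherwise return 1
# and leave DEST untouched.
install_verified() {
    local src="$1" expected="$2" dest="$3" mode="$4" actual
    [ -s "$src" ] || { echo "empty or missing download: $src" >&2; return 1; }
    case "$expected" in
        ''|*[!0-9a-f]*) echo "expected digest must be lowercase hex" >&2; return 1 ;;
    esac
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: got $actual" >&2
        return 1
    fi
    install -m "$mode" "$src" "$dest"
}

# fetch_and_install URL EXPECTED_SHA256 DEST MODE
# Download to a temp file, verify, install, and always remove the temp file.
fetch_and_install() {
    local url="$1" expected="$2" dest="$3" mode="$4" tmp rc=0
    tmp=$(mktemp) || return 1
    # -f makes curl fail on an HTTP error instead of saving the error page.
    { curl -fsSL -o "$tmp" "$url" &&
        install_verified "$tmp" "$expected" "$dest" "$mode"; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (the digest is a placeholder; record your own after reviewing the file):
#   fetch_and_install \
#     https://raw.githubusercontent.com/corey-braun/porkbun-api-bash/refs/heads/main/porkbun-api \
#     REPLACE_WITH_SHA256_OF_REVIEWED_FILE \
#     /mnt/myZPool/acmeScript/.local/bin/porkbun-api 755
```

Until the placeholder is replaced with a real digest, the call refuses to install anything, which is the intended default.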

Configure TrueNAS to use the helper

Back in the TrueNAS web UI, navigate to Credentials -> Certificates and add an ACME DNS-Authentication entry.

Name: porkbun
Authenticator: shell
Authenticator Script: /mnt/myZPool/acmeScript/porkbun-dns-01.sh
Running User: admin
Timeout: 60
Propagation Delay: 30

Test it out

Now you should be able to submit a cert request using Porkbun to complete the DNS authentication. If you want to follow along while the request is happening you can tail -f /var/log/syslog | grep porkbun-dns-01 to ensure it’s working as expected.