By erel
I use Let’s Encrypt and run certbot for automatic renewal. I get an error saying that certbot needs a Digital Ocean token. But when I try to add a token with custom permissions, there are many different options (“scopes”). I can just mark all scopes, but I want to give only the minimal scopes needed.
What scopes should I choose, when creating a new token, so that certbot can work?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Heya, @erel
If you’re using certbot with the DigitalOcean DNS plugin, the token only needs read + write access to Domains (DNS). That’s it — certbot creates and deletes the temporary _acme-challenge TXT records during validation.
You don’t need Droplets, Volumes, Firewalls, or anything else. In the API token screen on DigitalOcean, just enable Domains → Read + Write. This works for DNS-01 challenges with Let’s Encrypt and keeps the token properly locked down.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.