@mhahl
Forked from user890104/cert-production.sh
Created August 5, 2020 22:06
Certbot / Letsencrypt Wildcard DNS with nsupdate hook
cert-production.sh:

# This will issue a production (valid and trusted) certificate.
# A wildcard name can only be validated with the DNS-01 challenge, and because
# '*.example.com' and 'example.com' both validate at _acme-challenge.example.com,
# the hook is called twice for the same name and must publish two TXT records.
# --register-unsafely-without-email means you get no expiry or incident notices;
# --manual-public-ip-logging-ok is deprecated in newer Certbot releases and can be dropped there.
certbot certonly --agree-tos --manual --preferred-challenges=dns --manual-auth-hook=./hook.sh --register-unsafely-without-email --manual-public-ip-logging-ok -d '*.example.com' -d 'example.com' --server https://acme-v02.api.letsencrypt.org/directory

# This will issue a test certificate (untrusted chain, but the same hook flow
# and much looser rate limits): run this first, then the production command above.
certbot certonly --agree-tos --manual --preferred-challenges=dns --manual-auth-hook=./hook.sh --register-unsafely-without-email --manual-public-ip-logging-ok -d '*.example.com' -d 'example.com' --server https://acme-staging-v02.api.letsencrypt.org/directory
hook.sh:

#!/bin/bash
# Certbot --manual-auth-hook: publishes the DNS-01 challenge token as a TXT
# record using RFC 2136 dynamic update (nsupdate). Certbot exports
# CERTBOT_DOMAIN and CERTBOT_VALIDATION before invoking this script.
set -eu

DNS_SERVER='ns1.example.com'   # primary server that accepts dynamic updates
DNS_ZONE='example.com'

if [ -z "${CERTBOT_DOMAIN:-}" ]
then
echo 'Empty $CERTBOT_DOMAIN provided' >&2
exit 1
fi
if [ -z "${CERTBOT_VALIDATION:-}" ]
then
echo 'Empty $CERTBOT_VALIDATION provided' >&2
exit 1
fi
HOST='_acme-challenge'
echo "Domain: ${CERTBOT_DOMAIN}"
echo "Validation: ${CERTBOT_VALIDATION}"
echo 'Sending to DNS server...'
# Add only, never delete here. The original deleted the A record at this name,
# which the challenge never uses; deleting the TXT RRset instead would also be
# wrong, because with -d '*.example.com' -d 'example.com' Certbot calls this hook
# twice with CERTBOT_DOMAIN=example.com and both TXT values must be present when
# Let's Encrypt queries. Remove the records afterwards with --manual-cleanup-hook.
# This update is unauthenticated: the server must restrict updates by source
# address, or better, require a TSIG key (nsupdate -k <keyfile>).
nsupdate << EOM
server ${DNS_SERVER}
zone ${DNS_ZONE}
update add ${HOST}.${CERTBOT_DOMAIN} 300 TXT "${CERTBOT_VALIDATION}"
send
EOM
# A fixed delay is a guess: secondaries may not have transferred the zone yet.
echo 'Waiting 5 seconds...'
sleep 5
echo 'Record should be set, returning to Certbot'
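The script above only adds the record and hopes five seconds is enough. The following is an added example, not part of the gist: one script that serves as both `--manual-auth-hook` and `--manual-cleanup-hook`, authenticates the update with a TSIG key, deletes only the exact TXT value it created (so the sibling wildcard/apex record survives), and polls the authoritative server with `dig` until the record is visible instead of sleeping. Assumed names: the TSIG key file path in `TSIG_KEYFILE` (hypothetical), `ns1.example.com` as primary, and `dig`/`nsupdate` on `PATH`. Certbot documents `CERTBOT_AUTH_OUTPUT` as set only for the cleanup hook, which is what distinguishes the two runs.

```shell
#!/bin/bash
# Added example: combined Certbot auth/cleanup hook using nsupdate with TSIG.
# Assumptions (not from the gist): TSIG key file path, primary server name.
set -eu

DNS_SERVER='ns1.example.com'
DNS_ZONE='example.com'
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/acme-update.key}"   # assumed path
HOST='_acme-challenge'

# Emit an nsupdate batch on stdout. A delete names the exact TXT value, so the
# other challenge record at the same name (wildcard + apex) is left in place.
#   usage: nsupdate_batch add|delete NAME VALUE
nsupdate_batch() {
    local action="$1" name="$2" value="$3"
    printf 'server %s\nzone %s\n' "$DNS_SERVER" "$DNS_ZONE"
    case "$action" in
        add)    printf 'update add %s 60 TXT "%s"\n' "$name" "$value" ;;
        delete) printf 'update delete %s TXT "%s"\n' "$name" "$value" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
    printf 'send\n'
}

# Return 0 if VALUE is one of the TXT strings read on stdin. `dig +short TXT`
# prints each RR as a quoted string on its own line, e.g. "tok123".
txt_published() {
    local value="$1" line
    while IFS= read -r line; do
        [ "$line" = "\"$value\"" ] && return 0
    done
    return 1
}

# Poll the authoritative server until the TXT record is visible, or give up.
wait_for_txt() {
    local name="$1" value="$2" tries="${3:-30}"
    while [ "$tries" -gt 0 ]; do
        if dig +short "@${DNS_SERVER}" "$name" TXT | txt_published "$value"; then
            return 0
        fi
        sleep 2
        tries=$((tries - 1))
    done
    echo "TXT record for ${name} did not appear on ${DNS_SERVER}" >&2
    return 1
}

main() {
    : "${CERTBOT_DOMAIN:?Certbot did not set CERTBOT_DOMAIN}"
    : "${CERTBOT_VALIDATION:?Certbot did not set CERTBOT_VALIDATION}"
    local name="${HOST}.${CERTBOT_DOMAIN}"
    # CERTBOT_AUTH_OUTPUT exists (possibly empty) only in the cleanup-hook run.
    if [ -n "${CERTBOT_AUTH_OUTPUT+set}" ]; then
        nsupdate_batch delete "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
    else
        nsupdate_batch add "$name" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
        wait_for_txt "$name" "$CERTBOT_VALIDATION"
    fi
}

# Only act when Certbot invoked us; sourcing the file just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then main; fi
```

Point both `--manual-auth-hook` and `--manual-cleanup-hook` at this file. On the server side, generate the key with `tsig-keygen`, and in BIND scope it to the one name and type the hook needs, e.g. `update-policy { grant acme-update name _acme-challenge.example.com. TXT; };`, so a leaked key cannot rewrite anything else in the zone.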