Add edit DNS credentials feature for Let's Encrypt certificates

Allow updating DNS provider, credentials, and propagation seconds on
existing LE DNS certificates without triggering an immediate certbot
renewal or disabling any hosts. The updated credentials are used at the
next automatic or manual renewal.

Based on NginxProxyManager#5377 by Lokesh, simplified
to only persist credential changes (no immediate re-issuance).

Co-Authored-By: Lokesh <lokesh@katomaran.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

backend/internal/certificate.js

@@ -255,13 +255,35 @@ const internalCertificate = {
 			);
 		}
 
+		let patchPayload = data;
+
+		// Let's Encrypt DNS: allow updating dns_provider, dns_provider_credentials, propagation_seconds
+		const isLetsEncryptDns =
+			row.provider === "letsencrypt" &&
+			row.meta &&
+			row.meta.dns_challenge &&
+			data.meta &&
+			typeof data.meta === "object";
+
+		if (isLetsEncryptDns) {
+			const mergedMeta = { ...row.meta };
+			if (data.meta.dns_provider !== undefined) mergedMeta.dns_provider = data.meta.dns_provider;
+			if (data.meta.dns_provider_credentials !== undefined) {
+				mergedMeta.dns_provider_credentials = data.meta.dns_provider_credentials;
+			}
+			if (data.meta.propagation_seconds !== undefined) {
+				mergedMeta.propagation_seconds = data.meta.propagation_seconds;
+			}
+			patchPayload = { ...data, meta: mergedMeta };
+		}
+
 		const savedRow = await certificateModel
 			.query()
-			.patchAndFetchById(row.id, data)
+			.patchAndFetchById(row.id, patchPayload)
 			.then(utils.omitRow(omissions()));
 
 		savedRow.meta = internalCertificate.cleanMeta(savedRow.meta);
-		data.meta = internalCertificate.cleanMeta(data.meta);
+		patchPayload.meta = internalCertificate.cleanMeta(patchPayload.meta);
 
 		// Add row.nice_name for custom certs
 		if (savedRow.provider === "other") {

backend/routes/nginx/certificates.js

@@ -241,10 +241,33 @@ router
 		}
 	})
 
+	/**
+	 * PUT /api/nginx/certificates/123
+	 *
+	 * Update an existing certificate (e.g. DNS provider credentials for Let's Encrypt)
+	 */
+	.put(async (req, res, next) => {
+		try {
+			const certificateId = Number.parseInt(req.params.certificate_id, 10);
+			const payload = await apiValidator(
+				getValidationSchema("/nginx/certificates/{certID}", "put"),
+				req.body,
+			);
+			const result = await internalCertificate.update(res.locals.access, {
+				id: certificateId,
+				meta: payload.meta,
+			});
+			res.status(200).send(result);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
 	/**
 	 * DELETE /api/nginx/certificates/123
 	 *
-	 * Update and existing certificate
+	 * Delete a certificate
 	 */
 	.delete(async (req, res, next) => {
 		try {

backend/schema/paths/nginx/certificates/certID/put.json

@@ -0,0 +1,67 @@
+{
+	"operationId": "updateCertificate",
+	"summary": "Update a Certificate (e.g. DNS provider credentials for Let's Encrypt)",
+	"tags": ["certificates"],
+	"security": [
+		{
+			"bearerAuth": ["certificates.manage"]
+		}
+	],
+	"parameters": [
+		{
+			"in": "path",
+			"name": "certID",
+			"description": "Certificate ID",
+			"schema": {
+				"type": "integer",
+				"minimum": 1
+			},
+			"required": true,
+			"example": 1
+		}
+	],
+	"requestBody": {
+		"description": "Certificate update payload",
+		"required": true,
+		"content": {
+			"application/json": {
+				"schema": {
+					"type": "object",
+					"required": ["meta"],
+					"additionalProperties": false,
+					"properties": {
+						"meta": {
+							"type": "object",
+							"additionalProperties": false,
+							"minProperties": 1,
+							"properties": {
+								"dns_provider": {
+									"type": "string"
+								},
+								"dns_provider_credentials": {
+									"type": "string"
+								},
+								"propagation_seconds": {
+									"type": "integer",
+									"minimum": 0
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	},
+	"responses": {
+		"200": {
+			"description": "200 response",
+			"content": {
+				"application/json": {
+					"schema": {
+						"$ref": "../../../../components/certificate-object.json"
+					}
+				}
+			}
+		}
+	}
+}

backend/schema/swagger.json

@@ -127,6 +127,9 @@
 			"get": {
 				"$ref": "./paths/nginx/certificates/certID/get.json"
 			},
+			"put": {
+				"$ref": "./paths/nginx/certificates/certID/put.json"
+			},
 			"delete": {
 				"$ref": "./paths/nginx/certificates/certID/delete.json"
 			}

frontend/src/api/backend/index.ts

@@ -51,6 +51,7 @@ export * from "./toggleRedirectionHost";
 export * from "./toggleStream";
 export * from "./toggleUser";
 export * from "./updateAccessList";
+export * from "./updateCertificate";
 export * from "./updateAuth";
 export * from "./updateDeadHost";
 export * from "./updateProxyHost";

frontend/src/api/backend/updateCertificate.ts

@@ -0,0 +1,20 @@
+import * as api from "./base";
+import type { Certificate } from "./models";
+
+export interface UpdateCertificatePayload {
+	meta: {
+		dnsProvider?: string;
+		dnsProviderCredentials?: string;
+		propagationSeconds?: number;
+	};
+}
+
+export async function updateCertificate(
+	id: number,
+	payload: UpdateCertificatePayload,
+): Promise<Certificate> {
+	return await api.put({
+		url: `/nginx/certificates/${id}`,
+		data: payload,
+	});
+}

frontend/src/components/Form/DNSProviderFields.tsx

@@ -1,7 +1,7 @@
 import { IconAlertTriangle } from "@tabler/icons-react";
 import CodeEditor from "@uiw/react-textarea-code-editor";
 import { Field, useFormikContext } from "formik";
-import { useState } from "react";
+import { useEffect, useState } from "react";
 import Select, { type ActionMeta } from "react-select";
 import type { DNSProvider } from "src/api/backend";
 import { useDnsProviders } from "src/hooks";
@@ -16,8 +16,10 @@ interface DNSProviderOption {
 
 interface Props {
 	showBoundaryBox?: boolean;
+	/** When true (edit mode), credentials field is for new credentials only; existing credentials are never displayed */
+	editMode?: boolean;
 }
-export function DNSProviderFields({ showBoundaryBox = false }: Props) {
+export function DNSProviderFields({ showBoundaryBox = false, editMode = false }: Props) {
 	const { values, setFieldValue } = useFormikContext();
 	const { data: dnsProviders, isLoading } = useDnsProviders();
 	const [dnsProviderId, setDnsProviderId] = useState<string | null>(null);
@@ -37,6 +39,16 @@ export function DNSProviderFields({ showBoundaryBox = false }: Props) {
 			credentials: p.credentials,
 		})) || [];
 
+	const selectedOption = options.find((o) => o.value === v.meta?.dnsProvider) ?? null;
+	const showCredentials = dnsProviderId ?? v.meta?.dnsProvider;
+
+	// When a provider is selected and credentials are empty, use the template from dns-plugins.json
+	useEffect(() => {
+		if (selectedOption && (v.meta?.dnsProviderCredentials ?? "") === "") {
+			setFieldValue("meta.dnsProviderCredentials", selectedOption.credentials);
+		}
+	}, [selectedOption, selectedOption?.credentials, v.meta?.dnsProviderCredentials, setFieldValue]);
+
 	return (
 		<div className={showBoundaryBox ? styles.dnsChallengeWarning : undefined}>
 			<p className="text-warning">
@@ -60,20 +72,21 @@ export function DNSProviderFields({ showBoundaryBox = false }: Props) {
 							placeholder={intl.formatMessage({ id: "certificates.dns.provider.placeholder" })}
 							isLoading={isLoading}
 							isSearchable
+							value={selectedOption}
 							onChange={handleChange}
 							options={options}
 						/>
 					</div>
 				)}
 			</Field>
 
-			{dnsProviderId ? (
+			{showCredentials ? (
 				<>
 					<Field name="meta.dnsProviderCredentials">
 						{({ field }: any) => (
 							<div className="mt-3">
 								<label htmlFor="dnsProviderCredentials" className="form-label">
-									<T id="certificates.dns.credentials" />
+									<T id={editMode ? "certificates.dns.credentials-update" : "certificates.dns.credentials"} />
 								</label>
 								<CodeEditor
 									language="bash"

frontend/src/locale/src/bg.json

@@ -125,6 +125,9 @@
 	"certificates.dns.credentials": {
 		"defaultMessage": "Съдържание на файл с удостоверения"
 	},
+	"certificates.dns.credentials-update": {
+		"defaultMessage": "New Credentials File Content"
+	},
 	"certificates.dns.credentials-note": {
 		"defaultMessage": "Този плъгин изисква конфигурационен файл с API токен или други идентификационни данни."
 	},
@@ -146,6 +149,9 @@
 	"certificates.dns.warning": {
 		"defaultMessage": "Този раздел изисква познания за Certbot и неговите DNS плъгини. Моля, консултирайте се с документацията."
 	},
+	"certificates.edit-dns-settings": {
+		"defaultMessage": "Edit DNS Settings"
+	},
 	"certificates.http.reachability-404": {
 		"defaultMessage": "Сървър е намерен на този домейн, но не изглежда да е Nginx Proxy Manager. Уверете се, че домейнът сочи към IP адреса, където работи NPM."
 	},

frontend/src/locale/src/cs.json

@@ -182,6 +182,9 @@
 	"certificates.dns.credentials": {
 		"defaultMessage": "Obsah souboru s přihlašovacími údaji"
 	},
+	"certificates.dns.credentials-update": {
+		"defaultMessage": "New Credentials File Content"
+	},
 	"certificates.dns.credentials-note": {
 		"defaultMessage": "Tento doplněk vyžaduje konfigurační soubor obsahující API token nebo jiné přihlašovací údaje vašeho poskytovatele"
 	},
@@ -203,6 +206,9 @@
 	"certificates.dns.warning": {
 		"defaultMessage": "Tato sekce vyžaduje znalost Certbotu a jeho DNS doplňků. Prosím, podívejte se do dokumentace příslušného doplňku."
 	},
+	"certificates.edit-dns-settings": {
+		"defaultMessage": "Edit DNS Settings"
+	},
 	"certificates.http.reachability-404": {
 		"defaultMessage": "Na této doméně byl nalezen server, ale nezdá se, že jde o Nginx Proxy Manager. Ujistěte se, že vaše doména směřuje na IP, kde běží vaše instance NPM."
 	},

frontend/src/locale/src/de.json

@@ -113,6 +113,9 @@
 	"certificates.dns.credentials": {
 		"defaultMessage": "Inhalt der Anmeldedaten-Datei"
 	},
+	"certificates.dns.credentials-update": {
+		"defaultMessage": "New Credentials File Content"
+	},
 	"certificates.dns.credentials-note": {
 		"defaultMessage": "Dieses Plugin erfordert eine Konfigurationsdatei, die einen API-Token oder andere Anmeldedaten für Ihren Anbieter enthält."
 	},
@@ -131,6 +134,9 @@
 	"certificates.dns.warning": {
 		"defaultMessage": "Dieser Abschnitt erfordert einige Kenntnisse über Certbot und seine DNS-Plugins. Bitte konsultieren Sie die jeweilige Plugin-Dokumentation."
 	},
+	"certificates.edit-dns-settings": {
+		"defaultMessage": "Edit DNS Settings"
+	},
 	"certificates.http.reachability-404": {
 		"defaultMessage": "Unter dieser Domain wurde ein Server gefunden, aber es scheint sich nicht um Nginx Proxy Manager zu handeln. Bitte stellen Sie sicher, dass Ihre Domain auf die IP-Adresse verweist, unter der Ihre NPM-Instanz ausgeführt wird."
 	},