diff --git a/client/Makefile.am b/client/Makefile.am
index 9a3bc9d1e..0031c04a5 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -47,6 +47,11 @@ sbin_SCRIPTS = \
 ipa-epn \
 $(NULL)
+appdir = $(libexecdir)/ipa/acme
+nodist_app_SCRIPTS = \
+ certbot-dns-ipa \
+ $(NULL)
+
 ipa_getkeytab_SOURCES = \
 ipa-getkeytab.c \
 ipa-client-common.c \
@@ -111,6 +116,7 @@ EXTRA_DIST = \
 ipa-client-install.in \
 ipa-client-samba.in \
 ipa-epn.in \
+ certbot-dns-ipa.in \
 $(NULL)
 install-data-hook:
@@ -119,6 +125,9 @@ install-data-hook:
 $(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/sysrestore
-PYTHON_SHEBANG = $(sbin_SCRIPTS)
+PYTHON_SHEBANG = \
+ $(sbin_SCRIPTS) \
+ $(nodist_app_SCRIPTS) \
+ $(NULL)
 include $(top_srcdir)/Makefile.pythonscripts.am
diff --git a/client/certbot-dns-ipa.in b/client/certbot-dns-ipa.in
new file mode 100755
index 000000000..65ab4f73a
--- /dev/null
+++ b/client/certbot-dns-ipa.in
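Review bot: The new `appdir`/`nodist_app_SCRIPTS` block in the first hunk installs a generated script under `$(libexecdir)/ipa/acme` with no comment saying why it lives outside `$(sbindir)` like the other hooks in `sbin_SCRIPTS`; a line such as `# Certbot dns-01 auth/cleanup hook; not meant to be run by hand, so kept out of $(sbindir)` above `appdir` would record that. Because `certbot-dns-ipa` is listed as `nodist_` and only `certbot-dns-ipa.in` goes into `EXTRA_DIST` (second hunk), the script must be regenerated by the rules in `Makefile.pythonscripts.am` through the extended `PYTHON_SHEBANG` list in the third hunk; those rules are not visible here, so check that they also add the generated file to `CLEANFILES`, otherwise `make clean` and `make distcheck` leave it behind.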
@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+#
+# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
+#
+
+"""
+This script can be used with Certbot to satisfy dns-01 challenges.
+FreeIPA integrated DNS is required.
+
+This script can be used for both --manual-auth-hook and
+--manual-cleanup-hook. It not intended to be used in other
+contexts.
+
+Kerberos credentials are required. The principal must have
+permission to add and delete DNS records via the dnsrecord_add and
+dnsrecord_del commands.
+
+"""
+
+import os
+import sys
+
+from dns import resolver
+from ipalib import api, errors
+from ipapython import dnsutil
+
+try:
+ certbot_domain = os.environ['CERTBOT_DOMAIN']
+ certbot_validation = os.environ['CERTBOT_VALIDATION']
+except KeyError:
+ sys.exit("Missing Certbot environment variables.")
+
+if 'CERTBOT_AUTH_OUTPUT' in os.environ:
+ command = 'dnsrecord_del'
+else:
+ command = 'dnsrecord_add'
+
+validation_domain = f'_acme-challenge.{certbot_domain}'
+fqdn = dnsutil.DNSName(validation_domain).make_absolute()
+zone = dnsutil.DNSName(resolver.zone_for_name(fqdn))
+name = fqdn.relativize(zone)
+
+try:
+ api.bootstrap(context='cli')
+ api.finalize()
+ api.Backend.rpcclient.connect()
+except errors.CCacheError as e:
+ sys.exit(e)
+
+api.Command[command](zone, name, txtrecord=[certbot_validation], dnsttl=60)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 74e026a4a..b11a5225c 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1197,7 +1197,6 @@ fi
 %{_sbindir}/ipa-acme-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
-%dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-custodia-check
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
@@ -1408,6 +1407,8 @@ fi
 %{_mandir}/man1/ipa-client-automount.1*
 %{_mandir}/man1/ipa-certupdate.1*
 %{_mandir}/man1/ipa-join.1*
+%dir %{_libexecdir}/ipa/acme
+%{_libexecdir}/ipa/acme/certbot-dns-ipa
 %files client-samba
 %doc README.md Contributors.txt
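Review bot: The final `api.Command[command](zone, name, txtrecord=[certbot_validation], dnsttl=60)` call does the only real work of the script but is the one step with no error handling, so a server-side refusal (zone not managed by IPA, principal lacking the `dnsrecord_add`/`dnsrecord_del` permission the docstring requires, or the TXT value already gone at cleanup) ends in a traceback rather than a message; mirroring the connect step with `try:` around the call and `except errors.PublicError as e:` / `    sys.exit(e)` keeps the non-zero exit Certbot needs while making the reason readable. The zone is taken from `resolver.zone_for_name(fqdn)`, that is from the host's stub resolver, so the script silently assumes that resolver's zone cut matches the IPA-managed zone; a comment such as `# zone cut comes from the local resolver and must match the IPA-managed zone` would make the assumption visible. The auth path returns as soon as `dnsrecord_add` succeeds without confirming the TXT value is served by the authoritative name servers, so if the IPA DNS backend publishes LDAP changes with any delay the dns-01 validation can race the record — worth stating in the docstring, as the manual hook interface leaves any propagation wait to the hook itself. The docstring could also advise granting `dnsrecord_add`/`dnsrecord_del` scoped to TXT records in the affected zone rather than a broad DNS-administrator privilege, and `It not intended` should read `It is not intended`.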
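Review bot: The second hunk makes the client package ship `%{_libexecdir}/ipa/acme/certbot-dns-ipa`, a script that imports `dns.resolver`, `ipalib` and `ipapython` (see client/certbot-dns-ipa.in in this diff), yet no `Requires:` line changes; verify the client's existing dependency chain already pulls in the python3 dns module and ipalib, otherwise the hook fails at import on a minimal client install. Removing `%dir %{_libexecdir}/ipa` from the server file list in the first hunk is only safe if a package both server and client depend on owns that directory; the later hunk that re-adds it is cut off at the end of this diff, so its package section should be checked.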
@@ -1490,6 +1491,7 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{_usr}/share/ipa
+%dir %{_libexecdir}/ipa
 %files -n python3-ipalib