Score:2

Automate renewal of let's encrypt ACME-DNS challenge with unbound


I changed from a certificate with multiple explicitly defined subdomains to a wildcard certificate. For this to work, the DNS-01 challenge needs to be solved. I have a very basic unbound DNS server running (authoritative). The unbound server is on the same machine where certbot and an nginx webserver resides.

With the following command I could successfully create and authorize a wildcard certificate, but I had to manually create the TXT record in the DNS server:

sudo certbot certonly --manual --preferred-challenges dns --email [email protected] --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.example.com -d example.com -v

My goal is to fully automate the renewal process of this certificate. The "certbot renew" command should automatically create the TXT record with the challenge token as content in my previously set up unbound DNS server.

What do I need to do in order to achieve this?

Score:2

This stackexchange answer provides very detailed information for this situation that I think is a perfect fit.

What you actually need is to automate the creation of DNS entries in the DNS server "programmatically" by means of a bash/shell script, in a process that in general goes like this:

  1. Request a new certificate via certbot
  2. Capture the requested TXT records from the output
  3. Create the records in the DNS server through the script
  4. Use certbot again after access to the TXT records has been confirmed to have propagated through the Internet.

What you need to do after reading this is confirm whether or not your DNS server provides some kind of API or method to create the entries by a remote request. This is essential.
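For the unbound case in the question, the "API" is unbound-control, and the four steps above collapse into a certbot auth hook plus cleanup hook. The script below is an added example, not from the answer or the certbot/unbound projects; it assumes unbound-control is set up for the running instance, that unbound already serves a local zone for the domain, that the script is installed at the assumed path /usr/local/bin/acme-unbound.sh, and uses certbot's documented hook variables CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES.

```shell
#!/bin/sh
# Certbot DNS-01 hook for a local unbound instance (added example, assumed path).
# Assumed invocation:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/bin/acme-unbound.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/acme-unbound.sh remove" \
#     -d '*.example.com' -d example.com
# "certbot renew" reuses the hooks recorded at issuance, so renewal needs no extra flags.
set -eu

# Record name for a domain. Certbot passes the base name for a wildcard
# ("*.example.com" -> "example.com"), so both SANs share one TXT name and
# each SAN adds its own TXT value; a leading "*." is stripped defensively.
acme_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# Full local-data RR as unbound-control expects it. $1=domain, $2=validation token.
acme_record() {
    printf '%s 60 IN TXT "%s"\n' "$(acme_name "$1")" "$2"
}

# ACME tokens are base64url (A-Za-z0-9_-); reject anything else so the
# token cannot break out of the quoted TXT string handed to unbound-control.
valid_token() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Only act when certbot invoked us (its hook environment is present).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    case ${1:-add} in
        add)
            valid_token "$CERTBOT_VALIDATION" || { echo "invalid validation token" >&2; exit 1; }
            unbound-control local_data "$(acme_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")"
            # Pause once the last record is loaded so Let's Encrypt sees it when it queries.
            if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then sleep 10; fi
            ;;
        remove)
            # Removes every TXT value under the name, i.e. both SANs' tokens at once.
            unbound-control local_data_remove "$(acme_name "$CERTBOT_DOMAIN")"
            ;;
    esac
fi
```

Because unbound-control keeps the records only in memory, a restart of unbound discards them, which is the desired outcome for challenge data.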
