The subdomain I’m trying to create a certificate for is for internal use only. It’s not in the public DNS, only local. I want to authenticate by placing a file on the primary domain, but I don’t see an option for that and can’t find documentation about it.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I believe that in this case the only possibility is to use the DNS-01 challenge type - this is because proving control over the webserver at example.com does not mean that you should be able to get a certificate for verysecure.example.com. Proving control over DNS is considered a "stronger" form of validation.
Another option would be to use some split-horizon configuration, where in the external version of the DNS zone you point your internal to the webserver of your primary domain and in the internal DNS zone you keep it pointed to some internal address.
Thank you. I wasn’t aware that controlling the entire domain is not enough proof of control over the subdomain. Uploading a file there would have been easier, but I can work with the DNS-01 challenge and I see how it’s a better authentication.
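How the DNS-01 record suggested in the reply is derived under RFC 8555, as an added example that is not part of the original thread: the TXT record sits at `_acme-challenge` under the subdomain itself, so only that one record has to be publicly resolvable while the host stays internal. It assumes an RSA account key; the JWK and token are constructed sample values, and a real ACME client performs this computation for you.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the required
    members only, sorted by name, serialized without whitespace."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """Name the CA queries. A wildcard is validated at its base name."""
    name = identifier.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


# Constructed sample values, not a real account key or a real CA token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    name = challenge_record_name("verysecure.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    # Zone-file form of the record to publish in the public zone.
    print(f'{name}. 300 IN TXT "{value}"')
```

Because the value binds the CA's token to the account key, publishing the record proves control of the DNS zone for that exact name rather than control of a web server on the parent domain.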