- Behind-the-scenes management of all the acme-dns credentials
- Management of multiple sets of credentials (thereby allowing me to get multiple certs using acme-dns).
- The acme-dns credentials are stored in `.acme.sh/account.conf`, which makes me believe it can only handle one set of credentials. If that's correct, it means that a given acme.sh installation can only issue certs for a single FQDN using acme-dns--no multi-SAN certs, and really only a single cert. If that's not correct, the docs are badly in need of an update--which they are in any event.
acme-dns, I must obtain a set of credentials (`curl -s -X POST https://auth.acme-dns.io/register | python -m json.tool`), create the appropriate CNAME record, export the credentials into the appropriate environment variables, and then call `acme.sh`. Lots of manual work, and as noted above, it can only handle one FQDN per acme.sh installation.
By contrast, with certbot and @joohoi's hook script, I call certbot and tell it to use that script. The script checks the requested domain(s) against the credentials issued previously; if it/they already exist, it's assumed the CNAME records are present, loads the relevant credentials, and goes to town--all without user interaction. If it doesn't have a set of credentials matching one or more domains, it obtains them, stores them, and prompts you to create the appropriate CNAME record(s). Creating the CNAME is the only user interaction needed with acme-dns in this case. Multiple certs, multi-SAN certs, wildcards, are all handled easily.
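The per-domain credential handling described in the post above, as an added Python sketch; it is not the hook script's own code and not part of the original post. `CredentialStore`, `prepare`, `base_name`, `fake_register`, the file name `acmedns.json` and the host `auth.example.net` are all hypothetical, and registration is replaced by a constructed offline stand-in that uses the field names of an acme-dns `/register` reply.

```python
import itertools
import json
import os
import tempfile

class CredentialStore:
    """acme-dns accounts keyed by domain, kept in one owner-only JSON file."""

    def __init__(self, path):
        self.path = path
        self.accounts = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.accounts = json.load(fh)

    def save(self, domain, account):
        self.accounts[domain] = account
        tmp = self.path + ".tmp"
        # The file holds update passwords: create it 0600, then swap it in atomically.
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(self.accounts, fh, indent=2)
        os.replace(tmp, self.path)

def base_name(domain):
    # *.example.com and example.com are both validated at _acme-challenge.example.com
    name = domain.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def prepare(domains, store, register):
    """Return (account per base domain, CNAME records still to be created)."""
    creds, todo = {}, []
    for base in dict.fromkeys(base_name(d) for d in domains):
        account = store.accounts.get(base)
        if account is None:  # first time this name is requested
            account = register()
            store.save(base, account)
            todo.append(f"_acme-challenge.{base}. CNAME {account['fulldomain']}.")
        creds[base] = account
    return creds, todo

_ids = itertools.count(1)

def fake_register():
    # Constructed stand-in for POST /register; values are made up.
    n = next(_ids)
    return {"username": f"user-{n}", "password": f"constructed-{n}",
            "subdomain": f"sub{n}", "fulldomain": f"sub{n}.auth.example.net",
            "allowfrom": []}

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "acmedns.json")
    names = ["example.com", "*.example.com", "www.example.com"]
    print(prepare(names, CredentialStore(path), fake_register)[1])  # CNAMEs to create
    print(prepare(names, CredentialStore(path), fake_register)[1])  # nothing left to do
```

Each name gets its own account, so a leaked update password only allows TXT changes for that one name's challenge record.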