My query does not really fall in the constraints of the standards questions, I hope maybe someone can provide some guidance.
My use-case is this, with the desire for certificate agility I'm looking at whether ACME can provide the solution. Specifically we have a WiFi Ctrl managing a customers WiFi, as part of this we host a guest-wifi captive-portal secured off a public certificate thus guest trust the presented web-site. Today a customer's admin will manually update those captive-portal certificates, I want to automate this process, but a customer would not open inbound connectivity to the WiFi Ctrl to inbound traffic coming from the internet, due to the concerns of exposing some access to the WiFi Ctrl. So I was wondering if with the many options available to use LetsEncrypt there is somewhere a plausible solution where a customer who owns maybe www.example.com/guest_access can automate the renew of the cert for their captive-portal?
Thank you for taking the time to read this and provide your input.
You need to use the DNS-01 authentication challenge for this. Instead of answering a secret challenge via a web request with the HTTP-01 challenge, you will use the public DNS records to handle this.
The best practice for this is to use a CNAME record to delegate the _acme-challenge record to a secondary DNS system that only handles DNS-01 challenges. There is an open source project acme-dns that can be used to securely manage these DNS records.
Following up on this, since you are whitelabeling this...
You would likely want your customers to CNAME onto either a pre-assigned domain name (e.g. foo.example.com) or something that can be predicted by an algorithm (e.g. {client_domain}-{tld}.example.com). With acme-dns you would then generate a bunch of accounts - which use UUIDs - then edit the database to use your preferred namng. I believe this script I wrote a while back still works with the current version of acme-dns (i have not updated my installation, so i still use a variant of this script myself):
You can, of course, delegate to a commercial DNS provider or a DNS system you control. The acme-dns system is very nice because it exposes a simple HTTPS API for manipulating these records. I find this much easier than setting up an isolated account with a vendor or dealing with the hassles of a normal DNS system.
Thx @Bruce5051, correct the cap-portal certs are 99.9% just a simple DV TLS cert, this is never the issue, the challenge here specifically is the procedure to try and automate the renewal and domain-validation, I think what I see below from @jvanasco might be the answer I was looking for.
Thx @jvanasco just for additional clarity, this would be 1000% handled by the end-customer, we're not and don't want to be involved with the creation/renew of certs and their underlying fqdn for the cap-portal.
They should still use a delegation to a dedicated DNS system for this. Regular acme-dns will work for them, as will an isolated account with commercial vendors.
An overview of properly securing the DNS challenge was written by the acme-dns author here, but this overview and concept applies to all DNS challenge systems:
