I am trying to analyze Certbot renewal files, and trying to wrap my head around the likelihood of mixed dns-01 and http-01 challenges.
It looks like Certbot doesn't support specifying the challenge for a certificate by domain on the command line or in the storage file. I thought there might be some ways to trick Certbot into handling this through plugins, but I haven't found any major plugins that are doing this.
Can someone confirm the above, or point me in the direction of any tools that are doing this?
I am hoping Certbot does not support this, because that would make today a lot simpler!
[[webroot-map]] wouldn't exist if the renewal config allowed setting the authenticator per domain (it would be [[authenticator-map]]). I don't think they allow setting the authenticator per domain.
Thanks. I had noticed something like that in the code. I think it is theoretically possible within the design to have the authenticators decide which challenge to use themselves -- but I haven't found any that do that (or that implement the plugin storage backend to save information that could do that).
My current understanding is that seeing 'dns-01' in the renewal config will mean that everything uses the dns-01 challenge (even though it's a list of strings, so ["dns-01", "http-01"] is a possible entry).
The common advice in this case was to (ab)use the cached authorizations and perform them one at a time. It does rely on Let's Encrypt implementation details (do other CAs even cache authorizations? How long do they cache them?)
Yes, I was just concerned if it was technically possible to somehow configure Certbot to handle this. I am finalizing a tool to import certbot renewal configurations.
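As an added example (not from this thread or from Certbot itself), a small parser for the renewal-file format discussed above: it reads the `[renewalparams]` section and the `[[webroot_map]]` subsection and makes visible that `pref_challs` sits once at certificate level, so every domain ends up with the same challenge preference list. The sample file is constructed, and the parser only covers the plain `key = value` subset Certbot writes (no configobj quoting or multi-line values).

```python
import re

# Constructed sample in the style of /etc/letsencrypt/renewal/<name>.conf
# (not copied from any real host); "pref_challs" and "[[webroot_map]]" are
# the keys Certbot itself writes.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 2.0.0
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = dns-01, http-01,
[[webroot_map]]
example.com = /var/www/example
www.example.com = /var/www/example
"""

def parse_renewal_conf(text):
    """Parse the configobj-style file into nested dicts: '[name]' opens a
    section, '[[name]]' a subsection, a trailing comma marks a list."""
    stack = [{}]                              # one dict per nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or full-line comment
            continue
        m = re.fullmatch(r"(\[+)([^\]]+)\]+", line)
        if m:
            del stack[len(m.group(1)):]       # climb back to the parent level
            section = {}
            stack[-1][m.group(2).strip()] = section
            stack.append(section)
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.endswith(","):               # configobj list syntax "a, b,"
            value = [v.strip() for v in value.split(",") if v.strip()]
        stack[-1][key.strip()] = value
    return stack[0]

def challenge_plan(conf):
    """Map each domain in webroot_map to its challenge preference.  pref_challs
    appears once under [renewalparams], so every domain gets the same ordered
    list: the file format has no slot for a per-domain challenge choice."""
    params = conf.get("renewalparams", {})
    challs = params.get("pref_challs", [])
    if isinstance(challs, str):               # single value written without comma
        challs = [challs]
    return {d: list(challs) for d in params.get("webroot_map", {})}
```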