I am testing certbot with the dns-digitalocean plugin. Since my primary DNS does not support dynamic DNS updates, I set up a subdomain digitalocean-ns.example.com and delegated this subdomain to DigitalOcean. Then I set up an _acme-challenge.test.example.com CNAME record pointing to _acme-challenge.test.digitalocean-ns.example.com.
Now the problem is, how can I tell the dns-digitalocean plugin to update _acme-challenge.test.digitalocean-ns.example.com instead of _acme-challenge.test.example.com? Or do I have to use Cloudflare (certbot-dns-cloudflare-cname) instead? I chose DigitalOcean just because I have an existing account there, and felt too lazy to create a new Cloudflare account.
This is a real pain for me, because I have an existing centralized certbot installation that has already issued a lot of certificates and has all sorts of custom DNS authorization hooks and deploy scripts for remotely deploying the certificates to the servers.
FYI, since this installation was done in the infancy of DNS-01, there was not really good ACME agent support and I had to write my own DNS hook to interact with my own PowerDNS. I want to switch to DigitalOcean (or whatever) and retire my PowerDNS (and the associated DNS hooks) for maintainability. If I had to change ACME agent, I would have to rewrite all my server deployment scripts.
In this case I would rather try the unofficial plugin certbot-dns-cloudflare-cname instead. I want to keep my existing certbot cert issuance config. However, I would need to upgrade the certbot server first. This server is running on Ubuntu 18.04 and only offers Python 3.6, which does not meet certbot-dns-cloudflare-cname's minimum requirement.
The actual code for certbot-dns-digitalocean is pretty small (it mostly relies on an external Python library implementation of the DigitalOcean API).
It would probably be possible to just change the _compute_record_name function at the very end in order to do what you want. Or, if it's too much of a nuisance to change this within an installed version of the certbot-dns-digitalocean package, copy this file outside of that context entirely, make that change, and then wrap the invocation of that Python script in an auth-hook script.
Not that simple. It already failed at the beginning: _find_domain threw the error message "Unable to determine base domain" before ever reaching _compute_record_name. We need to resolve the CNAME first before actually executing this plugin. Although it is possible to handle this in the plugin, this should be certbot's duty instead.
Also, for security reasons, it is better to restrict certbot to accessing only the CNAME-delegated zone dedicated to _acme-challenge, instead of the full zone. The DigitalOcean API cannot limit the API key scope: having the API key allows the program to access all resources in the project.
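To illustrate the two steps the thread argues over (resolve the _acme-challenge CNAME first, then look for a managed zone and compute the relative record name), here is an added example that is not certbot's or the DigitalOcean plugin's code. The CNAME table and the list of zones the API token manages are constructed sample data, and the zone lookup only mirrors the plugin's base-domain search in spirit; it also shows why the unresolved name fails the zone lookup and how a CNAME loop is refused.

```python
"""Follow a CNAME chain for an ACME DNS-01 validation name, then compute the
zone and relative record where the TXT challenge must be written.
Added example; the records and zone list below are constructed."""
from typing import Dict, List, Tuple

# Constructed sample of the delegation described in the thread.
SAMPLE_CNAMES: Dict[str, str] = {
    "_acme-challenge.test.example.com":
        "_acme-challenge.test.digitalocean-ns.example.com",
}
# Zones the API token is assumed to manage (constructed).
SAMPLE_ZONES: List[str] = ["digitalocean-ns.example.com"]


def resolve_cname_chain(name: str, cnames: Dict[str, str], max_hops: int = 8) -> str:
    """Return the final canonical name, refusing loops and overly long chains."""
    seen = set()
    current = name.rstrip(".").lower()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {current}")
        seen.add(current)
        current = cnames[current].rstrip(".").lower()
    return current


def find_zone(fqdn: str, zones: List[str]) -> str:
    """Pick the longest managed zone that is a suffix of fqdn; raise when none
    matches, which is the 'Unable to determine base domain' situation."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise ValueError(f"Unable to determine base domain for {fqdn}")


def compute_record_name(zone: str, fqdn: str) -> str:
    """Record name relative to zone ('@' when fqdn is the zone apex)."""
    if fqdn == zone:
        return "@"
    return fqdn[: -(len(zone) + 1)]


def challenge_target(validation_name: str, cnames: Dict[str, str],
                     zones: List[str]) -> Tuple[str, str]:
    """Return (zone, relative record) where the TXT record must be created."""
    target = resolve_cname_chain(validation_name, cnames)
    zone = find_zone(target, zones)
    return zone, compute_record_name(zone, target)
```

Because the token only needs to manage the delegated zone, this keeps the credential's reach limited to digitalocean-ns.example.com rather than the parent domain.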