I am looking for options to support alternate domains for the API endpoints when doing DNS validation.
Let me explain.
I have a customer; they use an unsupported vendor for DNS but want to use Let's Encrypt wildcard certs. Since a big win of Let's Encrypt is automation, using --manual each time isn't an option, and neither is moving NS providers.
What we can do is add a CNAME to another zone, which we can host with any existing provider with a supported API. The only downside is that none of the DNS providers in certbot (for example) support a different domain than the cert requested.
Process:
User runs certbot to set up the account; they specify their domain -d example.com -d *.example.com and have an existing CNAME of _acme-challenge.example.com IN CNAME acme-api.example.net
I want to add the TXT validation records to the CNAME target acme-api.example.net instead of _acme-challenge.example.com
I'm thinking a command-line option is all I would need, for nsone for example.
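The flow described in this post, as an added example that is not from the thread or from certbot itself: a DNS-01 auth hook that follows the _acme-challenge CNAME to its target (with loop and chain-length checks) and only then builds the TXT record to publish in the delegated zone. The CNAME data, the validation token and the `publish` callable standing in for a provider API are all constructed/hypothetical; certbot's real --manual-auth-hook contract (CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment) is the only part taken from actual tooling.

```python
import os
from typing import Callable, Dict, List, Mapping

# Constructed stand-in for live DNS answers (owner name -> CNAME target).
# A real hook would query a resolver; the chain-following logic is the same.
SAMPLE_CNAMES: Dict[str, str] = {
    "_acme-challenge.example.com.": "acme-api.example.net.",
    "_acme-challenge.example.org.": "_acme-challenge.example.org.",  # self-referencing loop
    "_acme-challenge.chain.test.": "hop1.chain.test.",
    "hop1.chain.test.": "hop2.chain.test.",
    "hop2.chain.test.": "acme-api.example.net.",
}


def canonical(name: str) -> str:
    """Lower-case and add the trailing dot so lookups match however the name was written."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def challenge_name(domain: str) -> str:
    """DNS-01 owner name; a wildcard identifier shares the base domain's challenge name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return canonical("_acme-challenge." + base)


def resolve_challenge_target(domain: str, cnames: Mapping[str, str], max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<domain>; refuse loops and over-long chains."""
    name = challenge_name(domain)
    seen = set()
    while name in cnames:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        if len(seen) >= max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops from {challenge_name(domain)}")
        seen.add(name)
        name = canonical(cnames[name])
    return name


def is_delegation_safe(domain: str, cnames: Mapping[str, str]) -> bool:
    """Pre-flight check: does the challenge name resolve to a usable target?"""
    try:
        resolve_challenge_target(domain, cnames)
        return True
    except ValueError:
        return False


def build_txt_record(domain: str, validation: str, cnames: Mapping[str, str]) -> Dict[str, object]:
    """The record the provider API should create: TXT at the CNAME target, not at the original name."""
    return {
        "name": resolve_challenge_target(domain, cnames),
        "type": "TXT",
        "ttl": 60,
        "content": validation,
    }


Publisher = Callable[[Dict[str, object]], None]


def run_auth_hook(env: Mapping[str, str], publish: Publisher,
                  cnames: Mapping[str, str] = SAMPLE_CNAMES) -> Dict[str, object]:
    """Certbot's --manual-auth-hook passes CERTBOT_DOMAIN and CERTBOT_VALIDATION via the environment."""
    record = build_txt_record(env["CERTBOT_DOMAIN"], env["CERTBOT_VALIDATION"], cnames)
    publish(record)  # hypothetical provider call, e.g. a lexicon or vendor API wrapper
    return record


def verify_published(record: Dict[str, object], txt_lookup: Callable[[str], List[str]]) -> bool:
    """Before returning to certbot, confirm the token is visible at the name the CA will query."""
    return record["content"] in txt_lookup(record["name"])


if __name__ == "__main__":
    published: Dict[str, List[str]] = {}

    def fake_publish(rec: Dict[str, object]) -> None:
        published.setdefault(str(rec["name"]), []).append(str(rec["content"]))

    env = os.environ if "CERTBOT_DOMAIN" in os.environ else {
        "CERTBOT_DOMAIN": "*.example.com",                    # constructed
        "CERTBOT_VALIDATION": "constructed-validation-token",  # constructed
    }
    rec = run_auth_hook(env, fake_publish)
    print(rec, "visible:", verify_published(rec, lambda n: published.get(n, [])))
```

Wired in as `certbot --manual --preferred-challenges dns --manual-auth-hook ./hook.py`, the script would need a real resolver for the CNAME lookup and a real provider client in place of `publish`; the important property is that the TXT record is created at `acme-api.example.net`, the only zone the automation has API credentials for, while the customer's own zone only ever carries the static CNAME.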
Not relevant: what if the customer refuses to provide API access to the DNS system, or the DNS provider cannot scope API tokens to only TXT or only specific subdomains?
Yes, you can do it already; I wrote a post showing an example here.
Regarding the lack of DNS providers supported by certbot, you can always write your own script to talk to your DNS provider's API, or you could use lexicon. This tool supports a lot of DNS providers, and @_az has a wonderful page that explains all the steps to use lexicon with certbot-auto: you just select the DNS provider and it creates all the commands and scripts for you ;).
I'll take a look at acme.sh. I'm fully aware of and understand how the TXT validation and CNAMEs/DNAMEs work; I simply wanted a way to override the domain that is updated via the DNS API.
Edit: the PR mentioned is exactly what I am looking for, thank you.