I am looking for options to support alternate domains for the API endpoints when doing DNS validation.
Let me explain.
I have a customer; they use an unsupported vendor for DNS, but want to use letsencrypt wildcard certs. Since a big win of letsencrypt is automation, using --manual each time isn't an option, and neither is moving NS providers.
What we can do is add a CNAME to another zone, for which we can use any existing provider with a supported API. The only downside is that none of the DNS providers in certbot (for example) support a different domain than the cert requested.
The user runs certbot to set up the account; they specify their domain
-d example.com -d *.example.com and have an existing CNAME of
_acme-challenge.example.com IN CNAME acme-api.example.net
I want to add the TXT validation records to the CNAME target
acme-api.example.net instead of
I’m thinking a command line option is all I would need, nsone for example.
acme.sh - https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
certbot - https://github.com/certbot/certbot/pull/5350
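The mechanism the post describes, as an added example that is not part of the original post and is not code from certbot, acme.sh or any DNS provider plugin: a certbot --manual-auth-hook that takes the domain certbot is validating, follows _acme-challenge.<domain> through its CNAME into a zone we can write to, and works out which zone and record the TXT value belongs in. The only certbot facts it relies on are the CERTBOT_DOMAIN and CERTBOT_VALIDATION environment variables that certbot exports to manual hooks; the CNAME table, the managed zone list (acme-api.example.net, example.net) and the in-memory record store are constructed assumptions so it runs offline, and the provider API call is left as the point where a real hook would call nsone or another supported API.

```python
#!/usr/bin/env python3
"""Added example: a certbot --manual-auth-hook that follows the
_acme-challenge CNAME into a zone we can write to via an API.

Hypothetical code, not from certbot or acme.sh. certbot does export
CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks; everything else here
(the CNAME table, the zone list, the record store) is constructed so the
script runs offline. A real hook would replace CONSTRUCTED_CNAMES with a
resolver query and the print in main() with the provider's API call.
"""
import os
import sys

# Constructed CNAME table standing in for a live DNS lookup.
CONSTRUCTED_CNAMES = {
    "_acme-challenge.example.com.": "acme-api.example.net.",
    "_acme-challenge.www.example.com.": "www.acme-api.example.net.",
    "loop-a.example.com.": "loop-b.example.com.",  # deliberate loop for the check
    "loop-b.example.com.": "loop-a.example.com.",
}

# Zones reachable through a supported DNS API (assumed for the example).
MANAGED_ZONES = ["acme-api.example.net", "example.net"]


def canonical(name):
    """Lower-case, fully qualified form so comparisons are exact."""
    return name.rstrip(".").lower() + "."


def follow_cnames(name, cname_map=CONSTRUCTED_CNAMES, max_hops=8):
    """Follow CNAMEs from `name` to the final owner name (no trailing dot).

    Raises ValueError on a CNAME loop or an over-long chain, so a broken
    delegation fails loudly instead of writing the TXT record somewhere wrong.
    """
    seen = set()
    cur = canonical(name)
    while cur in cname_map:
        if cur in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at %s" % cur)
        seen.add(cur)
        cur = canonical(cname_map[cur])
    return cur.rstrip(".")


def split_zone(fqdn, zones=MANAGED_ZONES):
    """Return (zone, relative_name) using the longest managed zone that is a
    suffix of fqdn; '@' means the zone apex. ValueError if no zone matches."""
    fqdn = fqdn.rstrip(".").lower()
    best = None
    for zone in zones:
        zone = zone.rstrip(".").lower()
        if fqdn == zone or fqdn.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        raise ValueError("%s is not inside any managed zone" % fqdn)
    relative = "@" if fqdn == best else fqdn[: -(len(best) + 1)]
    return best, relative


def challenge_target(domain, cname_map=CONSTRUCTED_CNAMES, zones=MANAGED_ZONES):
    """Where the TXT record for `domain` must actually be written.

    Returns (target_fqdn, zone, relative_name). A wildcard and its base name
    share one challenge owner, _acme-challenge.<base>.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    target = follow_cnames("_acme-challenge." + base, cname_map)
    zone, relative = split_zone(target, zones)
    return target, zone, relative


def add_txt_value(store, target, value):
    """Append, never replace: certbot validates example.com and *.example.com
    with two different tokens at the same owner name, so both TXT values must
    coexist until the cleanup hook runs. `store` stands in for the provider's
    record set (constructed for the example)."""
    values = store.setdefault(target, [])
    if value not in values:
        values.append(value)
    return list(values)


def main():
    domain = os.environ.get("CERTBOT_DOMAIN")
    validation = os.environ.get("CERTBOT_VALIDATION")
    if not domain or not validation:
        sys.exit("run as certbot --manual-auth-hook; CERTBOT_DOMAIN/CERTBOT_VALIDATION missing")
    target, zone, relative = challenge_target(domain)
    # A real hook would call the provider API for `zone`/`relative` here.
    print("add TXT %s (zone %s, record %s) = %s" % (target, zone, relative, validation))


if __name__ == "__main__":
    main()
```

Two points worth keeping when turning this into a real hook: the delegation must exist before issuance, so check that a TXT query for _acme-challenge.example.com follows the CNAME to acme-api.example.net (dig +short TXT _acme-challenge.example.com shows the CNAME target first), and the cleanup hook should remove only the value it added, since the apex and wildcard challenges share the same owner name.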