I'm trying to set up certbot to get & renew certificates for a subdomain of my organization, whose domain is managed by Route53, in a partner's server which doesn't have HTTPS exposed to the public internet (our webapp is going to be accessed from within the partner's VPN only).
I'm planning to use Let's Encrypt's DNS-based authentication method to automate the certificate's renewal. Since the server is shared with our partners, I'm planning to use an AWS key that's policy-limited to only deal with this specific subdomain - in the event of the credentials getting leaked, I want them to only be useful for renewing this specific domain, and nothing else.
Is there any particular reason not to support telling certbot the specific Hosted Zone ID via configuration in order to relax the
I may try to attempt a pull request to add that feature, but I want to first make sure that it's OK with the community/maintainers.
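As an added illustration of the least-privilege setup the post describes (this is example policy written for this page, not the poster's own configuration or anything shipped with certbot), here is an IAM policy that lets certbot's Route53 plugin do its job while confining the key to the ACME challenge record of one subdomain in one hosted zone. The hosted zone ID `ZEXAMPLE1234567` and the name `_acme-challenge.app.example.org` are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CertbotEnumeratesZonesAndPollsChangeStatus",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnlyTheAcmeChallengeTxtRecordInOneZone",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ZEXAMPLE1234567",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.app.example.org"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": [
            "TXT"
          ]
        }
      }
    }
  ]
}
```

The second statement is where the containment comes from: the `ChangeResourceRecordSets` grant is tied to a single hosted zone ARN, and the Route53 condition keys further restrict it to TXT records under the one `_acme-challenge` name, so a leaked key cannot rewrite A or CNAME records for other hosts in the zone. The first statement is the part that cannot be narrowed: `route53:ListHostedZones` only accepts `*` as a resource, so the key can always see the names of every zone in the account even though it cannot modify them. That read-only exposure is exactly what a "hosted zone ID" option in certbot would remove, since the plugin would no longer need to enumerate zones to find the right one.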