Certbot with auto-renewal within VPN

Hi,

We have a production system within a VPN and would like to secure it with a cert, and I would like to avoid doing this with a self-signed cert.

The discussion I found was Webserver behind Firewall via vpn. But all I understand from the docs is that you can do a manual certificate setup with a TXT record like _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM", but then you lose the auto-renewal function.

What I am not understanding is:

Why is it not possible to simply set up a DNS entry like _acme-challenge.example.com that would be accessible from outside, and THIS I can configure to point to anything like /.well-known/acme-challenge/ where certbot could place its keys and do the auto-renewal while example.com is not available from outside?

Best Regards,
Chris

You can automate the DNS-01 challenge. What you cannot automate is a manual challenge. Make sure that you use a DNS provider with API access and a plugin for your ACME client. Depending on how quickly the challenge record populates, you may need to pause before checking.

4 Likes

Welcome @csedl

Yes, a DNS Challenge probably suits your situation better than an HTTP Challenge. If your public DNS supports an API to add/delete TXT records then you can automate that (many do). The ACME Client you choose would also have to support that API. You can also delegate this and use a different DNS system or even something like acme-dns (GitHub here).

https://eff-certbot.readthedocs.io/en/latest/using.html#dns-plugins

4 Likes
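As an added example, not code from this thread, from certbot or from any DNS provider: the two replies above say the DNS-01 challenge can be automated through a DNS API and that you may need to pause until the record is visible. One way to do that without a provider plugin is a certbot --manual-auth-hook script like the one below. It assumes the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables that certbot exports to manual hooks, and publish_txt is a hypothetical placeholder for your provider's API call.

```shell
#!/bin/sh
# Added example: certbot manual auth hook that publishes the DNS-01 TXT record
# via a DNS provider API and waits until a resolver can see it before returning,
# so "certbot renew" stays unattended. publish_txt is a placeholder, not a real API.

# Name of the validation record for the domain certbot is validating.
challenge_name() {
    printf '_acme-challenge.%s' "$1"
}

# Placeholder: replace the body with your DNS provider's API call (hypothetical).
publish_txt() {
    name=$1; value=$2
    echo "would publish TXT $name -> \"$value\" via provider API" >&2
}

# Poll until the expected TXT value is visible, or give up after WAIT_ATTEMPTS tries.
# $3 is the lookup command (default: dig +short TXT); overridable for testing.
wait_for_txt() {
    name=$1; expected=$2; lookup=${3:-"dig +short TXT"}
    attempts=0
    while [ "$attempts" -lt "${WAIT_ATTEMPTS:-30}" ]; do
        # dig prints TXT data quoted, so match the quoted token exactly.
        if $lookup "$name" | grep -Fq "\"$expected\""; then
            return 0
        fi
        attempts=$((attempts + 1))
        sleep "${WAIT_INTERVAL:-10}"
    done
    return 1
}

# Entry point when certbot invokes this file as --manual-auth-hook.
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    name=$(challenge_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" || exit 1
fi
```

A matching --manual-cleanup-hook should delete the record again afterwards; certbot runs both hooks on every renewal, so the certificate renews without anyone on the VPN touching DNS by hand.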

Because those are two different FQDNs:

  • example.com
  • _acme-challenge.example.com

It doesn't make too much sense to allow one single FQDN to represent an entire domain - when the authentication method is going to be HTTP.
If the authentication method is DNS, then one clearly has control of the domain.
Whereas, when one has control of a single FQDN/IP, it doesn't imply full control of the domain.

2 Likes

Thank you all for the good explanations and I see that DNS API is the way to go.

3 Likes
