TL;DR: is there any way to redirect all ACME requests for subdomains of a domain (e.g. "system1.internal.example.org", "system2.internal.example.org") to a specific instance of an "acme-dns" server without creating a corresponding DNS CNAME entry for each of those subdomains in the main DNS server?
I'd like to use dns-01 for the creation of certificates that are to be used by my internal systems. All of them are reachable via FQDN ("system1.internal.example.org", "system2.internal.example.org", ...), but only from behind a firewall.
So far I only use dns-01 for a few publicly accessible systems (public2.example.org - port 80 is blocked on those systems, thus no http-01).
I installed the joohoi acme-dns on a separate system (hostname acme.example.org), then - on the main DNS server - added a nameserver delegation (acme.example.org 3600 IN NS acme.example.org, of course with a corresponding glue record) and created the respective CNAME entries to delegate the _acme-challenge subdomains to my account on the acme-dns server (e.g. _acme-challenge.public1.example.org CNAME a3288a17-e28b-485e-3f4b-e48e3b4e0714.acme.example.org).
This setup works flawlessly, but as I said, I created a CNAME record for each system which I wanted to provide with certificates.
If I took the same approach for our internal systems I would need to pollute the main DNS server with another 20+ entries and I've got the feeling I am missing something here.
As I'm writing this, it just pops into my head: maybe I can delegate the entire internal zone (internal.example.org) to the acme-dns server? Would that work? After all, I have no other connections from the outside except for the ACME accesses.
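An offline check of the delegation pattern described in the post, added here as an example and not part of the original question: it walks a constructed copy of the zone records (names and the acme-dns account subdomain taken from the post, addresses made up) and reports which hosts' _acme-challenge names do not actually chain into the zone delegated to acme-dns.

```python
# Added example, not from the original post. All records below are constructed:
# the names mirror the post, the IP addresses are documentation/private ranges.
ACME_ZONE = "acme.example.org."

# Constructed view of the example.org zone: (owner name, type, rdata)
ZONE = [
    ("acme.example.org.", "NS", "acme.example.org."),   # delegation to acme-dns
    ("acme.example.org.", "A", "198.51.100.10"),        # glue for the NS target
    ("public1.example.org.", "A", "198.51.100.20"),
    ("_acme-challenge.public1.example.org.", "CNAME",
     "a3288a17-e28b-485e-3f4b-e48e3b4e0714.acme.example.org."),
    ("public2.example.org.", "A", "198.51.100.21"),
    # Internal host that has NOT been given a _acme-challenge CNAME yet
    ("system1.internal.example.org.", "A", "10.0.0.5"),
]


def _lookup(name, rtype):
    """Return all rdata values of the given type for an owner name."""
    return [r for n, t, r in ZONE if n == name and t == rtype]


def delegation_ok(zone=ACME_ZONE):
    """The delegated zone needs NS records, and any NS target that lives
    inside the delegated zone itself must have a glue A record."""
    ns_targets = _lookup(zone, "NS")
    if not ns_targets:
        return False
    return all(_lookup(t, "A") for t in ns_targets if t.endswith(zone))


def challenge_target(host, max_hops=8):
    """Follow the CNAME chain of _acme-challenge.<host>.
    Returns the final owner name, or None on a loop / over-long chain."""
    name = f"_acme-challenge.{host}"
    for _ in range(max_hops):
        cname = _lookup(name, "CNAME")
        if not cname:
            return name          # chain ends here (no further CNAME)
        name = cname[0]
    return None


def challenge_delegated(host, zone=ACME_ZONE):
    """True when the challenge name ends up inside the acme-dns zone."""
    target = challenge_target(host)
    return target is not None and target.endswith("." + zone)


def audit(hosts, zone=ACME_ZONE):
    """Hosts whose dns-01 challenge would not be answered by acme-dns."""
    if not delegation_ok(zone):
        return list(hosts)       # nothing reaches acme-dns without the NS delegation
    return [h for h in hosts if not challenge_delegated(h, zone)]
```

Running audit() over the host list is the quick way to spot which of the 20+ internal systems still lack a CNAME before starting an issuance run.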