I’m using the letsencrypt.sh challenge with a hook script that I’ve written myself to implement DNS challenges using the following steps:
- Get challenge token (letsencrypt.sh)
- Upload DNS data (bash script which rsyncs the data to my authoritative DNS provider).
- Poll the domain’s authoritative nameservers directly (i.e. ignore my local resolver) until they all respond with the correct challenge (my hook script).
- Allow LetsEncrypt’s server to check the challenge (letsencrypt.sh - once my hook script returns control to it).
One potential problem I see with this is that the LetsEncrypt servers might have a cached response for the DNS lookup (TXT _acme-challenge.example.org), and so when the challenge is checked it won’t match what LE expects. Is there any way to work around this - or do the LE servers always do a fresh (i.e. ignoring any resolver cache) lookup for the challenge? I always use a low (120 seconds) TTL for the TXT challenge records.
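As an added illustration of the "poll the authoritative nameservers directly" step described above (this is example code, not the poster's hook script or anything from letsencrypt.sh), the following Python queries each authoritative server for the zone by name, bypassing the local resolver, and keeps polling until every one of them returns the expected `_acme-challenge` TXT value. The real lookup shells out to `dig` (assumed to be installed); the polling logic takes any query callable, so the block also contains a constructed fake resolver that simulates one lagging secondary and runs offline.

```python
"""Poll a zone's authoritative nameservers until all serve the ACME TXT token.

Added example, not the original poster's hook. The `dig`-based query assumes
bind-utils/dnsutils is on PATH; the fake query below is constructed so the
polling logic can be exercised without network access.
"""
import subprocess
import time
from typing import Callable, Dict, List

# A query function takes (nameserver, record name, record type) and returns the
# TXT strings that server answered with ([] on error or timeout).
QueryFn = Callable[[str, str, str], List[str]]


def dig_txt(nameserver: str, name: str, rrtype: str = "TXT") -> List[str]:
    """Ask one authoritative server directly, ignoring the local resolver.

    +norecurse asks the server to answer only from its own zone data, so a
    recursive cache somewhere in between cannot hide a stale answer.
    """
    cmd = ["dig", f"@{nameserver}", "+short", "+norecurse",
           "+time=3", "+tries=1", name, rrtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        return []
    # dig prints TXT rdata as quoted strings, one record per line.
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def servers_missing_token(nameservers: List[str], name: str, token: str,
                          query: QueryFn = dig_txt) -> List[str]:
    """Return the nameservers that do NOT yet serve `token` for `name`."""
    return [ns for ns in nameservers if token not in query(ns, name, "TXT")]


def wait_for_propagation(nameservers: List[str], name: str, token: str,
                         query: QueryFn = dig_txt, max_attempts: int = 30,
                         interval: float = 10.0,
                         sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll until every server answers with the token.

    Returns the number of polling rounds it took (>= 1), or 0 if the servers
    never converged within `max_attempts`. Only when it returns non-zero
    should the hook hand control back to the ACME client.
    """
    for attempt in range(1, max_attempts + 1):
        missing = servers_missing_token(nameservers, name, token, query)
        if not missing:
            return attempt
        if attempt < max_attempts:
            sleep(interval)
    return 0


def make_fake_query(polls_until_updated: Dict[str, int],
                    token: str = "TOKEN") -> QueryFn:
    """Constructed stand-in for dig_txt: each server serves a stale record for
    the configured number of polls, then the new token (simulates zone
    transfer lag between primary and secondaries)."""
    calls: Dict[str, int] = {}

    def query(ns: str, name: str, rrtype: str) -> List[str]:
        calls[ns] = calls.get(ns, 0) + 1
        if calls[ns] > polls_until_updated.get(ns, 0):
            return [token]
        return ["stale-previous-token"]

    return query


if __name__ == "__main__":
    # Offline demo with constructed servers: ns1 is current, ns2 lags two polls.
    servers = ["ns1.example.net", "ns2.example.net"]
    fake = make_fake_query({"ns1.example.net": 0, "ns2.example.net": 2})
    rounds = wait_for_propagation(servers, "_acme-challenge.example.org",
                                  "TOKEN", query=fake, interval=0,
                                  sleep=lambda _s: None)
    print("converged after", rounds, "polling rounds")
```

In a real hook you would build `servers` from the zone's NS records (for example `dig +short NS example.org`) and call `wait_for_propagation` with the default `dig_txt` query; a zero return value means the hook should fail rather than let the client proceed to validation.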