I’m in the midst of designing the DNS validation portion of my Let’s Encrypt deployment (in previous threads I have indicated this is a large deployment across hundreds of systems). I’ve already researched several methods of validation as noted here. As I’m required to use AWS Route53, and AWS still does not allow you to have an IAM policy that controls the type of DNS record (TXT), the only option I seem to have is to create a sub-delegate zone, point NS records towards the new zone, and then point the “_acme-challenge” validation subdomains to it using CNAME records.
With that said, it seems I would have to do the following:
- Let’s say I have an existing domain for .foo.com in Route53 (where this is the domain I will be using to generate X.509 certificates for e.g. test.foo.com, test1.foo.com, and so on).
- I believe I have to create a sub-delegate zone within this domain as my validation domain. Let’s call it “acme.foo.com”.
- I then have to point the new sub-delegate zone (acme.foo.com) to foo.com with the NS records etc.
- New “_acme-challenge” validation subdomains will use the “acme.foo.com” sub-delegate zone, so for a new certificate performing validation it will have foo_acme-challenge.acme.foo.com via CNAMEs.
My questions are as follows:
- Is this the correct setup?
- Is this baked into the route53 plugin?
- How can I force the route53 plugin to use the new sub-delegate zone so it’s not using the domain of the common name of the certificate?
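As an added example (not code from the original post or from the route53 plugin), the following script models the CNAME-delegation layout described in the post and checks the chain a CA would follow, offline. It assumes a naming convention the post does not fix: `_acme-challenge.<host>.foo.com` is a CNAME to `_acme-challenge.<host>.acme.foo.com`, and `acme.foo.com` is delegated with NS records; the zone data and the NS hostname are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

BASE_ZONE = "foo.com."          # zone holding the certificate names (from the post)
VALIDATION_ZONE = "acme.foo.com."   # sub-delegate zone (from the post)

def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."

def delegation_cname(hostname: str) -> Tuple[str, str]:
    """Return (owner, target) of the CNAME that moves validation into the sub-zone.
    Naming convention below is an assumption, not something the post specifies."""
    host = fqdn(hostname)
    if not host.endswith("." + BASE_ZONE):
        raise ValueError(f"{hostname} is not under {BASE_ZONE}")
    label = host[: -len(BASE_ZONE) - 1]          # "test" for test.foo.com
    return (f"_acme-challenge.{label}.{BASE_ZONE}",
            f"_acme-challenge.{label}.{VALIDATION_ZONE}")

def route53_change_batch(hostnames: List[str], ttl: int = 300) -> Dict:
    """ChangeBatch for route53.change_resource_record_sets on the foo.com hosted zone.
    These CNAMEs are static, so they need no TXT permission on foo.com at all."""
    changes = [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": owner, "Type": "CNAME", "TTL": ttl,
        "ResourceRecords": [{"Value": target}]}}
        for owner, target in map(delegation_cname, hostnames)]
    return {"Comment": "ACME DNS-01 delegation into acme.foo.com", "Changes": changes}

Resolver = Callable[[str, str], List[str]]   # (name, rrtype) -> record values

def verify_delegation(hostname: str, resolve: Resolver) -> List[str]:
    """Walk the chain the CA follows; return a list of problems (empty means OK)."""
    owner, target = delegation_cname(hostname)
    problems = []
    if resolve(owner, "CNAME") != [target]:
        problems.append(f"{owner} CNAME is not {target}")
    if not resolve(VALIDATION_ZONE, "NS"):
        problems.append(f"{VALIDATION_ZONE} has no NS records: sub-zone not delegated")
    if not resolve(target, "TXT"):
        problems.append(f"{target} has no TXT record: client never wrote the token")
    return problems

# Constructed in-memory zone data standing in for live DNS; test1 lacks its TXT token.
SAMPLE_ZONE = {
    ("_acme-challenge.test.foo.com.", "CNAME"): ["_acme-challenge.test.acme.foo.com."],
    ("_acme-challenge.test1.foo.com.", "CNAME"): ["_acme-challenge.test1.acme.foo.com."],
    ("acme.foo.com.", "NS"): ["ns-1.example-awsdns.invalid."],
    ("_acme-challenge.test.acme.foo.com.", "TXT"): ["constructed-token-value"],
}

def sample_resolver(name: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name, rrtype), [])

if __name__ == "__main__":
    print(route53_change_batch(["test.foo.com", "test1.foo.com"]))
    print(verify_delegation("test.foo.com", sample_resolver))    # []
    print(verify_delegation("test1.foo.com", sample_resolver))   # missing TXT
```

Because the CA follows the CNAME, the ACME client's IAM policy only needs change permission on the acme.foo.com hosted zone; against live DNS, replace `sample_resolver` with a real lookup and run `verify_delegation` before issuing.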