Let’s Encrypt wildcards do require updating TXT records, so that’s going to be a little more complex.
There is a way that you can still do it without requiring ongoing efforts from the customers for each renewal. It’s a one-time step for the customer to delegate this authority to you. But it will slightly complicate the customer’s initial setup process. Nonetheless, you can easily check whether the process has been completed correctly and provide support for customers as they set this up.
The way to do this is to have the customers set an additional CNAME for `_acme-challenge.example.com` to point to some other record (which doesn’t specifically have to be called `_acme-challenge`) inside a DNS zone that you control. The validation process will also follow that CNAME, and this should also be allowed for wildcard issuance. So you can update the target TXT record in your own DNS zone, instead of updating any records in the customer’s DNS zone.

With the theirdomain.com and mydomain.com examples, you could use

```
subdomain.theirdomain.com. IN CNAME mydomain.com.
_acme-challenge.subdomain.theirdomain.com. IN CNAME _acme-challenge.theirdomain.mydomain.com.
```
Now, posting TXT records at `_acme-challenge.theirdomain.mydomain.com` in response to an ACME DNS-01 challenge from Let’s Encrypt will allow you to obtain certificates for the base name `subdomain.theirdomain.com` as well as for the wildcard `*.subdomain.theirdomain.com`, as long as

- the second CNAME continues to exist, and
- there are no other problems with the customer’s DNS or your DNS (such as invalid handling of mixed-case queries, or invalid DNSSEC records, or refusing to answer queries for CAA records, or whatever).
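As an added example (not code from the original post or from Let’s Encrypt), here is the kind of check a provider could run to confirm a customer has completed the one-time delegation step: it follows the CNAME chain from `_acme-challenge.<customer host>` and verifies that it ends inside the zone the provider controls, catching the common failure modes (no CNAME at all, a CNAME pointing somewhere else, or a CNAME loop). The `lookup` function is an assumed hook; a constructed in-memory table stands in for real DNS so the script runs offline, and the names `subdomain.theirdomain.com` and `mydomain.com` are the ones used above.

```python
"""Verify that a customer's _acme-challenge CNAME delegation lands in our zone.

Added example, not part of the original post. The `lookup` callable is an
assumption: it takes a fully-qualified name and returns its CNAME target, or
None when the name has no CNAME. Replace `table_lookup` with a real resolver.
"""
from typing import Callable, List, Optional, Tuple

CnameLookup = Callable[[str], Optional[str]]


def normalize(name: str) -> str:
    """Canonical form for comparisons: lowercase, single trailing dot.

    DNS names are case-insensitive, so a customer entering mixed case must
    still validate; we compare on the normalized form only.
    """
    return name.strip().rstrip(".").lower() + "."


def follow_cnames(name: str, lookup: CnameLookup, max_hops: int = 8) -> List[str]:
    """Return the names visited from `name` until a name with no CNAME.

    Raises ValueError on a CNAME loop or when the chain exceeds max_hops.
    """
    seen: List[str] = []
    current = normalize(name)
    while True:
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.append(current)
        if len(seen) > max_hops:
            raise ValueError(f"more than {max_hops} CNAME hops from {name}")
        target = lookup(current)
        if target is None:
            return seen          # reached the name whose TXT record matters
        current = normalize(target)


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or any name underneath it."""
    n, z = normalize(name), normalize(zone)
    return n == z or n.endswith("." + z)


def check_delegation(customer_host: str, our_zone: str,
                     lookup: CnameLookup) -> Tuple[bool, Optional[str], str]:
    """Check that _acme-challenge.<customer_host> delegates into our_zone.

    Returns (ok, final_name, reason). `final_name` is where the ACME DNS-01
    TXT record must be published; it covers both the base name and the
    wildcard *.customer_host, since both validate against the same label.
    """
    challenge = "_acme-challenge." + normalize(customer_host)
    try:
        chain = follow_cnames(challenge, lookup)
    except ValueError as exc:
        return False, None, str(exc)
    final = chain[-1]
    if len(chain) == 1:
        return False, final, "no CNAME present on the challenge name"
    if not in_zone(final, our_zone):
        return False, final, "delegation does not land in our zone"
    return True, final, "ok"


# Constructed stand-in for DNS: name -> CNAME target. Not real records.
CONSTRUCTED_DNS = {
    # the correct setup from the post
    "subdomain.theirdomain.com.": "mydomain.com.",
    "_acme-challenge.subdomain.theirdomain.com.": "_acme-challenge.theirdomain.mydomain.com.",
    # a customer who pointed the challenge name at a zone we do not control
    "_acme-challenge.other.example.": "_acme-challenge.somewhere-else.example.",
    # a misconfiguration that loops
    "_acme-challenge.loop.example.": "a.loop.example.",
    "a.loop.example.": "_acme-challenge.loop.example.",
}


def table_lookup(name: str) -> Optional[str]:
    """CNAME lookup against the constructed table (assumed resolver hook)."""
    return CONSTRUCTED_DNS.get(normalize(name))


if __name__ == "__main__":
    for host in ["subdomain.theirdomain.com", "other.example",
                 "loop.example", "missing.example"]:
        ok, final, reason = check_delegation(host, "mydomain.com", table_lookup)
        print(f"{host:28} ok={ok!s:5} final={final} reason={reason}")
```

In production the `lookup` hook would query an authoritative or recursive resolver for the CNAME RRset; the chain-following and zone check stay the same, and the `final` name it returns is exactly where the provider's ACME client must write the DNS-01 TXT value at each renewal.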