It would be helpful to have a little more information about what kind of service you provide and how your customers use it (including via DNS).
In another case where customers pointed DNS records at a service, I remember suggesting that the developer could ask customers to make _acme-challenge be a CNAME to the developer’s service, which would then allow the developer to get certificates (and verify that this is set up properly) even before any other CNAME or A records are pointed at the service. Would this be feasible for you?
In general, to get a certificate from any CA you’re supposed to prove that you control the domain names that will be listed in the certificate. How do you anticipate that you would go about doing this in general for customer-registered names?
FYI the service provided is web dev + hosting. My particular issue is that a lot of clients are moving an existing site - and until said site has been migrated to the new solution (80% of the time AWS), the automation of Let's Encrypt isn't easy.
In my head I see the cleanest path to using Let's Encrypt would be to manually request the cert, store the DNS challenge, then pass it on to clients to configure. At least 50% of these clients have DNS managed by companies without APIs - their own ISP/telco, who will charge for the DNS maintenance.
My initial thought is that once configured, the cert can be generated. But if my understanding of renewal is correct, DNS needs to be updated during renewal too.
Over the years I have found that just registering XXXdev.net for every project is easier.
No /etc/hosts hacks that prevent things like Let's Encrypt or webhooks from working, no fighting over control of DNS, a small tax-deductible expense to make life easier.
To go live you need to deal with telling them what to do with DNS anyway to point the site. I would suggest bootstrapping an initial certificate using a manual webroot challenge on their old hosting, and then after go-live, use the HTTP challenge for renewal. Avoiding the DNS challenge is a good idea when dealing with webdev clients.
You only need the DNS-01 challenge if you need wildcard certificates. If you don’t need a wildcard, you can use HTTP-01.
If you need a wildcard certificate, have all your clients CNAME the _acme-challenge onto a domain you own, set up a central acme-dns instance to manage them all, and use that for handling wildcards. Solved.
A nice benefit of this method is that you can also write a script to check whether or not each customer has done it successfully. (It's true that if they fail to set it up, they may require a lot more tech support in order to figure it out, but at least you don't have to guess about whether a customer has succeeded or not.)
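One concrete form of the check described in that last reply, added here as an example and not code from the thread: for each customer domain it follows the `_acme-challenge` CNAME and reports whether it lands under the provider's delegated zone. The provider zone, the customer domains and the answer table are constructed values, and `fake_resolve` stands in for a real CNAME lookup so the script runs offline.

```python
from typing import Callable, Dict, Iterable, Optional

# resolve(name) -> CNAME target as a string, or None when the name has no CNAME.
Resolver = Callable[[str], Optional[str]]

# Hypothetical zone the provider controls (e.g. served by acme-dns); constructed value.
PROVIDER_ZONE = "acme.example-provider.net"


def canonical(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.rstrip(".").lower()


def is_under(name: str, zone: str) -> bool:
    """True when name is zone itself or any label beneath it."""
    name, zone = canonical(name), canonical(zone)
    return name == zone or name.endswith("." + zone)


def check_delegation(customer_domain: str, resolve: Resolver,
                     zone: str = PROVIDER_ZONE, max_hops: int = 5) -> str:
    """Return 'ok', 'missing', 'wrong-target' or 'loop' for one customer domain.

    A short CNAME chain is followed because customers sometimes alias through an
    intermediate name of their own before reaching the provider's zone.
    """
    name = f"_acme-challenge.{canonical(customer_domain)}"
    seen = set()
    for hop in range(max_hops):
        if name in seen:
            return "loop"
        seen.add(name)
        target = resolve(name)
        if target is None:
            return "missing" if hop == 0 else "wrong-target"
        if is_under(target, zone):
            return "ok"
        name = canonical(target)
    return "loop"


def report(customers: Iterable[str], resolve: Resolver, zone: str = PROVIDER_ZONE) -> Dict[str, str]:
    return {c: check_delegation(c, resolve, zone) for c in customers}


# Constructed answer table standing in for live DNS (example data, not real domains).
FAKE_CNAMES = {
    "_acme-challenge.alpha.example": "alpha.acme.example-provider.net.",  # direct, trailing dot
    "_acme-challenge.beta.example": "challenge.beta.example",             # intermediate hop
    "challenge.beta.example": "Beta.ACME.Example-Provider.NET",            # mixed case
    "_acme-challenge.gamma.example": "gamma.some-other-dns.example",       # wrong provider
    "_acme-challenge.delta.example": "loop.delta.example",                 # CNAME loop
    "loop.delta.example": "_acme-challenge.delta.example",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_CNAMES.get(canonical(name))


if __name__ == "__main__":
    customers = ["alpha.example", "beta.example", "gamma.example", "delta.example", "epsilon.example"]
    for domain, status in report(customers, fake_resolve).items():
        print(f"{domain:20} {status}")
```

In production, replace `fake_resolve` with a function that performs a real CNAME query (for instance via dnspython) and run the report before attempting issuance, so a failed setup shows up as 'missing' or 'wrong-target' rather than as an ACME validation error.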