Limit certbot to subdomain

Hi, newbie here, though I have read the FAQs and searched the forum before asking this: we have a web server on a subdomain and I'd like to use Let's Encrypt there, but if that server is hacked, I don't want the attacker to be able to issue certificates for the domain (nor for any other subdomains).

Is this a valid concern or is the domain validation automatically limited to the subdomain?

Thanks for any help and sorry for any ignorance on my part.

The biggest possible threat there is if your server gets compromised and you use dns-01 to get your certificate automatically, as your DNS credentials or API keys could get leaked. This can and does get scary if your API key is not scoped.

If you use http-01 or tls-alpn-01, each server can only get certificates for names (complete FQDNs) pointing to its IP addresses.

3 Likes

If you want to limit what certificates can be issued for what domain names, you should look at what you can do with CAA records, which can be limited with the accounturi parameter to allow Let's Encrypt only for a specific ACME account.

3 Likes
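The CAA approach from the last reply, as an added example that is not part of the original posts: a simplified model of how a CA evaluates CAA records with `accounturi` (RFC 8659 lookup plus the RFC 8657 parameter). The zone contents, the `shop.example.com` name and both account IDs are constructed placeholders, and the function names are hypothetical.

```python
# Added example: every name, account ID and record below is constructed.
LE = "letsencrypt.org"
ACCT_APEX = "https://acme-v02.api.letsencrypt.org/acme/acct/1111111"  # placeholder ID
ACCT_WEB = "https://acme-v02.api.letsencrypt.org/acme/acct/2222222"   # placeholder ID

# name -> CAA records as (tag, value); the subdomain server only holds ACCT_WEB
ZONE = {
    "example.com": [("issue", f"{LE}; accounturi={ACCT_APEX}")],
    "shop.example.com": [("issue", f"{LE}; accounturi={ACCT_WEB}")],
}

def parse_value(value):
    """Split 'ca.domain; k=v; ...' into (issuer_domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), {k.strip().lower(): v.strip() for k, v in params.items()}

def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuance_allowed(fqdn, ca, account_uri, zone):
    """True if `ca` may issue for `fqdn` to the ACME account `account_uri`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    # issuewild, when present, replaces issue for wildcard requests only
    props = [v for t, v in rrset if t == "issuewild"] if wildcard else []
    if not props:
        props = [v for t, v in rrset if t == "issue"]
    if not props:
        return True  # nothing in the relevant set restricts this request
    for value in props:
        issuer, params = parse_value(value)
        wanted = params.get("accounturi")
        if issuer == ca and (wanted is None or wanted == account_uri):
            return True
    return False

if __name__ == "__main__":
    for name in ("shop.example.com", "example.com", "mail.example.com"):
        print(name, issuance_allowed(name, LE, ACCT_WEB, ZONE))
```

Names below `shop.example.com` that have no CAA record of their own inherit its record, so the subdomain's account can still issue for those.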