The current protocols require port 80 or 443 to be open, or the use of a proprietary DNS API.
If you can't use either of these methods, you have to intervene manually to renew a certificate.
I would like to propose an alternate method that doesn't require intervention for renewals.
The ACME client (or other tool) generates a public/private key pair.
The public key is added as a DNS record, something like a TXT record.
To acquire a cert, the ACME client sends a cert request that contains the desired DNS name and is signed by the private key.
The LE servers do a DNS request to obtain the public key. The request's signature is validated and the cert is returned.
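The exchange above worked through in Go, as an added example that is not part of the original post: the DNS zone is a constructed in-memory map standing in for a resolver, and the _acme-key.<name> label, the TXT encoding (base64 of an Ed25519 public key) and the signed timestamp are assumptions of this example, since the proposal does not fix them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strconv"
)

// Zone is a constructed stand-in for a DNS resolver: owner name -> TXT strings.
type Zone map[string][]string
// CertRequest is the proposal's signed request for one DNS name.
type CertRequest struct {
	Name      string
	IssuedAt  int64 // assumption added here so a captured request cannot be replayed later
	Signature []byte
}

// signedBytes is what the private key signs: the requested name and the timestamp.
func signedBytes(name string, issuedAt int64) []byte {
	return []byte(name + "|" + strconv.FormatInt(issuedAt, 10))
}
// NewAccountKey is the install step: generate the pair and return the TXT value to publish.
func NewAccountKey() (ed25519.PrivateKey, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, base64.StdEncoding.EncodeToString(pub), err
}

// NewCertRequest is the client side: sign the desired DNS name with the private key.
func NewCertRequest(name string, priv ed25519.PrivateKey, now int64) CertRequest {
	return CertRequest{Name: name, IssuedAt: now, Signature: ed25519.Sign(priv, signedBytes(name, now))}
}

// Verify is the CA side: look up _acme-key.<name> (label assumed here), check freshness, verify signature.
func Verify(zone Zone, req CertRequest, now, maxSkewSec int64) error {
	if d := now - req.IssuedAt; d > maxSkewSec || d < -maxSkewSec {
		return errors.New("request timestamp outside accepted window")
	}
	for _, txt := range zone["_acme-key."+req.Name] {
		raw, err := base64.StdEncoding.DecodeString(txt)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			continue // unrelated or malformed TXT record
		}
		if ed25519.Verify(ed25519.PublicKey(raw), signedBytes(req.Name, req.IssuedAt), req.Signature) {
			return nil
		}
	}
	return errors.New("no key published in DNS verifies this request")
}
```

A CA implementing this would also need the lookup to be DNSSEC-validated or made from several vantage points, exactly as with the existing DNS-01 challenge, because the TXT record is the only thing binding the key to the name.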
Motivation
This provides a simpler middle ground for non-ACME clients, when the server can't open ports and implementing support for every possible DNS API isn't practical.
I build web servers for internal systems, and my customers don't like having to open ports.
Even when using the likes of Caddy I have to add some barely supported DNS API client to get it operational. This protocol would make installations easier: just generate a pub/priv key pair as part of the install and upload the key to DNS.
This appears to be a much cleaner path than the existing protocols.