I’m a newbie planning to use letsencrypt for my macOS-based services. Currently I’m using my own CA and distribute its root to the systems that need it. But I need a wider coverage.
I’ve been looking at letsencrypt and my main problem is that I want to have this fully automated, so I can set up a cron job. Covering the main web site will be easy enough, I suspect, but currently I’m using a wildcard certificate to cover all services. I have no problem using specific certificates for all services that I use, as long as I can rely on autorenewal and the service doesn’t get interrupted.
My first question is: if I use a DNS challenge, does that mean that on each renewal, the challenge in the _acme-challenge TXT record will have to change? If so, I cannot automate that, as my DNS is hosted externally (split DNS, actually).
My second question is: if I do not use wildcards and I try to get a certificate for (say) www.rna.nl and mail.rna.nl (for postfix) is it enough to have control over the webroot of www.rna.nl or does mail.rna.nl have to have a web server that listens on port 443 as well?
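Added here as an editor's example, not code from the poster: a Python sketch of how ACME (RFC 8555) derives the HTTP-01 response body and the DNS-01 TXT value from the per-order token and the account key, using a constructed sample JWK and the hostnames mentioned above. It shows why the TXT value is different for every renewal (a new order means a new token) and why HTTP-01 is validated per name, by the CA fetching from that name over plain HTTP on port 80.

```python
import base64
import hashlib
import json
import secrets

# Constructed sample account key (public part of an ES256 JWK). In real use
# this is the ACME account key; the CA supplies the per-challenge tokens.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    in lexicographic order, with no whitespace in the JSON."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(name: str, token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01 (section 8.3): the CA fetches this URL from *this* name over
    HTTP on port 80 and expects the key authorization as the body. Each
    name in the order gets its own token and its own fetch."""
    url = f"http://{name}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_record(name: str, token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01 (section 8.4): TXT at _acme-challenge.<name> holding
    base64url(SHA-256(key authorization)). The token is fresh per order,
    so the value must be rewritten on every renewal."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{name}", b64url(digest)


if __name__ == "__main__":
    for host in ("www.rna.nl", "mail.rna.nl"):
        print(http01_response(host, secrets.token_urlsafe(32), ACCOUNT_JWK))
    # Two renewals of the same wildcard name: two tokens, two TXT values.
    for _ in range(2):
        print(dns01_record("rna.nl", secrets.token_urlsafe(32), ACCOUNT_JWK))
```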