Renew using dns-01 challenge

Hi @StefCoene,

For those domains you don't control, you can ask the owner to create a CNAME record pointing to a domain you control so you could automate the process.


You want to issue a certificate for the external.tld domain, which you don't control, but you have the domain own.tld, which you do control, and you have a DNS API to create records, etc.

1.- Ask external.tld owner to create the following CNAME record:

_acme-challenge.external.tld IN CNAME external.tld.own.tld

2.- When issuing a certificate with your client for external.tld, create a TXT record on your own DNS server containing the right token for external.tld:

external.tld.own.tld IN TXT "here the token to validate external.tld"

3.- You are done ;). Let's Encrypt will try to get the token by checking the TXT record for _acme-challenge.external.tld and will follow the CNAME, so it will try to get the TXT record by checking the domain you control, external.tld.own.tld.

Step 1 needs to be done just once, so you can renew the certificate whenever you want without needing to ask the owner to create the TXT record or doing it manually.

Of course, for every domain for which they want to issue a cert, they need to create a CNAME and you a TXT record:

_acme-challenge.external.tld IN CNAME external.tld.own.tld
_acme-challenge.www.external.tld IN CNAME www.external.tld.own.tld
_acme-challenge.admin.external.tld IN CNAME admin.external.tld.own.tld
and so on...

Edit: Sorry, I just read @jmorahan's post pointing to this method...

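Added example, not from the original post or from any ACME client: a small Python simulation of the lookup a CA performs with this delegation. It queries _acme-challenge.<domain>, follows the CNAME into own.tld and reads the TXT record there, with a hop limit so a misconfigured CNAME loop fails instead of hanging. The zone data and tokens are constructed; no real DNS queries are made.

```python
# Simulates dns-01 validation when _acme-challenge.<domain> is delegated by CNAME
# into a zone you control. All records below are constructed for this example.
from typing import Dict, List, Tuple

# name -> list of (record type, value); names are fully qualified, no trailing dot
ZONE: Dict[str, List[Tuple[str, str]]] = {
    # Step 1: CNAMEs the external.tld owner creates once
    "_acme-challenge.external.tld": [("CNAME", "external.tld.own.tld")],
    "_acme-challenge.www.external.tld": [("CNAME", "www.external.tld.own.tld")],
    # Step 2: TXT records you publish in own.tld at issuance time (made-up tokens)
    "external.tld.own.tld": [("TXT", "token-for-external-tld")],
    "www.external.tld.own.tld": [("TXT", "token-for-www-external-tld")],
}


def challenge_name(domain: str) -> str:
    """Name the CA queries for dns-01 validation of `domain`."""
    return f"_acme-challenge.{domain}"


def delegated_name(domain: str, own_zone: str) -> str:
    """Name under your own zone the CNAME should target (the post's convention)."""
    return f"{domain}.{own_zone}"


def lookup_txt(name: str, zone: Dict[str, List[Tuple[str, str]]],
               max_hops: int = 8) -> List[str]:
    """Return TXT values for `name`, following CNAMEs as a resolver would.
    A name that has a CNAME carries no other data, so we always chase it."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        records = zone.get(name, [])
        cnames = [v for t, v in records if t == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        return [v for t, v in records if t == "TXT"]
    raise ValueError(f"more than {max_hops} CNAME hops from {name}")


def validate_dns01(domain: str, expected_token: str,
                   zone: Dict[str, List[Tuple[str, str]]] = ZONE) -> bool:
    """True if the CA would find `expected_token` at _acme-challenge.<domain>."""
    return expected_token in lookup_txt(challenge_name(domain), zone)
```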