I am new to Let’s Encrypt and am considering using it for a project where I would have to issue a certificate for a specific sub-domain without having direct access to the top-level domain’s DNS servers themselves.
So, for example, I would want to issue a certificate for test.example.com, and I could pass a challenge for a file hosted on test.example.com but not on example.com (because another team controls the top-level domain).
The question is: does the ACME protocol allow validation to be done on the sub-domain for which the certificate was requested, or is it always done from the top-level domain no matter what?
Yes, validations are all performed on the specific domain requested. The only reason you would not be able to receive a certificate for a subdomain is if a higher level domain has a CAA record prohibiting Let’s Encrypt from issuing certificates for that domain.
I think @jsha also said that, somewhat counterintuitively in terms of what we might expect from DNS hierarchy, you are allowed to override that CAA record with a more-specific CAA record permitting the issuance.
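The CAA behaviour described in the two replies above can be checked against the lookup rule a CA has to follow (RFC 8659: climb from the requested name toward the root and use the first CAA RRset found). The script below is an added example, not from this thread and not Let’s Encrypt’s own code; it replaces real DNS queries with a constructed in-memory zone (`CONSTRUCTED_ZONE`) so that it runs offline, and the record values in it are made up for illustration.

```python
# Added example (not from the thread or from Let's Encrypt's own code): a
# simulation of the RFC 8659 CAA lookup that a CA performs before issuing.
# DNS is replaced by a constructed in-memory zone so the script runs offline.

CONSTRUCTED_ZONE = {
    # Apex record set by the team that owns example.com: ";" means no CA may issue.
    "example.com.": [(0, "issue", ";")],
    # More-specific record on the sub-domain: permits Let's Encrypt for this name
    # and for everything below it that has no CAA RRset of its own.
    "test.example.com.": [(0, "issue", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _canonical(name):
    """Lower-case the name and give it a trailing dot so it matches the zone keys."""
    return name.lower().rstrip(".") + "."


def relevant_caa_set(fqdn, zone):
    """Walk from fqdn toward the root and return (owner, records) of the first
    name that has a CAA RRset, or (None, []) if no ancestor-or-self has one."""
    labels = _canonical(fqdn).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        records = zone.get(owner)
        if records:
            return owner, list(records)
    return None, []


def may_issue(fqdn, ca_domain, zone):
    """Decide whether ca_domain is permitted to issue for fqdn under the zone's CAA data."""
    wildcard = fqdn.startswith("*.")
    if wildcard:
        fqdn = fqdn[2:]  # the lookup for *.foo starts at foo (RFC 8659 section 3)
    _owner, records = relevant_caa_set(fqdn, zone)
    if not records:
        return True  # no CAA RRset anywhere on the path: issuance is unrestricted

    # A record with the critical flag (bit 128) set and a tag the CA does not
    # understand forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _value in records):
        return False

    applicable = [r for r in records if r[1] == ("issuewild" if wildcard else "issue")]
    if wildcard and not applicable:
        applicable = [r for r in records if r[1] == "issue"]  # issue applies when issuewild is absent
    if not applicable:
        return True  # RRset present but no issue/issuewild property: not restricted

    for _flags, _tag, value in applicable:
        issuer = value.split(";", 1)[0].strip().lower()  # parameters after ';' are ignored here
        if issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for name in ("test.example.com", "deep.test.example.com", "www.example.com", "*.test.example.com"):
        base = name[2:] if name.startswith("*.") else name
        owner, _ = relevant_caa_set(base, CONSTRUCTED_ZONE)
        verdict = may_issue(name, "letsencrypt.org", CONSTRUCTED_ZONE)
        print(f"{name:24s} CAA taken from {str(owner):20s} letsencrypt.org may issue: {verdict}")
```

Running it shows the point made above: `www.example.com` inherits the apex `issue ";"` record and is refused, while `test.example.com` (and anything beneath it) stops at the more-specific RRset and is permitted. The wildcard case falls back to the `issue` property only when no `issuewild` record exists at the relevant name, so a sub-domain owner can permit ordinary certificates while still blocking wildcards.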
That’s actually very useful to know, especially the part about the sub-domain CAA overriding the top-level CAA. This could come in useful! Thanks for the link to the documentation.