I want to implement HSTS across all subdomains, thanks to Let’s Encrypt.
The subdomain email.mydomain.com then needs to be included as a SAN, or have its own certificate.
However, email.mydomain.com has a CNAME to mysmtpprovider.net; it is used for emails.
Obviously I can’t verify this using certbot because it’s not my server. But the provider needs me to provide the certificate to them for this domain.
How can I verify this domain automatically and easily and free?
Reverse proxy from our server to mysmtpprovider (would lose visibility of client IDs which is annoying)
Manually change the CNAME every 90 days (ugh, since I’ve set up cron for all other certificates)