Wanting to implement HSTS across all subdomains thanks to letsencrypt.
subdomain email.mydomain.com then needs to be included as a SAN, or have its own certificate
However this email.mydomain.com has CNAME mysmtpprovider.net, it is used for emails.
Obviously I can’t verify this using certbot because its not my server. But the provider needs me to provide the certificate to them for this domain.
How can I verify this domain automatically and easily and free?
Current ideas:
Reverse proxy from our server to mysmtpprovider (would lose visibility of client IDs which is annoying)
Manually change the CNAME every 90 days (ugh, since I’ve set up cron for all other certificates)
If you don’t have control over the host behind that domain name, you can use a DNS-based challenge like DNS-01. To put it simply, all you need to do is create a TXT record with a verification token. You’ll have to change that token with each renewal (i.e. at least every 90 days), so a way to automatically create that DNS record would be useful.
You won’t be able to do this with certbot, but a number of other clients support DNS-01. Take a look at the bash clients or lego. Some of these clients (like lego) also include support for various DNS provider APIs, which would be useful for automation.