Hi folks,
I have a couple of certs, and they tend to get more. I don't know where the limit is, but it doesn't look nice that way. I would prefer to have a single cert that covers all the (virtual) hosts under a certain domain (like *.example.org).
I learned that this is possible, but makes it necessary to use a DNS-XX challenge.
Currently I am using certbot with "webroot" enabled, and this seems to be a global option - all-or-nothing, one cannot manage some certs via "webroot" and others via DNS.
This appears to be a problem, because I have some certs where I can access the DNS and others where I cannot.
Then, looking for the way to do the DNS challenge, I find a couple of certbot plugins, but they seem to cover commercial DNS providers (or whatever that is, I don't understand most of it).
An exception is the "dns-rfc2136" plugin. This should do dynamic updates as documented here. Dynamic updates are problematic; they normally do not increment the serial, and they will have race conditions with the regular updates of the zonefiles, specifically in hierarchical master/slave configurations (e.g. "hidden primary"). Correctly handling a zone with mixed static/dynamic content appears to be a PITA.
What I specifically did not find is some means to interact with the given backend of the DNS system, whatever that might be: a DLZ database, a DNSSEC signing system, or simply some zonefiles to be edited with unix tools (sed&awk).
So I currently assume this has to be done with a self-written hook, and "manual" mode. The important question hereby is: How much time do I have?
In my case, I have a DNSSEC signer that lives in a vault, right beside certbot (which also lives in the vault). An interaction would be very easy to implement: write an include for the zonefile, kick rebuild, and - wait.
This will then take a while. The signer has to do its job, then it must send out the fresh zonefile to the backend primary, then it will get distributed to the slaves. Then comes the matter of DNS caching, which is quite interesting and complicated.
So, on the safe side, one might want to wait an hour or more before proceeding - which is just fine because we usually have a full month before expiry, and it runs automated anyway. But how long is it allowed to take?
I didn't find information about allowable delays. Instead, I found a fancy discussion about the definition of the word "propagation". (This is something new; I normally know this kind of discussion only about the definition of the word "bug".) Obviously, such doesn't help me here.
Any ideas? Any cool comments? Anybody running something similar? Or, anybody knowing the actual allowable delay?
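As an added example (not part of the post above, and not certbot's or anyone's published hook), here is the shape such a self-written `--manual-auth-hook` could take: it appends the `_acme-challenge` TXT record to a zone include file, kicks the signer rebuild, and then, instead of sleeping a fixed hour, polls each authoritative nameserver directly (`dig +norecurse @server`, which bypasses resolver caches) until every one of them serves the record, giving up after a configurable budget. The include path, the rebuild command and the nameserver list are hypothetical placeholders; `CERTBOT_DOMAIN`, `CERTBOT_VALIDATION` and `CERTBOT_REMAINING_CHALLENGES` are the environment variables certbot really sets for manual hooks.

```bash
#!/usr/bin/env bash
# Added example: certbot --manual-auth-hook for a DNS-01 challenge against a
# locally rebuilt, signed zone. Not code from the original post.
# Assumed/hypothetical: ZONE_INCLUDE path, REBUILD_CMD, AUTH_NS server names.
set -eu

ZONE_INCLUDE="${ZONE_INCLUDE:-/var/named/includes/acme-challenge.inc}"  # hypothetical include file
REBUILD_CMD="${REBUILD_CMD:-/usr/local/sbin/rebuild-zone}"               # hypothetical "kick the signer"
AUTH_NS="${AUTH_NS:-ns1.example.org ns2.example.org}"                    # assumed authoritative servers
MAX_WAIT="${MAX_WAIT:-3600}"     # seconds to wait for all servers; the post's "an hour or more"
POLL_EVERY="${POLL_EVERY:-30}"   # seconds between polls

# Zonefile line for the validation record. A low TTL keeps the resolver-cache
# tail short once the record is removed again by the cleanup hook.
txt_record_line() {
    local domain="$1" validation="$2"
    printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$domain" "$validation"
}

# Ask one authoritative server directly for the TXT RRset (no recursion, so no
# cached answer can hide a not-yet-distributed zone). Empty output on failure.
query_txt() {
    local server="$1" domain="$2"
    dig +short +norecurse "@$server" "_acme-challenge.$domain" TXT 2>/dev/null || true
}

# 0 when the expected validation string is one of the answer lines. dig prints
# each TXT string quoted, one record per line; several records are normal,
# since example.org and *.example.org share the same _acme-challenge name.
answer_has_value() {
    local answer="$1" validation="$2"
    printf '%s\n' "$answer" | grep -Fqx "\"$validation\""
}

# Poll until every authoritative server serves the record; 1 on timeout.
wait_for_all_ns() {
    local domain="$1" validation="$2"
    local deadline=$(( $(date +%s) + MAX_WAIT ))
    while :; do
        local missing=0 ns
        for ns in $AUTH_NS; do
            answer_has_value "$(query_txt "$ns" "$domain")" "$validation" || missing=$((missing + 1))
        done
        [ "$missing" -eq 0 ] && return 0
        [ "$(date +%s)" -ge "$deadline" ] && return 1
        sleep "$POLL_EVERY"
    done
}

# Act as a hook only when certbot invoked us; otherwise just define functions.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    txt_record_line "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" >> "$ZONE_INCLUDE"
    "$REBUILD_CMD"
    # certbot calls the hook once per name; earlier records went out with earlier
    # rebuilds, so blocking until the last one is visible covers all of them.
    if [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ]; then
        wait_for_all_ns "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" || {
            echo "TXT record not visible on all authoritative servers within ${MAX_WAIT}s" >&2
            exit 1
        }
    fi
fi
```

Checking the authoritative servers rather than a public resolver is what makes the wait measurable: once all of them answer, the remaining uncertainty is only whether the CA's resolver has a stale negative answer cached from an earlier query, which the low TTL and querying the name for the first time only after publication both keep small. A matching `--manual-cleanup-hook` would delete the line from the include and rebuild again.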