I’m in a situation where certificates are being used on a machine that is not publicly available. Everything on this machine, including the Apache config and SSL cert, is deployed via RPM packages which are built on a different machine.
This presents a problem because in order to use letsencrypt and the webroot authenticator, I have to temporarily change the DNS entry to a publicly available machine and run letsencrypt there, then change it back, then copy the cert into the right place for deployment.
The fact that the IP address used for webroot authentication is not the one that is ultimately used during deployment makes it difficult to automate renewal, and in any case breaks DNS during that window.
It would be nice if you could tell the webroot authenticator “use this other DNS name for verification”. For example, to authenticate “www.example.com” letsencrypt would instead perform the webroot check on “_letsencrypt_verification.www.example.com”. I’m sure the security team will barf all over that idea though.
What do you recommend in my situation?