Support for mismatched domains for DNS-01 Providers (For CNAME setups)
sierja opened this issue · 1 comment
Some domain operators may use a CNAME for their _acme-challenge
record to point elsewhere, something which is supported by Let's Encrypt.
Consider this DNS record:

```
_acme-challenge.example.com. IN CNAME acme-validation.example.net.
```
When requesting a certificate for example.com using a DNS-01 challenge, certbot needs to actually update the `acme-validation.example.net` TXT record, not the `_acme-challenge.example.com` TXT record. It would be useful to have parameters to inform certbot to use the latter when updating the TXT record for a given DNS provider.
Take this example command as a suggestion on how such a parameter could work:

```
certbot certonly --duplicate --agree-tos --email example@example.com --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 130 -d example.com --dns-cloudflare-challenge-alias example.com:acme-validation.example.net
```
`--dns-cloudflare-challenge-alias` could reference a `-d` domain and then the subsequent record that should actually be updated using the respective certbot DNS plugin (in this example, it's Cloudflare). Such a parameter could be specified repeatedly in the event multiple `-d` domains are specified/required.
Here is acme.sh's docs on its own implementation.
Such functionality would be useful when a domain operator delegates the handling of the DNS-01 challenge to a certbot-supported DNS provider because their main DNS zone provider is not supported.
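As an added illustration of the record-placement logic the issue is asking for (example code written for this page, not certbot's or acme.sh's implementation), the block below computes the FQDN at which a DNS-01 TXT record must be written: it applies an explicit `domain:target` alias mapping of the kind proposed above when one is given, and otherwise follows the `_acme-challenge` CNAME chain the way a validating CA would. The option name `--challenge-alias`, the `parse_challenge_aliases` / `txt_record_name` helpers and the zone data in `SAMPLE_CNAMES` are all assumptions constructed for the example; it runs offline against that dictionary instead of live DNS. It also covers two cases the issue does not spell out: a wildcard name (`*.example.com`), whose challenge record lives at `_acme-challenge.example.com`, and a CNAME loop or over-long chain, which is rejected rather than followed forever.

```python
"""Where does a DNS-01 TXT record go when _acme-challenge is a CNAME?

Added example, not certbot code. The `--challenge-alias` syntax, the helper
names and SAMPLE_CNAMES are assumptions made for this illustration.
"""
from __future__ import annotations

CHALLENGE_LABEL = "_acme-challenge"
MAX_CNAME_HOPS = 8  # refuse to chase pathological chains

# Constructed zone data standing in for live DNS answers (owner -> CNAME target).
SAMPLE_CNAMES = {
    "_acme-challenge.example.com.": "acme-validation.example.net.",
    # two-hop chain: www -> apex challenge name -> delegated zone
    "_acme-challenge.www.example.com.": "_acme-challenge.example.com.",
    # a misconfiguration: the record points at itself
    "_acme-challenge.loop.example.com.": "_acme-challenge.loop.example.com.",
}


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name for dictionary lookups."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_challenge_aliases(args: list[str]) -> dict[str, str]:
    """Parse repeated `--challenge-alias domain:target` values (assumed syntax)."""
    aliases: dict[str, str] = {}
    for arg in args:
        domain, sep, target = arg.partition(":")
        if not sep or not domain or not target:
            raise ValueError(f"expected domain:target, got {arg!r}")
        aliases[fqdn(domain)] = fqdn(target)
    return aliases


def follow_cnames(name: str, cnames: dict[str, str], max_hops: int = MAX_CNAME_HOPS) -> str:
    """Follow CNAMEs from `name` until a non-CNAME owner is reached.

    Raises ValueError on a loop or when more than `max_hops` hops are needed.
    """
    seen: list[str] = []
    current = fqdn(name)
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current} via {' -> '.join(seen)}")
        seen.append(current)
        target = cnames.get(current)
        if target is None:
            return current  # end of chain: this is where the TXT record must live
        current = fqdn(target)
    raise ValueError(f"more than {max_hops} CNAME hops starting at {fqdn(name)}")


def challenge_name(domain: str) -> str:
    """The name a CA queries for a DNS-01 challenge on `domain`.

    For a wildcard identifier the leading '*.' is dropped, so *.example.com
    is validated at _acme-challenge.example.com.
    """
    domain = fqdn(domain)
    if domain.startswith("*."):
        domain = domain[2:]
    return f"{CHALLENGE_LABEL}.{domain}"


def txt_record_name(domain: str, aliases: dict[str, str] | None = None,
                    cnames: dict[str, str] | None = None) -> str:
    """Return the FQDN at which the TXT record for `domain` must be created.

    An explicit alias for the domain wins; otherwise the CNAME chain from
    _acme-challenge.<domain> is followed. With neither, the record is written
    at the challenge name itself.
    """
    key = fqdn(domain[2:] if domain.startswith("*.") else domain)
    if aliases and key in aliases:
        return aliases[key]
    name = challenge_name(domain)
    if cnames is not None:
        return follow_cnames(name, cnames)
    return name


def alias_matches_dns(domain: str, aliases: dict[str, str], cnames: dict[str, str]) -> bool:
    """Sanity check before writing: does DNS actually lead to the aliased target?

    If this is False the TXT record would be written somewhere the CA never
    looks, and validation would fail after the propagation wait.
    """
    expected = txt_record_name(domain, aliases=aliases)
    try:
        return follow_cnames(challenge_name(domain), cnames) == expected
    except ValueError:
        return False
```

Run `txt_record_name("example.com", cnames=SAMPLE_CNAMES)` to see the delegated target come back, and `alias_matches_dns` before calling a provider plugin so that an alias that disagrees with the live CNAME is caught before the propagation wait rather than after a failed authorization.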