Yes. You can have a CNAME _acme-challenge.example.com point to _acme-challenge.example.ORG or a sub-domain like _acme-challenge.DNSAUTH.example.com.
At work we use the sub-domain method and just have a small non-HA VM with some scripts that allow ACME clients to update particular TXT records. Each ACME client is given an individual key and allowed to only update a particular record.
Folks have specifically written DNS servers to do just this:
* https://github.com/joohoi/acme-dns
However, we used BIND with some custom scripting.
Also known as "DNS challenge delegation".
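The delegation scheme described in the comments above (a CNAME from `_acme-challenge.<host>` into a separate DNSAUTH sub-domain, plus one key per ACME client that may only write its own TXT record) is sketched below as an added example; it is not code from any of the posters or from acme-dns. The zone name `dnsauth.example.com`, the host list, the key-naming convention and the BIND `update-policy` layout are all assumptions made for the example.

```python
import base64
import secrets

# Constructed example inputs (assumed): the delegation zone and the hosts
# whose ACME clients will be granted a key.
DNSAUTH_ZONE = "dnsauth.example.com"
CLIENTS = ["www.example.com", "mail.example.com"]


def challenge_name(host: str) -> str:
    """The single TXT record name inside the delegation zone that `host` owns."""
    return f"_acme-challenge.{host.rstrip('.')}.{DNSAUTH_ZONE}."


def key_name(host: str) -> str:
    """TSIG key name for the ACME client of `host` (one key per client)."""
    return "acme-" + host.rstrip(".").replace(".", "-")


def tsig_secret() -> str:
    """Fresh 256-bit TSIG secret, base64 as BIND expects in a key statement."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def cname_records(hosts) -> list:
    """Records for each host's own zone: point _acme-challenge at the delegation zone."""
    return [f"_acme-challenge.{h.rstrip('.')}. IN CNAME {challenge_name(h)}" for h in hosts]


def bind_config(hosts, secret_for=tsig_secret) -> str:
    """named.conf fragment: one key per client, and an update-policy that grants
    each key exactly one name and one type (its own _acme-challenge TXT)."""
    lines = []
    for h in hosts:
        lines += [f'key "{key_name(h)}" {{', "  algorithm hmac-sha256;",
                  f'  secret "{secret_for()}";', "};"]
    lines += [f'zone "{DNSAUTH_ZONE}" {{', "  type primary;",
              f'  file "{DNSAUTH_ZONE}.zone";', "  update-policy {"]
    for h in hosts:
        lines.append(f"    grant {key_name(h)} name {challenge_name(h)} TXT;")
    lines += ["  };", "};"]
    return "\n".join(lines)


def update_allowed(key: str, name: str, rrtype: str, hosts) -> bool:
    """Model of that policy: a key may touch only its own record, and only TXT."""
    return any(key == key_name(h) and name.lower() == challenge_name(h).lower()
               and rrtype.upper() == "TXT" for h in hosts)
```

`update_allowed` mirrors what BIND enforces, so you can unit-test the intended least-privilege mapping before handing keys to clients.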
I have this implemented (with help) for the libdns plugin for DuckDNS, which can be used with Caddy.
So basically, you can use a free https://www.duckdns.org/ domain to solve DNS challenges for your domain, which may be managed by any other DNS provider.
https://github.com/caddy-dns/duckdns#challenge-delegation
I do this with the domain I have registered with Google Domains, because they have no API at all right now.
I don't disagree, but in the meantime, a handy CLI utility that can handle a bunch of APIs:
* https://github.com/AnalogJ/lexicon
This way you only have to write one set of boilerplate in case you use multiple providers (or want to change providers).