Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.
Support for mismatched domains for DNS-01 Providers (For CNAME setups) #9902
Some domain operators may use a CNAME for their _acme-challenge record to point elsewhere, something which is supported by Let's Encrypt.
Consider this DNS record:
_acme-challenge.example.com. IN CNAME acme-validation.example.net.
When requesting a certificate for example.com using a DNS-01 challenge, certbot needs to actually update the acme-validation.example.net TXT record, not the _acme-challenge.example.com. TXT record. It would be useful to have parameters to inform certbot to use the latter when updating the TXT record for a given DNS provider.
Take this example command as a suggestion on how such a parameter could work:
--dns-cloudflare-challenge-alias could reference a -d domain and then the subsequent record that should actually be updated using the respective certbot DNS plugin (in this example, it's Cloudflare). Such a parameter could be specified repeatedly in the event multiple -d domains are specified/required.
Such functionality would be useful when domain operators delegate the handling of the DNS-01 challenge to a certbot-supported DNS provider because their main DNS zone provider is not supported.
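As an added illustration (not certbot's code and not part of this issue), the following Python sketch shows the two pieces a DNS plugin would need for the CNAME case described above: following the CNAME chain from `_acme-challenge.<domain>` to the name whose TXT record must actually be written, and computing the RFC 8555 DNS-01 TXT value. The CNAME table, the token and the account thumbprint are constructed sample data, and all function names are hypothetical.

```python
import base64
import hashlib

# Constructed stand-in for live DNS: the operator has CNAMEd the challenge
# label for example.com into a zone hosted at a certbot-supported provider.
CNAME_RECORDS = {
    "_acme-challenge.example.com.": "acme-validation.example.net.",
}


def challenge_label(domain):
    """Fully qualified _acme-challenge name for a -d domain."""
    return "_acme-challenge." + domain.rstrip(".") + "."


def resolve_validation_name(domain, cnames=CNAME_RECORDS, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain> to the owner name whose
    TXT record the DNS plugin must create. Chains are bounded and loops
    rejected so a misconfigured zone cannot spin the client forever."""
    name = challenge_label(domain)
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        name = cnames[name]
    return name


def dns01_txt_value(token, account_thumbprint):
    """RFC 8555 section 8.4: TXT RDATA is the unpadded base64url encoding of
    SHA-256(token + "." + JWK thumbprint of the account key)."""
    key_authz = (token + "." + account_thumbprint).encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def plan_dns01_update(domain, token, thumbprint, cnames=CNAME_RECORDS):
    """Return (record_name, txt_value) for the provider plugin to publish.
    Without CNAME following, record_name would wrongly be the _acme-challenge
    label in the unsupported zone."""
    return resolve_validation_name(domain, cnames), dns01_txt_value(token, thumbprint)


if __name__ == "__main__":
    # Constructed sample token and thumbprint, not real Let's Encrypt values.
    print(plan_dns01_update("example.com", "sample-token", "sample-thumbprint"))
```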
Here is acme.sh's docs on its own implementation.