
Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.

Support for mismatched domains for DNS-01 Providers (For CNAME setups) #9902

Closed sierja closed 4 months ago

sierja commented 4 months ago

Some domain operators may use a CNAME for their _acme-challenge record to point elsewhere, something which is supported by Let's Encrypt.

Consider this DNS record:

_acme-challenge.example.com. IN CNAME acme-validation.example.net.

When requesting a certificate for example.com using a DNS-01 challenge, certbot needs to actually update the acme-validation.example.net TXT record, not the _acme-challenge.example.com. TXT record. It would be useful to have parameters to inform certbot to use the latter when updating the TXT record for a given DNS provider.

Take this example command as a suggestion on how such a parameter could work:

certbot certonly --duplicate --agree-tos --email example@example.com --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini --dns-cloudflare-propagation-seconds 130 -d example.com --dns-cloudflare-challenge-alias example.com:acme-validation.example.net

--dns-cloudflare-challenge-alias could reference a -d domain and then the subsequent record that should actually be updated using the respective certbot DNS plugin (in this example, it's Cloudflare). Such a parameter could be specified repeatedly in the event multiple -d domains are specified/required.

Here are acme.sh's docs on its own implementation.

Such functionality would be useful when domain operators delegate the handling of the DNS-01 challenge to a certbot-supported DNS provider if their main DNS zone provider is not supported.
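The CNAME-following behaviour the issue asks for, as an added example that is not part of certbot or this issue: a small resolver that walks the CNAME chain from _acme-challenge.<domain> to the name a DNS plugin would actually have to write, with loop and chain-length checks. The zone table is constructed in memory so it runs offline; the challenge-alias flag name is the hypothetical one from the post.

```python
# Added example (not certbot code): find the FQDN where a DNS-01 validation TXT
# record must be written, following CNAMEs the way an ACME CA's resolver does.

ACME_CHALLENGE_PREFIX = "_acme-challenge."

def normalize(name: str) -> str:
    """Lower-case a DNS name and give it a trailing dot (canonical FQDN form)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def resolve_challenge_target(domain: str, lookup_cname, max_hops: int = 8) -> str:
    """Return the FQDN that must hold the TXT record for `domain`.

    `lookup_cname(name)` returns the CNAME target of `name`, or None when the
    name has no CNAME. A wildcard name validates via its base domain. Loops and
    over-long chains raise ValueError rather than spinning forever.
    """
    if domain.startswith("*."):
        domain = domain[2:]
    name = normalize(ACME_CHALLENGE_PREFIX + domain)
    seen = []
    while True:
        if name in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [name]))
        if len(seen) >= max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops from {seen[0]}")
        seen.append(name)
        target = lookup_cname(name)
        if target is None:
            return name          # no CNAME here: this is where the TXT goes
        name = normalize(target)

# Constructed zone data: the issue's example, a two-hop delegation, and a loop.
CONSTRUCTED_CNAMES = {
    "_acme-challenge.example.com.": "acme-validation.example.net.",
    "_acme-challenge.delegated.example.org.": "step1.validation.example.",
    "step1.validation.example.": "step2.validation.example.",
    "_acme-challenge.loop.example.": "loopback.example.",
    "loopback.example.": "_acme-challenge.loop.example.",
}

def constructed_lookup(name: str):
    return CONSTRUCTED_CNAMES.get(name)

def challenge_alias_plan(domains, lookup_cname=constructed_lookup) -> dict:
    """Map each -d domain to the record a DNS plugin must update, i.e. the value a
    hypothetical --dns-<plugin>-challenge-alias domain:target flag would carry."""
    return {d: resolve_challenge_target(d, lookup_cname) for d in domains}

if __name__ == "__main__":
    for d, t in challenge_alias_plan(["example.com", "*.example.com", "plain.example.com"]).items():
        print(f"{d}:{t}")
```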

sierja commented 4 months ago

This is a duplicate of https://github.com/certbot/certbot/issues/6566, apologies.