Working Draft: https://datatracker.ietf.org/doc/html/draft-ietf-acme-dns-persist
This will allow issuing certs without open ports or

I'm currently working on it in this tree: https://github.com/kanashimia/haproxy/tree/acme-dns-persist-01

It is already basically implemented, but I still want to wait some time before merging, as there isn't any good CA available yet, really; I had to roll my own. Tested against this one too: https://github.com/rafaelgieschke/serles-acme

Let's Encrypt stated that they will implement it this year.

Some script needs to be written to print the DNS record ahead of time. I used this one to get the account URI: https://github.com/pawlakus/acmecli

Posting this to ask for feedback and opinions before contributing; it is my first contribution here.

My branch assumes that the DNS records are already created and propagated; maybe that could be improved. Maybe haproxy should check propagation for both DNS challenges in its code? I'm not sure how to do that myself.

Also, while implementing it I found that `domains "foo,*.foo"` will ask for the foo DNS record two times, while with dns-persist-01 a wildcard record on foo already authorizes both, and so currently it incorrectly prints the log message two times with two records on my branch. Any ideas about that?

CC me when replying (as per the contributing instructions).

