On 11:45 Fri 02 Mar, Etienne wrote:
> Well, really, what you're asking for is having acme-client offload the
> complicated stuff (set the TXT records, then check for verification) to a
> script, which to me looks pretty much the same as writing a script to do
> everything.

I'm not. Writing TXT entries can be done the same way acme-client(1) handles
TLS challenges now.

> I believe you'll see limited advantage in having acme-client do
> any work here, compared to having your script issue the CSR, send it to
> Letsencrypt, receive the TXT records, and do the rest of the complicated
> stuff mentioned above.

I'm not suggesting that we should put ALL this in a script. Ideally your
script should be like this:

#!/bin/sh
doas -u _acmedns nsd-control reload <zone>

That's all. A DNS challenge is only different from a TLS challenge in one
simple bit -- you need to reload your DNS server configuration before
answering the ACME server.

> I think acme-client's value is where the certificate for a server, the
> server, and the verification challenge/process all take place on the same
> machine. But the DNS service is likely to be handled by another (or rather,
> many other) machine(s).

You can generate your certs in one place and then distribute them to your
frontends.
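The following is an added example of the DNS-01 hook the message describes; it is not code from acme-client(1) nor from either poster. It shows the part acme-client would have to do (publish the TXT record) and the one extra step the reply singles out (reloading the DNS server). Everything it assumes is hypothetical: a one-record-per-line zone file with absolute names and the SOA on a single line, a dedicated `_acmedns` user allowed to run `nsd-control reload` via doas, and an `ACME_DNS_RELOAD` override so the reload command can be swapped out when no nsd is present.

```shell
#!/bin/sh
# Added example, not acme-client's or the posters' code.
# Publish an ACME DNS-01 challenge token in an nsd zone file and reload the zone.
# Assumptions (hypothetical): zone file is one record per line, names are
# fully qualified, the SOA record sits on one line, and the zone is reloaded
# with "doas -u _acmedns nsd-control reload <zone>".
set -eu

# make_sample_zone ZONEFILE: write a small constructed zone used for demonstration.
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
example.org. IN SOA ns1.example.org. hostmaster.example.org. 2024030101 3600 900 1209600 3600
example.org. IN NS ns1.example.org.
ns1.example.org. IN A 192.0.2.53
www.example.org. IN A 192.0.2.80
EOF
}

# add_txt_record ZONEFILE DOMAIN TOKEN
# Drops any stale _acme-challenge.DOMAIN TXT record, appends the new token,
# and increments the SOA serial so secondaries notice the change.
add_txt_record() {
    zonefile=$1
    name="_acme-challenge.$2."
    token=$3
    tmp="$zonefile.tmp.$$"
    awk -v name="$name" -v token="$token" '
        # stale challenge for this name (layout: NAME IN TXT "...") is removed
        $1 == name && $3 == "TXT" { next }
        # serial is the 6th field of a single-line SOA record
        $3 == "SOA" { $6 = $6 + 1 }
        { print }
        END { printf "%s IN TXT \"%s\"\n", name, token }
    ' "$zonefile" > "$tmp"
    mv "$tmp" "$zonefile"
}

# txt_value ZONEFILE DOMAIN: print the token currently published for DOMAIN.
txt_value() {
    awk -v name="_acme-challenge.$2." \
        '$1 == name && $3 == "TXT" { gsub(/"/, "", $4); print $4 }' "$1"
}

# soa_serial ZONEFILE: print the current SOA serial.
soa_serial() {
    awk '$3 == "SOA" { print $6 }' "$1"
}

# reload_zone ZONE: the step that separates DNS-01 from an HTTP/TLS challenge.
# ACME_DNS_RELOAD (assumed name) overrides the reload command, e.g. for testing.
reload_zone() {
    ${ACME_DNS_RELOAD:-doas -u _acmedns nsd-control reload} "$1"
}

# Typical use from a hook, once the ACME server has handed over the token:
#   add_txt_record /var/nsd/zones/example.org.zone example.org "$TOKEN"
#   reload_zone example.org
```

The serial bump matters: without it nsd serves the new file locally but secondaries never transfer it, and the CA's resolver may query one of them. The sample zone is constructed for the example; point the functions at a real zone file to use them.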