On 11:45 Fri 02 Mar, Etienne wrote:
> Well, really, what you're asking for is having acme-client offload the
> complicated stuff (set the TXT records, then check for verification) to a
> script, which to me looks pretty much the same as writing a script to do
> everything.

I'm not. Writing TXT entries can be done the same way acme-client(1)
handles TLS challenges now.

> I believe you'll see limited advantage in having acme-client do
> any work here, compared to having your script issue the CSR, send it to
> Letsencrypt, receive the TXT records, and do the rest of the complicated
> stuff mentioned above.

I'm not suggesting that we should put ALL this in a script. Ideally your
script should be like this:

        doas _acmedns nsd-control reload <zone>

That's all. A DNS challenge is only different from a TLS challenge in one
simple bit -- you need to reload your DNS server configuration before
answering the ACME server.

> I think acme-client's value is where the certificate for a server, the
> server, and the verification challenge/process all take place on the same
> machine. But the DNS service is likely to be handled by another (or rather,
> many other) machine(s).

You can generate your certs in one place and then distribute them to
your frontends.
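
What such a hook could look like in practice, as an added example that is not from the thread and not part of acme-client (which has no dns-01 hook): it assumes acme-client would invoke it with the domain and the key-authorization digest, a plain nsd zone file under /var/nsd/zones whose SOA serial line carries a `; serial` comment, and nsd answering on 127.0.0.1.

```shell
#!/bin/sh
# Hypothetical dns-01 hook: publish the challenge TXT record, reload nsd,
# and only return once the authoritative server actually serves it.
# Interface (assumed): hook.sh <domain> <key-authorization-digest>
set -eu

ZONEDIR=${ZONEDIR:-/var/nsd/zones}   # assumed nsd zone directory

# Render the record the ACME server will look up.
render_txt_record() {
    printf '_acme-challenge.%s. 120 IN TXT "%s"\n' "$1" "$2"
}

# Bump the SOA serial on the line marked "; serial" (stdin -> stdout);
# nsd ignores a reload whose serial did not change.
bump_serial() {
    awk '/; *serial/ { sub(/[0-9]+/, $1 + 1) } { print }'
}

# Rewrite the zone atomically and reload it, as the thread suggests.
publish_challenge() {
    domain=$1; digest=$2
    zone="$ZONEDIR/$domain.zone"
    tmp=$(mktemp "$zone.XXXXXX")
    bump_serial < "$zone" > "$tmp"
    render_txt_record "$domain" "$digest" >> "$tmp"
    mv "$tmp" "$zone"
    doas _acmedns nsd-control reload "$domain"
}

# The "reload before answering" step: do not let acme-client tell the ACME
# server to validate until the record is visible from the nameserver.
wait_for_txt() {
    domain=$1; digest=$2; tries=0
    while [ "$tries" -lt 10 ]; do
        if dig +short TXT "_acme-challenge.$domain" @127.0.0.1 \
                | grep -qF "\"$digest\""; then
            return 0
        fi
        tries=$((tries + 1)); sleep 2
    done
    echo "TXT record for $domain not visible after reload" >&2
    return 1
}

if [ "$#" -eq 2 ]; then
    publish_challenge "$1" "$2"
    wait_for_txt "$1" "$2"
fi
```

Run it with `doas` rules that let the `_acmedns` user execute only `nsd-control reload`, so the hook never needs root.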

