no you don't, you can just run https://github.com/joohoi/acme-dns anywhere, and then CNAME _acme_challenge.realdomain.com to aklsfdsdl239072109387219038712.acme-dns.anywhere.com. then your ACME client just talks to the ACME DNS api, which let's it do nothing at all aside from deal with challenges for that one long random domain.

▲

Arnavion 2 days ago | parent | next [-]

You can do it with an NS record, ie _acme_challenge.realdomain.com pointing to the DNS server that you can program to serve the challenge response. No need to make a CNAME and involve an additional domain in the middle.

▲

aflukasz 2 days ago | parent [-]

Yeah, but then you can just as well use http-01 with like same effort.

▲

gruez 2 days ago | parent [-]

no, because dns supports wildcard certificates, unlike http.

	▲	cpach 2 days ago \| parent \| next [-]
		dns-01 is also good for services on a private network.
	▲	aflukasz 2 days ago \| parent \| prev [-]
		Ah, good point.

▲

8organicbits 2 days ago | parent | prev | next [-]

There's a SaaS version as well, if you don't want to self-host.

https://docs.certifytheweb.com/docs/dns/providers/certifydns...

▲

rglullis 2 days ago | parent | prev [-]

I've been hoping to get ACME challenge delegation on traefik working for years already. The documentation says it supports it, but it simply fails every time.

If you have any idea how this tool would work on a docker swarm cluster, I'm all ears.