Because while Nginx always has access to .well-known, thing that validates on issuer side might not. I use DNS challenge to issue certificates for domains that resolve to IPs in my overlay network.

The issue is that supporting dns-01 is just supporting dns-01 it's providing a common interface to interact with different providers that implement dns-01.

▲

petee 2 days ago | parent [-]

dns-01 is just a challenge; which api or dns update system should nginx support then? Some API, AFXR, or UPDATE?

I think this is kinda the OPs point, nginx an http server, why should it be messing with dns? There are plenty of other acme clients to do this with ease

▲

2 days ago | parent | next [-]

[deleted]

▲

0x457 a day ago | parent | prev [-]

I mean, you just repeated my explanation why supporting dns-01 in nginx isn't straightforward has http-01. I've explained why dns-01 challenge is still useful and might be required for some users.

▲

petee a day ago | parent [-]

I misread your first paragraph, and was more responding to the second that I took as supporting the adding the dns implementation in reply to the OP.

It may still be required by some users, but I don't think that it makes sense for nginx

	▲	0x457 13 hours ago \| parent [-]
		> I took as supporting the adding the dns implementation Well, I am supporting it, but I pointed why it's not as straightforward as supporting http-01. > I don't think that it makes sense for nginx It makes sense for nginx because ultimately I don't make certificates just for the fun of it, I do it to give it to some HTTP server. So it makes sense. However, this isn't a future that will be not used by paid users, and F5 seems to be opposing making OSS version users lives better.