itintheory 3 hours ago

I'm really excited for this. We moved 120+ hand-renewed certs to ACME, but still manually validate the domains annually. Many of them are on private/internal load balancers (no HTTP-01 challenge possible), and our DNS host doesn't support automation (no DNS-01 challenges either). While manually renewing the DCV for ~30 domains once a year isn't too bad, when the lifetime of that validity shrinks, ultimately to 9 days, it'd become a full-time job. I just hope Sectigo implements this as quickly as LE.

9dev 2 hours ago | parent [-]

For the love of god, switch to a DNS provider with an API. Whatever legacy behemoth you’re working with doesn’t justify a gap this wide.

amluto 36 minutes ago | parent [-]

Name one that doesn’t have an AWS-style per-query cost.

(There might well be a nice one, but I haven’t found it yet.)

toast0 a few seconds ago | parent | next [-]

If it's for a business, I would contact them to see if they have a commercial offering, but I think the Hurricane Electric Free DNS might actually fit.

https://dns.he.net/

radiator 4 minutes ago | parent | prev | next [-]

Hetzner DNS

nfredericks 18 minutes ago | parent | prev [-]

Might be obvious, but Cloudflare

amluto 10 minutes ago | parent [-]

No. Cloudflare will give a key scoped to an entire administrative domain in the Cloudflare sense like “a.com”. They will not give you a key scoped to a single entry within that domain. (That entry would be a domain in the RFC 9499 sense, but do you really expect anyone to agree on the terminology?)

In particular, there is no support for getting a key scoped to _acme-challenge.a.b.c or, even better, to a particular RR.

Maybe if you have an enterprise plan you can very awkwardly fudge it using lots of CNAMEs and subdomains.

Some DNS hosts that support old-school dynamic DNS can do this. dns.he.net is an example, but they have a login system that is very much stuck in the nineties.
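The thread keeps circling two mechanics without spelling them out: what a DNS-01 challenge actually requires you to publish, and how the "lots of CNAMEs" fudge lets you keep a narrowly scoped credential out of the production zone. The following is an added worked example, not code from any commenter or from Let's Encrypt, Sectigo, Cloudflare or dns.he.net. It computes the `_acme-challenge` TXT value from a challenge token and the ACME account key per RFC 8555 section 8.4 (with the RFC 7638 JWK thumbprint), then follows a CNAME delegation from the production name into a separate throwaway zone where a write-only credential can live. The JWK coordinates, the token, and the zone names (`example.com`, `acme.example.net`) are constructed illustrative values, not a real key or live challenge.

```python
import base64
import hashlib
import json

# Constructed example inputs (illustrative values, not a real account key or live challenge).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed zone snapshot: the production zone carries only a CNAME per challenge
# label, pointing into a separate throwaway zone (acme.example.net, hypothetical)
# where a credential scoped to that zone alone is allowed to write TXT records.
ZONE = {
    "_acme-challenge.app.example.com.": ("CNAME", "app-example-com.acme.example.net."),
    "_acme-challenge.api.example.com.": ("CNAME", "api-example-com.acme.example.net."),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT value is base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """The validation name the CA queries, as an absolute DNS name."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def resolve_challenge_target(domain: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<domain> to the name where the TXT must be written.

    The CA's resolver follows the same chain, so the TXT record only needs to exist at
    the end of it. A loop or over-long chain is reported as a configuration error.
    """
    name = challenge_name(domain)
    for _ in range(max_hops):
        rr = zone.get(name)
        if rr is None or rr[0] != "CNAME":
            return name
        name = rr[1]
    raise RuntimeError(f"CNAME chain from {challenge_name(domain)} exceeds {max_hops} hops")


def dns01_record(domain: str, token: str, account_jwk: dict, zone: dict) -> tuple:
    """Return (owner name, 'TXT', value): the single record the scoped credential must write."""
    return (resolve_challenge_target(domain, zone), "TXT", dns01_txt_value(token, account_jwk))


if __name__ == "__main__":
    for d in ("app.example.com", "other.example.com"):
        print(dns01_record(d, TOKEN, ACCOUNT_JWK, ZONE))
```

The point of the delegation is the blast radius: the credential that automates renewal only ever touches `acme.example.net`, so a leaked key cannot rewrite `example.com` itself, which is the scoping Cloudflare's zone-wide tokens do not offer. The CNAME in the production zone is set once by hand and never changes, since every renewal only rewrites the TXT at the target name.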