| ▲ | wrxd 3 hours ago | |
I use the acme dns-1 challenge on my public domain. That gives you certificates you can use as you see fit, without needing to expose anything else to the public internet. I also use Tailscale so I configure my DNS to use my Tailscale IP addresses. If you don’t want to expose them on a public DNS server you can add them only to an internal DNS server. | ||
| ▲ | throw0101d 3 hours ago | parent | next [-] | |
> I use the acme dns-1 challenge on my public domain. See also perhaps DNS aliasing in case you are not able to dynamically update your 'primary' domain, but can update a secondary or sub-domain: * https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo... So if "example.com" is control by Corporate IT, and they don't want 'random' folks fiddling with it, then you can create a "dnsauth.example.com" and point the dns-1 challenge record from "…foo.example.com" to "foo.dnsauth.example.com" (or a completely different domain, like "…example.net"). There are DNS servers written strictly focused on this use case: * https://github.com/acme-dns/acme-dns Also code that handles a bunch of DNS provider APIs so you don't have to roll your own for ACME client hooks: | ||
| ▲ | adontz 3 hours ago | parent | prev [-] | |
Moreover you can delegate domain to improve security. https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se... | ||