On 15:20 Thu 01 Mar, Solène Rapenne wrote:
> It is not easy to implement because this requires access to your
> DNS server (like nsd or bind) or your registrar admin API which would
> require adding plugins for each API.

Well... that's why it's called DNS challenge, right?

> It is more complicated than creating a file in a folder.

With a little luck it's not. Both NSD and BIND allow you to include files in zone configuration like this:

/path/to/your/zones/zone.foo.bar
/path/to/your/zones/zone.foo.bar.acme.inc

So the whole process possibly boils down to this:

1. Receive a challenge
2. Write TXT record to a file
3. Politely ask your DNS daemon to reload the zone
4. Reply to the ACME server
5. Grab your certificates

The only problem here is #3, but it's possible to create e.g. another pledged process that can only execute /etc/acme-client/dns-challenge.sh and you can put all your complicated stuff there.
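As an added illustration of steps 2 and 3 above (example code, not from the thread or from acme-client), this is the shape such a dns-challenge.sh helper could take: it validates the challenge value, writes the TXT record atomically into the included zone fragment, and then calls a reload hook. The zone directory, the fragment naming scheme and the nsd-control reload command are assumptions.

```shell
#!/bin/sh
# Hypothetical /etc/acme-client/dns-challenge.sh helper (added example).
# Assumed: the zone file for ZONE contains "$INCLUDE $ZONEDIR/zone.ZONE.acme.inc"
# and nsd-control is available; both are configurable below.
ZONEDIR="${ZONEDIR:-/var/nsd/zones}"
RELOAD_CMD="${RELOAD_CMD:-nsd-control reload}"

# Render the DNS-01 TXT record for $1 (FQDN being validated) with value $2.
# The value ACME expects is base64url (SHA-256 of the key authorization), so
# anything outside [A-Za-z0-9_-] is rejected instead of being written into
# the zone where it could corrupt the file or inject further records.
acme_txt_record() {
  case "$2" in
    ""|*[!A-Za-z0-9_-]*) echo "dns-challenge: invalid challenge value" >&2; return 1 ;;
  esac
  printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$1" "$2"
}

# Write the fragment for zone $2 covering FQDN $1 with value $3.
# Write to a temp file and rename so the daemon never reads a half-written file.
write_challenge_fragment() {
  frag="$ZONEDIR/zone.$2.acme.inc"
  tmp="$frag.tmp.$$"
  acme_txt_record "$1" "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$frag"
}

# Step 3 from the thread: ask the daemon to reload zone $1.
# Note: if you have secondaries, the SOA serial must also be bumped or they
# will not transfer the new record.
reload_zone() {
  $RELOAD_CMD "$1"
}

# Usage: dns-challenge.sh <fqdn> <zone> <challenge-value>
if [ $# -eq 3 ]; then
  write_challenge_fragment "$1" "$2" "$3" && reload_zone "$2"
fi
```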