On 01/03/18 14:39, Consus wrote:
>> It is more complicated than creating a file in a folder.
> With a little luck it's not. Both NSD and BIND allow you to include
> files in zone configuration like this:
> [...]
> The only problem here is #3, but it's possible to create e.g. another
> pledged process that can only execute /etc/acme-client/dns-challenge.sh
> and you can put all your complicated stuff there.
Well, really, what you're asking for is having acme-client offload the
complicated stuff (set the TXT records, then check for verification) to
a script, which to me looks pretty much the same as writing a script to
do everything. I believe you'll see limited advantage in having
acme-client do any work here, compared to having your script issue the
CSR, send it to Let's Encrypt, receive the TXT records, and do the rest of
the complicated stuff mentioned above.
I think acme-client's value is where the certificate for a server, the
server, and the verification challenge/process all take place on the
same machine. But the DNS service is likely to be handled by another (or
rather, many other) machine(s).
Cheers,
--
Étienne
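
An added example, written for this page and not code posted by Consus, Étienne or the acme-client project: a hypothetical dns-challenge.sh of the kind the thread describes, which publishes a DNS-01 TXT record through a zone-file include and bumps the SOA serial so the change propagates. Everything it assumes is mine, not the thread's: that the zone file already carries an $INCLUDE of the fragment file, that the SOA serial sits on its own line ending in "; serial", and the paths and record names, which are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a hypothetical
# /etc/acme-client/dns-challenge.sh that publishes an ACME DNS-01 TXT
# record via a zone include file, as sketched in the mail above.
# Assumptions (mine, not the thread's): the zone file already $INCLUDEs
# the fragment file, and the SOA serial is on its own line ending in
# "; serial". Paths and names are placeholders.
set -eu

# bump_serial ZONEFILE
# Increments the SOA serial in place and prints the new value. Secondaries
# only transfer the zone when the serial grows, so every change needs this.
bump_serial() {
    zonefile=$1
    old=$(awk '/; serial/ {print $1; exit}' "$zonefile")
    if [ -z "$old" ]; then
        echo "no '; serial' line found in $zonefile" >&2
        return 1
    fi
    new=$((old + 1))
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*; serial\)/\1$new\2/" "$zonefile" > "$zonefile.tmp"
    mv "$zonefile.tmp" "$zonefile"
    echo "$new"
}

# publish_challenge DOMAIN TOKEN ZONEFILE INCFILE
# Writes _acme-challenge.DOMAIN TXT "TOKEN" into INCFILE, bumps the SOA
# serial in ZONEFILE and prints the new serial.
publish_challenge() {
    domain=$1; token=$2; zonefile=$3; incfile=$4

    # ACME key authorizations are base64url, so anything outside that set
    # (quotes, semicolons, newlines) would corrupt the zone or smuggle in a
    # second record. Refuse rather than try to escape it.
    case $token in
        *[!A-Za-z0-9_-]*) echo "refusing token with unsafe characters" >&2; return 1 ;;
    esac

    # Write the fragment to a temp file and rename it, so the server never
    # loads a half-written include.
    printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$domain" "$token" > "$incfile.tmp"
    mv "$incfile.tmp" "$incfile"

    bump_serial "$zonefile"
}

# withdraw_challenge ZONEFILE INCFILE
# Empties the fragment once the CA has validated, so the token does not
# linger in DNS, and bumps the serial again so the removal propagates too.
withdraw_challenge() {
    zonefile=$1; incfile=$2
    : > "$incfile"
    bump_serial "$zonefile"
}

# reload_zone
# Asks the authoritative server to re-read the zone. Defaults to NSD 4;
# set RELOAD_CMD to "rndc reload" for BIND.
reload_zone() {
    ${RELOAD_CMD:-nsd-control reload}
}
```

The TXT record is kept in a separate include file so the script only ever needs write access to that one fragment plus the serial line, which is what makes it small enough to sit behind a pledged helper as Consus suggests; the main zone data stays untouched. A real hook would call publish_challenge, reload_zone, then poll the authoritative servers for the record before telling the CA to validate, and call withdraw_challenge afterwards.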