This repository has been archived by the owner on Jun 13, 2022. It is now read-only.

Feature: follow CNAME records or allow to define CNAME of _acme-challenge.example.com #9

Closed
wowcut opened this issue Jul 11, 2018 · 4 comments

Comments

@wowcut

wowcut commented Jul 11, 2018

The ACME validation system follows CNAME records. This allows one to find a solution for problematic situations, e.g. when servers are not reachable from the public internet. You can define a CNAME for the _acme-challenge subdomain that points to a different domain and set the TXT record of that target domain instead of the original domain. This is also very helpful when you do not want to or cannot access the nameserver of the original domain via an API.

Of course the ACME client has to understand that concept, so there needs to be a way to define that existing CNAME, or the client has to be smart enough to follow that CNAME. Probably the easy quick fix would be to add some configuration option / parameter that allows defining the actual CNAME target domain to be updated instead of always using the domain defined by the -d parameter.

The acme.sh client has this feature implemented as DNS alias mode - that wiki entry explains the concept very well.

It would be very useful if you would support that feature, so users of this software can do everything that is possible with LE and certbot without limitations.

Thank you very much for your attention!

@ciphax
Owner

ciphax commented Jul 11, 2018

I see your point, and this should not be hard to implement. Unfortunately I don't have much spare time at the moment, but I'll look into implementing this soon.

@wowcut
Author

wowcut commented Jul 11, 2018

Where are you planning to get the target (the "alias") domain from? From DNS or by a parameter?
Thank you very much for your attention and your quick answer!

@ciphax
Owner

ciphax commented Jul 11, 2018

I think the best solution would be to look up the real domain by using DNS, which should be easy to implement since we are already using trust-dns-resolver for verifying that the record is publicly visible.
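The following is an added example, not code from this repository, illustrating the alias mode described in the opening comment and the DNS-based approach the maintainer proposes above: starting from `_acme-challenge.<domain>`, follow the CNAME chain to the name whose TXT record the ACME server will actually query. The CNAME data is a constructed in-memory table standing in for a real resolver (such as trust-dns-resolver), and the hop limit `MAX_CNAME_HOPS` is an assumption of this example. It also handles the two failure modes a client should not silently accept, a CNAME loop and an unreasonably long chain.

```rust
use std::collections::HashMap;

/// Upper bound on CNAME hops followed before the chain is treated as broken.
/// This limit is an assumption of the example, not something the client defines.
pub const MAX_CNAME_HOPS: usize = 8;

/// Normalise a DNS name: lowercase, exactly one trailing dot.
pub fn normalize(name: &str) -> String {
    let n = name.trim().trim_end_matches('.').to_ascii_lowercase();
    format!("{}.", n)
}

/// Owner name of the dns-01 challenge record for `domain`.
pub fn challenge_name(domain: &str) -> String {
    format!("_acme-challenge.{}", normalize(domain))
}

/// In-memory stand-in for the resolver's CNAME lookup, holding constructed
/// sample records. A real client would query DNS here instead.
pub struct CnameTable {
    records: HashMap<String, String>,
}

impl CnameTable {
    pub fn new(pairs: &[(&str, &str)]) -> Self {
        let records = pairs
            .iter()
            .map(|(owner, target)| (normalize(owner), normalize(target)))
            .collect();
        CnameTable { records }
    }

    /// CNAME target of `name`, if `name` is an alias.
    pub fn cname(&self, name: &str) -> Option<&str> {
        self.records.get(&normalize(name)).map(String::as_str)
    }
}

#[derive(Debug, PartialEq)]
pub enum AliasError {
    /// The chain revisits a name it has already passed through.
    Loop(String),
    /// More than MAX_CNAME_HOPS aliases in a row.
    TooManyHops,
}

/// Follow CNAMEs from `_acme-challenge.<domain>` and return the name whose
/// TXT record must be set for the validation to succeed.
pub fn txt_record_owner(table: &CnameTable, domain: &str) -> Result<String, AliasError> {
    let mut current = challenge_name(domain);
    let mut visited: Vec<String> = Vec::new();
    for _ in 0..MAX_CNAME_HOPS {
        visited.push(current.clone());
        match table.cname(&current) {
            // No alias: this is the name the ACME server will query for TXT.
            None => return Ok(current),
            Some(target) => {
                if visited.iter().any(|v| v == target) {
                    return Err(AliasError::Loop(target.to_string()));
                }
                current = target.to_string();
            }
        }
    }
    Err(AliasError::TooManyHops)
}

fn main() {
    // Constructed sample zone data for the demonstration.
    let table = CnameTable::new(&[
        ("_acme-challenge.example.com", "acme.validation.example.net"),
        ("acme.validation.example.net", "final.validation.example.net"),
        ("_acme-challenge.loop.example", "a.loop.example"),
        ("a.loop.example", "_acme-challenge.loop.example"),
    ]);
    for &domain in ["example.com", "plain.example.org", "loop.example"].iter() {
        match txt_record_owner(&table, domain) {
            Ok(owner) => println!("{}: set the TXT record on {}", domain, owner),
            Err(e) => println!("{}: CNAME chain unusable: {:?}", domain, e),
        }
    }
}
```

The returned owner name is the one the DNS provider API must update; the original `-d` domain is only the starting point of the chain. Rejecting loops and over-long chains up front avoids a client that writes a TXT record nobody will ever query.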

ciphax pushed a commit that referenced this issue Sep 30, 2018
@ciphax
Owner

ciphax commented Sep 30, 2018

This feature is now available in version 1.1.0.
