by AlbinoDrought 1756 days ago
"Delegated Domains" might interest you [0].

In this mode you manually configure a CNAME record once like "_acme-challenge.important.example => _acme-challenge.lessimportant.example" and then set up your client with DNS API keys for the lessimportant.example domain. You still get valid certs for your important domain without exposing creds for it.

A leaked key would prevent attackers from changing your important DNS records, but they could still generate valid certs for your important domain.

We bought a cheap domain (~$14/y) for this purpose and hooked it up to a DNS provider with a better API than our main provider. It has worked great and gives some peace of mind.

[0]: https://cert-manager.io/docs/configuration/acme/dns01/#deleg...


Even more moving parts you need to set up and maintain.

It introduces a 4th party you depend on. Now you have:

1: The datacenter where your application runs
2: The DNS server
3: Let's Encrypt
4: The "DNS provider with a better API"

The "DNS provider with a better API" can be your own bind9 server on the same machine as certbot, updated with RFC 2136. Completely standard, no changing APIs, no 4th party, no maintenance. I set up a server like this at work and haven't touched it for a year and a half.
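The delegated CNAME from the first comment combined with the RFC 2136 update from this one, as an added example that is not from the thread: a certbot manual auth/cleanup hook that writes the DNS-01 TXT record into the less important zone on a local bind9 via nsupdate. The zone name, key file path and key name are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Used as:
#   --manual-auth-hook "/path/hook.sh add" --manual-cleanup-hook "/path/hook.sh delete"
# _acme-challenge.important.example is a CNAME to _acme-challenge.lessimportant.example,
# so the TXT record goes into the delegated zone and the key for important.example
# is never touched. Hypothetical names: lessimportant.example, /etc/acme/tsig.key, acme-key.
DELEGATED_ZONE="${DELEGATED_ZONE:-lessimportant.example}"
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/acme/tsig.key}"

# Name the ACME server reaches after following the CNAME. Every important domain
# may point at this one name; several TXT records can coexist there.
challenge_name() {
    printf '_acme-challenge.%s.' "$DELEGATED_ZONE"
}

# Build the nsupdate batch. $1 is "add" or "delete", $2 the validation token certbot
# passes in $CERTBOT_VALIDATION. Deleting names the exact rdata, so cleaning up one
# domain's challenge does not remove another domain's pending record.
build_nsupdate_batch() {
    name=$(challenge_name)
    case "$1" in
        add)    rr="update add $name 60 IN TXT \"$2\"" ;;
        delete) rr="update delete $name IN TXT \"$2\"" ;;
        *)      echo "usage: build_nsupdate_batch add|delete token" >&2; return 2 ;;
    esac
    printf 'server %s\nzone %s.\n%s\nsend\n' "$DNS_SERVER" "$DELEGATED_ZONE" "$rr"
}

# A leaked TSIG key should only be able to write this one record. On the bind9 side:
#   update-policy { grant acme-key name _acme-challenge.lessimportant.example. TXT; };
# restricts the key to TXT at that name, in the less important zone only.
if [ -n "${CERTBOT_VALIDATION:-}" ] && [ $# -gt 0 ]; then
    build_nsupdate_batch "$1" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
    if [ "$1" = add ]; then sleep 5; fi   # let the zone serve the record before certbot queries it
fi
```

certbot also ships a dns-rfc2136 plugin that does the same update without a hand-written hook; the hook above shows what that update looks like on the wire.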

bind hasn't exactly had a flawless security history...

(also hope that not touching it means you've automated security updates at least)

use the same provider (but a different account)?

you are unavoidably dependent on 1-3 anyway

Neat! Thanks for sharing this.