[kuschku]

> Well, one of the "challenges" is the one in a different comment: most registrars don't allow fine-grained control over who can update what DNS records.

Afaik, every major registrar allows you to add an NS record for the _acme-challenge subdomain, allowing you to put the _acme-challenge subdomain on a custom, self-hosted DNS server.

That in turn allows you to make the permissions as specific as you'd like. Personally I just run powerdns in docker for this.

[TheNewsIsHere]

Using CNAME delegation for the ACME challenge domain and directing that to a Route 53 zone is my preferred approach. Then (as long as you have CloudWatch configured) you get inherent auditing and very flexible privilege management.

[cj]

That wouldn't work for this use case though would it? AWS doesn't allow downloading the certificate (I could be wrong)? Typically certificates can only be used with other AWS services. E.g. you can't download the certificate and serve it from a home server.

[vladvasiliu]

You're not wrong, but the idea here is not to use AWS' certificate manager but their DNS service on which you would only handle the acme-challenge subdomain. This would allow you to limit who can update which subdomain. The LE cert is obtained normally.

[attentive]

there is also https://github.com/joohoi/acme-dns and LE clients like lego supporting it.