[justin_oaks]

Yes, I see that AWS Route53 can limit credential scope. That kind of thing helps a lot.

I've never heard of that CNAME approach for changing the validation domain. That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.

[throw0101a]

> That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.

At my last job we deployed a special sub-domain for that purpose (dnsauth.example.com) and manually created CNAMEs on our main (sub-)domains to point to it.

We then deployed a single (no-HA) externally exposed BIND server with a bunch of scripts that folks could connect to (we had deploy hooks scripts for users/developrs). Nowadays there even purpose-build DNS servers for this purpose:

* https://github.com/acme-dns/acme-dns

[radiowave]

My experience has been that CertBot doesn't play well with CNAME delegation, but it's probably very situational, like depending upon which DNS hosting provider plugin you're using.

My solution was to give up on CertBot and use dehydrated instead. This did require me to come up with a script to make the necessary API call to the DNS hosting, which dehydrated will then run as necessary.

[throw0101a]

> My experience has been that CertBot doesn't play well with CNAME delegation […]

A CertBot ticket on the subject opened January 2026:

* https://github.com/certbot/certbot/issues/10555