Is there ANY way to automatically renew LetsEncrypt certificates without
- Having an A record to that domain
- Updating the DNS zone at each renew
Example: I would like to use it for my XMPP server which uses SRV records. I do not want to add an A record.
I could manually add a TXT record. However, it seems this must be done at each renewal and hence, it is not practical. I do NOT want to change a TXT record at each renewal.
I could use nsupdate in a script but I do not want to set up dynamic DNS just for that.
Methods I could think of:
- Put a public key as TXT record in DNS (one time!). Each renewal, a challenge is signed with the corresponding private key. By far the most elegant.
- A special SRV record which points to a service where a temporary TCP server is opened to service that request.
- An email with a challenge is sent to an address in whois of the parent domain which is automatically replied to using an SMTP server.
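The reason the TXT record has to change at every renewal is visible in how ACME (RFC 8555, section 8.4) derives the DNS-01 record value: it is the SHA-256 of a key authorization built from a fresh, per-challenge token issued by the CA and the thumbprint of the account key (RFC 7638), so even with a fixed account key the published value differs each time. The following is an added example that is not part of the original question; the JWK and the tokens are constructed placeholders, not real key material or real CA-issued tokens.

```python
import base64
import hashlib
import json

# Members that RFC 7638 includes in the thumbprint input for each key type;
# optional members such as "alg" or "kid" are deliberately excluded.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {m: jwk[m] for m in members},
        separators=(",", ":"),   # no whitespace
        sort_keys=True,          # lexicographic member order
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<domain>
    is base64url(SHA256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def renewal_records(domain: str, tokens: list, account_jwk: dict) -> dict:
    """Simulate several renewals of the same domain with the same account key,
    returning the TXT record each one would have required."""
    name = f"_acme-challenge.{domain}"
    return {f"{name}#{i}": dns01_txt_value(t, account_jwk) for i, t in enumerate(tokens)}


# Constructed account key: shape of a P-256 JWK, but the coordinates are
# arbitrary placeholder strings, not a real public key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url-value-000",
    "y": "placeholder-y-coordinate-base64url-value-111",
    "kid": "https://acme.example/acct/1",  # optional member, must not affect the thumbprint
}

# Constructed tokens standing in for the per-challenge tokens a CA would issue.
TOKENS = ["renewal-token-2024-01-AAAA", "renewal-token-2024-04-BBBB", "renewal-token-2024-07-CCCC"]

if __name__ == "__main__":
    for rr, value in renewal_records("xmpp.example.org", TOKENS, ACCOUNT_JWK).items():
        print(f'{rr} IN TXT "{value}"')
```

Running it prints three different TXT values for the same domain and account key, which is exactly the per-renewal DNS change the question is asking to avoid; the account key thumbprint, by contrast, stays constant across all of them.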