
Is there ANY way to automatically renew Let's Encrypt certificates without

  1. Having an A record for that domain
  2. Updating the DNS zone at each renewal

Example: I would like to use it for my XMPP server which uses SRV records. I do not want to add an A record.

I could manually add a TXT record. However, it seems this must be done at each renewal and hence, it is not practical. I do NOT want to change a TXT record at each renewal.

I could use nsupdate in a script but I do not want to set up dynamic DNS just for that.

Methods I could think of:

  1. Put a public key as a TXT record in DNS (one time!). At each renewal, a challenge is signed with the corresponding private key. By far the most elegant.

  2. A special SRV record which points to a service where a temporary TCP server is opened to service that request

  3. An email with a challenge is sent to an address in whois of the parent domain which is automatically replied to using an SMTP server

1 Answer


There are several different challenge methods as part of the ACME spec. These are the only ways you can verify your domain, so you will have to choose one of the specified challenge methods. Based on your description the DNS challenge (setting a TXT record) sounds like the easiest method to use without setting up/exposing a webserver, but you will have to decide which is best for your situation.
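As an added illustration (not part of the answer above, and not code from any ACME client), the following shows what the DNS-01 TXT value actually is, per RFC 8555 section 8.4, and why it cannot be a one-time record: the CA issues a fresh random token for every authorization, and the record must hold base64url(SHA-256(token + "." + thumbprint)), where the thumbprint is the RFC 7638 thumbprint of the ACME account's public key. The same key authorization string, unhashed, is what HTTP-01 serves at /.well-known/acme-challenge/<token>. The account key and token below are constructed sample values, not real ones.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sha256_b64url(data: bytes) -> str:
    """base64url(SHA-256(data)): the encoding both DNS-01 and the JWK thumbprint use."""
    return b64url(hashlib.sha256(data).digest())

def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 JWK thumbprint.

    Only the REQUIRED public members of the key type are hashed, serialised as
    JSON with members sorted lexicographically and no whitespace. Extra members
    such as 'alg' or 'kid' are deliberately ignored.
    """
    required_members = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required_members},
        sort_keys=True,
        separators=(",", ":"),
    )
    return sha256_b64url(canonical.encode("utf-8"))

def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token + '.' + thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_body(token: str, account_jwk: Dict[str, str]) -> str:
    """HTTP-01 (section 8.3): the key authorization is served verbatim at
    http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, account_jwk)

def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """DNS-01 (section 8.4): the TXT record holds the base64url SHA-256 digest
    of the key authorization. Because the token changes on every authorization,
    this value changes on every renewal even though the account key does not."""
    return sha256_b64url(key_authorization(token, account_jwk).encode("ascii"))

def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (owner name, TXT value) for the record the CA will query."""
    return (f"_acme-challenge.{domain}", dns01_txt_value(token, account_jwk))

# Constructed sample inputs (assumptions for this example, not a real account
# key, token or CA): a P-256 JWK whose coordinates are just hashes of fixed
# strings, plus an 'alg' member that the thumbprint must ignore.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(hashlib.sha256(b"constructed-x").digest()),
    "y": b64url(hashlib.sha256(b"constructed-y").digest()),
    "alg": "ES256",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

if __name__ == "__main__":
    name, value = dns01_record("xmpp.example.org", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name}. 300 IN TXT \"{value}\"")
    print("HTTP-01 body would be:", http01_body(SAMPLE_TOKEN, SAMPLE_JWK))
```

Note that the record name is `_acme-challenge.<domain>`, so no A record for the domain itself is involved; only the TXT value has to be replaced each time, and a CNAME from `_acme-challenge.<domain>` to a name in a zone you can update automatically is a common way to keep the main zone static.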
