Use case
DNS-01 challenge requires storing DNS API key in maddy.conf. DNS providers do not typically offer API keys that can be restricted to setting and removing _acme_challenge TXT records and nothing else. Storing an API key that controls DNS for the whole domain in maddy.conf is not great for security.
One workaround is to delegate DNS-01 challenges to a separate domain using a CNAME record: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation (see the "Use a "Throwaway" Validation Domain" section)
Your idea for a solution
DNS01Solver in the certmagic package has an OverrideDomain field:
// Override the domain to set the TXT record on. This is
// to delegate the challenge to a different domain. Note
// that the solver doesn't follow CNAME/NS record.
OverrideDomain string
Allow it to be specified in maddy.conf, and pass it to DNS01Solver. Configuration mockup:
tls {
    loader acme {
        hostname example.com
        email hello@example.com
        agreed
        challenge dns-01
        override_domain example-acme-challenge.com
        dns cloudflare {
            api_token "..."
        }
    }
}
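The delegation described above only works if the CNAME from `_acme-challenge.<hostname>` actually reaches the record the solver writes, because certmagic's DNS01Solver does not follow CNAMEs itself; the ACME server does. The following Go program is an added example, not maddy's or certmagic's code: it computes the RFC 8555 DNS-01 record name and TXT value, and checks a CNAME chain against a constructed zone before an override domain is trusted. It assumes the override domain is used as the host whose `_acme-challenge` record receives the TXT value; the hypothetical `VerifyDelegation`, `TargetRecordName` and `mapLookup` helpers are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ChallengeRecordName returns the name the ACME server queries for a DNS-01
// challenge of host (RFC 8555 section 8.4): "_acme-challenge." + host.
func ChallengeRecordName(host string) string {
	return "_acme-challenge." + strings.TrimSuffix(strings.ToLower(host), ".")
}

// DNS01TXTValue computes the TXT record content the ACME server expects:
// base64url(SHA-256(token "." account key thumbprint)), without padding.
func DNS01TXTValue(token, accountThumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + accountThumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// TargetRecordName is where the solver writes the TXT record. Assumption of
// this example: with an override domain configured, the record lands on
// "_acme-challenge.<override>" instead of "_acme-challenge.<host>".
func TargetRecordName(host, overrideDomain string) string {
	if overrideDomain == "" {
		return ChallengeRecordName(host)
	}
	return ChallengeRecordName(overrideDomain)
}

// CNAMELookup returns the CNAME target of name, or "" when there is none.
// Injected so the check can run against a real resolver or a fixture.
type CNAMELookup func(name string) (string, error)

// VerifyDelegation follows the CNAME chain starting at _acme-challenge.<host>
// and succeeds only if it ends at the record the solver will write. A missing
// or mis-pointed CNAME means issuance would fail, so catch it before the ACME
// order, not after.
func VerifyDelegation(host, overrideDomain string, lookup CNAMELookup, maxHops int) error {
	want := TargetRecordName(host, overrideDomain)
	name := ChallengeRecordName(host)
	for hop := 0; hop < maxHops; hop++ {
		target, err := lookup(name)
		if err != nil {
			return fmt.Errorf("lookup %s: %w", name, err)
		}
		target = strings.TrimSuffix(strings.ToLower(target), ".")
		if target == "" {
			return fmt.Errorf("%s has no CNAME; DNS-01 for %s would never reach %s", name, host, want)
		}
		if target == want {
			return nil
		}
		name = target
	}
	return errors.New("CNAME chain too long or looping")
}

// mapLookup builds a CNAMELookup from a constructed zone fixture (name -> CNAME target).
func mapLookup(zone map[string]string) CNAMELookup {
	return func(name string) (string, error) {
		return zone[strings.ToLower(name)], nil
	}
}

func main() {
	// Constructed zone data: example.com delegates its challenge to the throwaway domain.
	zone := map[string]string{
		"_acme-challenge.example.com": "_acme-challenge.example-acme-challenge.com.",
	}
	err := VerifyDelegation("example.com", "example-acme-challenge.com", mapLookup(zone), 5)
	fmt.Println("delegation ok:", err == nil)
	fmt.Println("solver writes to:", TargetRecordName("example.com", "example-acme-challenge.com"))
	fmt.Println("sample TXT value:", DNS01TXTValue("constructed-token", "constructed-thumbprint"))
}
```

Run this once with a real `net.Resolver.LookupCNAME` wrapped as the `CNAMELookup` before turning on `override_domain`; the API token scoped to the throwaway zone then only ever needs write access there.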