Say you have the domain important.example.org and want to obtain a wildcard certificate. One way you could do that is make a CNAME record at _acme-challenge.important.example.org that points to dnsprovider.example.com. This approach allows you to only put the DNS credentials for dnsprovider.example.com on your server for use with Certbot while keeping your credentials for important.example.org secure. This is a better approach from a security perspective and one we even recommended in https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation.
Unfortunately, Certbot doesn't let you do this because it tries to modify the domain you requested the certificate for instead of the domain pointed to by the CNAME. We cannot just always modify the domain pointed to by a CNAME, but giving the users the option to do this seems valuable to me.
There was some progress made on this in #5350 which is now closed, but the work is preserved in the branch quinot/topic/dns-follow-cnames.
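To make the delegation concrete, here is an added, self-contained example (it is not Certbot's code or the code on the quinot/topic/dns-follow-cnames branch). It models what both sides do once _acme-challenge.important.example.org is a CNAME to dnsprovider.example.com: the client follows the CNAME chain to find the owner name where the dns-01 TXT record must actually be written, refuses to write if that name lies outside the zone its credentials cover (the reason a client cannot just always write to the CNAME target), and the CA resolves the same chain to find the TXT value. The RECORDS table, the `credentialed_zone` parameter, the token and thumbprint strings, and all function names are assumptions constructed for the example; the TXT value format follows RFC 8555 (base64url of SHA-256 over token + "." + account key thumbprint, unpadded).

```python
import base64
import hashlib

# Constructed in-memory DNS data for this example (not real zones).
# owner name -> {rtype: [rdata, ...]}; all names are fully qualified.
RECORDS = {
    "_acme-challenge.important.example.org.": {"CNAME": ["dnsprovider.example.com."]},
    # A deliberately broken delegation: the chain loops and can never resolve.
    "_acme-challenge.broken.example.org.": {"CNAME": ["loop-a.example.net."]},
    "loop-a.example.net.": {"CNAME": ["loop-b.example.net."]},
    "loop-b.example.net.": {"CNAME": ["loop-a.example.net."]},
}


def fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(name, zone):
    """True if `name` is `zone` itself or a subdomain of it."""
    name, zone = fqdn(name), fqdn(zone)
    return name == zone or name.endswith("." + zone)


def follow_cnames(name, records, max_depth=8):
    """Follow CNAMEs from `name` the way a validating resolver does.

    Returns (final_owner_name, chain). Raises ValueError on a loop or on a
    chain longer than max_depth; either would also make the CA's lookup fail.
    """
    chain = []
    cur = fqdn(name)
    while True:
        if cur in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [cur]))
        chain.append(cur)
        if len(chain) > max_depth:
            raise ValueError("CNAME chain longer than %d" % max_depth)
        targets = records.get(cur, {}).get("CNAME", [])
        if not targets:
            return cur, chain
        cur = fqdn(targets[0])


def challenge_name(domain):
    # A wildcard *.example.org is validated at _acme-challenge.example.org,
    # the same name used for the base domain itself.
    if domain.startswith("*."):
        domain = domain[2:]
    return fqdn("_acme-challenge." + domain)


def dns01_txt_value(token, thumbprint):
    """TXT rdata for dns-01: base64url(SHA-256(token + "." + thumbprint)), unpadded."""
    key_authz = (token + "." + thumbprint).encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def plan_txt_placement(domain, records, credentialed_zone):
    """Decide where the client must write the TXT record for `domain`.

    Follows the CNAME chain from _acme-challenge.<domain>, then checks that
    the final name is inside the zone the configured credentials can edit.
    Without this check a client would try to write into whatever zone the
    CNAME happens to point at, which is exactly why "always follow the CNAME"
    is not a safe default.
    """
    target, chain = follow_cnames(challenge_name(domain), records)
    if not in_zone(target, credentialed_zone):
        raise PermissionError("%s resolves to %s, outside credentialed zone %s"
                              % (chain[0], target, fqdn(credentialed_zone)))
    return target


def publish_txt(domain, token, thumbprint, records, credentialed_zone):
    """Client side: write the TXT record at the name plan_txt_placement chose."""
    target = plan_txt_placement(domain, records, credentialed_zone)
    records.setdefault(target, {}).setdefault("TXT", []).append(
        dns01_txt_value(token, thumbprint))
    return target


def ca_validates(domain, token, thumbprint, records):
    """Server side: resolve TXT at _acme-challenge.<domain>, following CNAMEs,
    and accept if the expected value is among the answers."""
    try:
        target, _ = follow_cnames(challenge_name(domain), records)
    except ValueError:
        return False
    return dns01_txt_value(token, thumbprint) in records.get(target, {}).get("TXT", [])


if __name__ == "__main__":
    # Constructed token and thumbprint; a real client gets both from the ACME account/order.
    recs = {k: {rt: list(rd) for rt, rd in v.items()} for k, v in RECORDS.items()}
    token, thumb = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "example-account-key-thumbprint"
    where = publish_txt("*.important.example.org", token, thumb, recs, "example.com")
    print("TXT written at", where, "-> CA validates:",
          ca_validates("*.important.example.org", token, thumb, recs))
```

Note that the server never needs to know about the delegation: it simply resolves the challenge name, and the resolver's CNAME handling carries it to dnsprovider.example.com. The only party that needs the CNAME-following logic is the client, and it is the client that must decide, via the zone check, whether its credentials are allowed to write at the name the chain ends at.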