Let's Encrypt domain authentication can be done in two ways:
- through HTTP challenges
- through DNS validation
The HTTP challenges work smoothly, as long as nginx is correctly configured and the web server is still alive. But how do we create the Openfire certificate when its domains are split between two servers (nasqueron.org on Ysul for the webserver-legacy role; xmpp.nasqueron.org and conference.nasqueron.org on Equatower for the docker-paas role)?
The DNS challenges have been tested with the manuale client, but how do we automate the process? HE doesn't provide an API to update TXT records while T1217 is still open. In both scenarios, we would be giving each server full control of the DNS.
A fine solution is to have a DNS server whose only task is to manage TXT records for Nasqueron domains, e.g. *.acme.nasqueron.org, and to use CNAME records to wire _acme-challenge.domain.tld to something.acme.nasqueron.org. Then we give the Let's Encrypt clients full control of this specific DNS server to automate DNS verifications.
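As an added illustration of the CNAME delegation described above (this is example code written for this note, not part of the task or of any Nasqueron tooling), the following script shows which record goes in the parent zone, which name the Let's Encrypt client has to write its TXT record to, and how a CA's resolver follows the chain. The labelling scheme `<domain>.acme.nasqueron.org` is an assumption (the text only says "something.acme.nasqueron.org"); the record table, token and account thumbprint are constructed stand-ins for real DNS answers and ACME material. The TXT value computation follows RFC 8555 section 8.4.

```python
import base64
import hashlib

# Dedicated zone that only carries ACME TXT records (the proposal above).
ACME_ZONE = "acme.nasqueron.org"


def challenge_name(domain):
    """Name the CA queries for a dns-01 challenge."""
    return f"_acme-challenge.{domain}"


def delegation_target(domain, acme_zone=ACME_ZONE):
    """Where that name is redirected; '<domain>.<acme zone>' is an assumed labelling scheme."""
    return f"{domain}.{acme_zone}"


def cname_record(domain, acme_zone=ACME_ZONE):
    """Zone-file line added once to the parent zone (e.g. nasqueron.org, hosted at HE)."""
    return f"{challenge_name(domain)}. IN CNAME {delegation_target(domain, acme_zone)}."


def dns01_txt_value(token, account_thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' JWK thumbprint)) without padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def resolve_txt(name, records, max_hops=8):
    """Follow CNAMEs through a constructed record table the way a CA's resolver would.

    records maps an owner name to ("CNAME", target) or ("TXT", [strings]).
    A missing name behaves like NXDOMAIN/NODATA: no TXT strings, so validation fails.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rr = records.get(name)
        if rr is None:
            return []
        rtype, value = rr
        if rtype == "CNAME":
            name = value
            continue
        if rtype == "TXT":
            return list(value)
        return []
    raise ValueError("CNAME chain too long")


def validate_dns01(domain, token, account_thumbprint, records):
    """True if a TXT matching the key authorization is reachable from _acme-challenge.<domain>."""
    expected = dns01_txt_value(token, account_thumbprint)
    return expected in resolve_txt(challenge_name(domain), records)


def build_example_records(domain, token, account_thumbprint):
    """Constructed DNS state: the parent zone holds only the CNAME, the acme zone holds the TXT."""
    return {
        challenge_name(domain): ("CNAME", delegation_target(domain)),
        delegation_target(domain): ("TXT", [dns01_txt_value(token, account_thumbprint)]),
    }


if __name__ == "__main__":
    # Constructed sample values, not real ACME material.
    token = "constructed-token-0123456789"
    thumbprint = "constructed-account-thumbprint"
    for d in ("xmpp.nasqueron.org", "conference.nasqueron.org"):
        print(cname_record(d))
        ok = validate_dns01(d, token, thumbprint, build_example_records(d, token, thumbprint))
        print(f"{d}: {'valid' if ok else 'INVALID'}")
    # A TXT left over from an earlier renewal must not satisfy the new token.
    stale = build_example_records("xmpp.nasqueron.org", "old-token", thumbprint)
    print("stale record accepted:", validate_dns01("xmpp.nasqueron.org", token, thumbprint, stale))
```

The point the table makes concrete: the HE-hosted zone only ever needs the one-time CNAME per domain, while the client writes and rotates TXT records solely in the acme zone, so only that server's DNS needs to be scriptable. Against live DNS the same check is a `dig TXT _acme-challenge.xmpp.nasqueron.org` from outside the network, which should answer with the CNAME followed by the TXT.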