Discussion
justin_oaks: I read a lot about people running things like Caddy which will automatically retrieve Let's Encrypt certificates. And I think it makes sense for publicly accessible web sites since you can use an HTTP challenge with Let's Encrypt. For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has it permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system? Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?
kro: In Q2 this year, so very soon, there will be the DNS PERSIST method, which is non rotating.
mdhowle: DNS-PERSIST-01 is coming soon https://letsencrypt.org/2026/02/18/dns-persist-01
bombcar: There is a way to delegate the DNS challenges, but you can also create a dummy Caddy site for the HTTP challenge (e.g., firewall.internal.example.com resolves externally to an IP that Caddy will respond to and get the certificate, and then said certificate is copied internally to whatever needs it).
dns_snek: > Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?

I'd look for a custom DNS challenge provider plugin which delegates the task of creating DNS records to another machine which holds the actual token.
justin_oaks: Oh... that's fantastic! It specifically addresses my concerns about needing DNS credentials accessible to scripts. The article says it is for those who

> prefer to keep DNS updates and sensitive credentials out of their issuance path.
yegle: You should have used the `--deploy-hook` on certbot. I use this to copy the cert to a Synology NAS and trigger a reload of the cert on the NAS. BTW: The easiest way to run certbot in a container is to mount a renew script (some shell script as simple as `certbot renew`) to /etc/periodic/daily/renew, then change the container's entrypoint to `crond -d6 -f`.
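A deploy hook of the kind yegle describes, as an added example that is not the commenter's own script. It relies on `RENEWED_LINEAGE` and `RENEWED_DOMAINS`, the variables certbot exports when it runs a `--deploy-hook` after a successful renewal; the destination directory and the reload command are assumptions (placeholders for whatever the target service, e.g. a NAS, actually needs).

```shell
#!/bin/sh
# Example certbot --deploy-hook script (added example, not the commenter's own).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS when it runs a deploy hook after a successful renewal.
# Assumptions (hypothetical): DEST_DIR is the directory the target service reads
# its certificate from, RELOAD_CMD is the command that makes it pick up new files.
set -u

DEST_DIR="${DEST_DIR:-/srv/tls}"
RELOAD_CMD="${RELOAD_CMD:-true}"   # placeholder; replace with the real reload command

# Copy the renewed chain and key into place atomically with tight permissions,
# then run the reload command. Returns non-zero if an input file is missing,
# so the reload never runs against a half-deployed certificate.
deploy_cert() {
    lineage="$1"; dest="$2"; reload="$3"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    # write to temp files first so a reader never sees a partially written key
    tmpchain=$(mktemp "$dest/.fullchain.XXXXXX") || return 1
    tmpkey=$(mktemp "$dest/.privkey.XXXXXX") || return 1
    cat "$lineage/fullchain.pem" > "$tmpchain" || return 1
    cat "$lineage/privkey.pem" > "$tmpkey" || return 1
    chmod 0644 "$tmpchain"
    chmod 0600 "$tmpkey"          # private key readable by the owner only
    mv -f "$tmpchain" "$dest/fullchain.pem" || return 1
    mv -f "$tmpkey" "$dest/privkey.pem" || return 1
    # both files are in place; only now tell the service to reload
    sh -c "$reload"
}

# certbot sets RENEWED_LINEAGE when invoking the hook; when the file is merely
# sourced (e.g. for testing) it is unset and nothing is deployed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$DEST_DIR" "$RELOAD_CMD" || exit 1
    echo "deployed ${RENEWED_DOMAINS:-?} to $DEST_DIR"
fi
```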