cpu / goacmedns

Go library to handle acme-dns client communication and persistent account storage.


Make `InsecureSkipVerify: true` configurable

lenovouser opened this issue · comments

👋 Hi @lenovouser,

I'm sorry you found yourself in a situation where you couldn't renew the ACME DNS certificate.

I don't think that making TLS certificate validation configurable is the right solution. I'm hesitant to add a lever that will be a security downgrade 99.99% of the time and a useful feature the remaining 0.01%. It looks like the first-party Python ACME DNS library by @joohoi doesn't expose a way to do this either.

Beyond encouraging adding monitoring of your ACME DNS HTTPS certificate expiry, I think the best path forward would be to amend the upstream ACME DNS project README to call out this specific danger. The safest way to avoid this situation is to recommend that users who want to use ACME DNS with an HTTPS API should let ACME DNS get its own certificate using its built-in autossl (e.g. using `tls = letsencrypt` in the acme-dns config) instead of using an ACME client dependent on the ACME DNS API to get the certificate. I'll work on a PR for this shortly.

I'm going to close this issue since I don't think it is fit for implementation. Thanks!
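To make the trade-off in the comment above concrete, here is an added Go example (not goacmedns code, and not an API the library exposes) that puts the requested lever, `InsecureSkipVerify: true`, next to the alternative that still works for a private or self-signed acme-dns deployment: pinning the deployment's own CA via `RootCAs` while keeping chain and hostname verification on. The helper names (`insecureClient`, `pinnedClient`, `verificationDisabled`, `selfSignedCAPEM`) are assumptions for this example, and the CA certificate is constructed in-process so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// insecureClient is the lever the issue asked for: InsecureSkipVerify accepts
// any certificate, so an on-path attacker can impersonate the acme-dns API.
func insecureClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
		},
	}
}

// pinnedClient is the alternative for a private or self-signed acme-dns
// deployment: trust exactly the CA(s) in caPEM and keep chain and hostname
// verification on. Hypothetical helper, not part of goacmedns.
func pinnedClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:    pool,
				MinVersion: tls.VersionTLS12,
				// InsecureSkipVerify is deliberately left at its zero value (false).
			},
		},
	}, nil
}

// verificationDisabled reports whether an http.Client's transport has
// certificate verification switched off; useful as a startup guard.
func verificationDisabled(c *http.Client) bool {
	t, ok := c.Transport.(*http.Transport)
	return ok && t.TLSClientConfig != nil && t.TLSClientConfig.InsecureSkipVerify
}

// selfSignedCAPEM builds a throwaway CA certificate (constructed test data)
// so the example runs offline; in a real deployment caPEM is read from disk.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-private-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	ca, err := selfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	pinned, err := pinnedClient(ca)
	if err != nil {
		panic(err)
	}
	fmt.Println("insecure client skips verification:", verificationDisabled(insecureClient()))
	fmt.Println("pinned client skips verification:", verificationDisabled(pinned))
	_, err = pinnedClient([]byte("not a certificate"))
	fmt.Println("bad CA input rejected:", err != nil)
}
```

The pinned client fails loudly at construction time when the CA file is missing or malformed, which is the behaviour you want from a renewal tool: a clear error about trust material rather than a silent downgrade. It does not help with the situation the issue describes (the acme-dns certificate itself having expired); for that, the comment's recommendation of letting acme-dns obtain its own certificate, plus expiry monitoring, is the fix.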


Here's an acme-dns README update that I think helps address this situation: joohoi/acme-dns#169

The ACME-DNS README now has a warning about this case: https://github.com/joohoi/acme-dns#https-api