I'm facing challenges with automating the issuance and renewal of public SSL certificates now that their validity period has dropped to 47 days. Our current manual processes are inadequate. The main issue lies in domain validation because I don't want to provide a third party full access to our domain. Ideally, I'd prefer to just allow them to update specific TXT records, but many DNS providers make this difficult. I was considering using a CNAME with DNS delegation, but I learned from DigiCert that this approach requires a unique CNAME for each domain validation, which limits our ability to automate fully. Another option I'm exploring is persistent domain control validation with manual re-validation every 6-12 months. I'm also curious about pre-organizational validation (OV) to see if I can order domain control validation certificates for our domains since OV certificates are typically about six times more expensive than DCV certificates. How are others handling their public SSL certificates and what strategies are you using?
4 Answers
Certbot can handle automated renewals via HTTP challenges. Is that a viable option for you? It's usually my go-to because DNS validation through scripting can be tricky, as you're discovering.
Have you looked up ACME-DNS on GitHub? It could be a solution for your validation needs based on your setup.
If you're using Let's Encrypt or WinACME, check out the plugins for various DNS providers that let you use APIs for validation. This could be super helpful, especially if your sites aren't publicly facing. Just keep in mind, the issue you're facing isn't about the method but your DNS provider's limitations on record control. You really don’t want a third party having the power to validate anything they want in your zone!
Exactly! If they compromise the DNS controls, they could potentially validate anything, which is a huge security risk.
If switching DNS providers isn't an option, consider monitoring certificate creation with a service like URI Ports. It's definitely a reactive approach, which isn't ideal. But if you have the option to switch, I really liked using Route 53 — you can create IAM policies that only allow the creation of specific ACME challenge records. If you want, you could also use HTTP validation via a public server, but it can get complex and raises security concerns. Alternatively, AWS ACM might be worth the investment, allowing for an exportable private key, but you'd need to script the fetching of new certs manually. Just a note though, it does cost around $15 per domain for issuance and renewal.

It might not work for internal services that can't be exposed to the public internet, which is where things get tricky.
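The Route 53 suggestion in the answer above (an IAM policy that only allows ACME challenge records) can be made concrete. The following is an added example, not code from any poster: it builds such a policy for a hosted zone using the real Route 53 condition keys for record names, types and actions, and includes a pre-flight check that mirrors what the policy enforces. The hosted zone id and domain names are constructed placeholders.

```python
import json

ACME_LABEL = "_acme-challenge"


def acme_route53_policy(hosted_zone_id, domains):
    """IAM policy letting an ACME client change only the _acme-challenge TXT
    records of the given domains inside one hosted zone. Route 53 compares the
    normalized names lower-cased, so we normalize the same way here."""
    names = sorted({f"{ACME_LABEL}.{d.lower().rstrip('.')}" for d in domains})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # read-only calls most DNS-01 plugins need to find the zone and poll the change
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:GetChange"],
                "Resource": "*",
            },
            {   # the write permission, fenced in by the three condition keys
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "route53:ChangeResourceRecordSetsNormalizedRecordNames": names,
                        "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
                        "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"],
                    }
                },
            },
        ],
    }


def change_batch_allowed(policy, change_batch):
    """Local mirror of the Condition above: every change in a Route 53
    ChangeBatch must hit an allowed name, be TXT and use an allowed action.
    Handy as a pre-flight check in a renewal script or as a unit test."""
    cond = policy["Statement"][1]["Condition"]["ForAllValues:StringEquals"]
    allowed_names = set(cond["route53:ChangeResourceRecordSetsNormalizedRecordNames"])
    for change in change_batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        if rrset["Name"].lower().rstrip(".") not in allowed_names:
            return False
        if rrset["Type"] not in cond["route53:ChangeResourceRecordSetsRecordTypes"]:
            return False
        if change["Action"] not in cond["route53:ChangeResourceRecordSetsActions"]:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(acme_route53_policy("ZEXAMPLEZONEID", ["example.com", "www.example.com"]), indent=2))
```

Note that a ForAllValues condition also matches an empty set, so this policy still permits a ChangeBatch with no changes, which is harmless; what it blocks is any batch touching a name or type outside the ACME label.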