Somewhat related - I made a bridge server [1] that lets ACME clients use standard RFC2136 to solve DNS-01 challenges for internal names without them needing credentials for the actual DNS backend (Route 53 in my case).
bruce511|2 years ago
I did exactly the same for our local-cloud products.
Our local-cloud program connects to our "certificate server", and asks for a name/ip combination.
Our certificate server gets it using API access to our "local-cloud" domain. The local machine receives it.
So the end user does not have the Domain credentials. They have credentials to our cert server, but those have very limited value (and would need to be decrypted first.)
linsomniac|2 years ago
I have a workflow for creating AWS credentials that are restricted to doing the LetsEncrypt DNS challenges for just a single sub-domain, and that seems to be working well. https://linsomniac.gitlab.io/post/2019-09-10-letsencrypt-wit...
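An added example of the kind of restricted credential described above (written for this thread, not taken from the linked post): an IAM policy that lets an ACME client touch only the `_acme-challenge` TXT record of one name in one Route 53 hosted zone, instead of every record in the zone. The hosted zone ID and the record name are placeholders to be replaced with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverZonesAndPollChangeStatus",
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": "*"
    },
    {
      "Sid": "OnlyAcmeChallengeTxtForOneName",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ZONEID_PLACEHOLDER",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.app.internal.example.com"
          ],
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsActions": ["CREATE", "UPSERT", "DELETE"]
        }
      }
    }
  ]
}
```

`ForAllValues` makes every change in a submitted batch match all three conditions, so a request that bundles an allowed TXT change with an A record or another name is rejected whole; `ListHostedZones` still reveals zone names, which is the residual exposure a bridge server like the one in the first comment avoids.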