Challenge Alias for Let's Encrypt
To renew my Let's Encrypt certificates I migrated most of them from HTTP(S)-based validation to DNS-based validation.
The best tool for this is imho acme.sh.
But be careful: acme.sh changed its default CA to ZeroSSL.
So first set the default to Let's Encrypt:
acme.sh --set-default-ca --server letsencrypt
Now to the best feature of the DNS challenge: using the API of one DNS provider to answer the challenge for a domain hosted at another DNS provider.
For example: I use Hetzner DNS API tokens with acme.sh. I can generate a new token for every domain.
But I also have domains at INWX. There I would have to give acme.sh my username and password, and this feels wrong, so I don't do this.
For my domain at INWX I added this record:
_acme-challenge.meinsack.click. CNAME _acme-challenge.meinsack.click.madflex.de.
And now I can use the Hetzner API to update the certificate for meinsack.click via meinsack.click.madflex.de.
The command for this:
acme.sh --issue --dns dns_hetzner --challenge-alias meinsack.click.madflex.de -d meinsack.click
The documentation for this feature: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode.
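A preflight check for the CNAME delegation described above, as an added example that is not part of the original post or of acme.sh: it confirms that `_acme-challenge.<domain>` points at exactly `_acme-challenge.<alias>` before you run the issue command. The function names are hypothetical, and the live lookup assumes `dig` is installed.

```shell
#!/bin/sh
# Preflight for acme.sh DNS alias mode (added example, not acme.sh code).

# Lowercase a DNS name and strip one trailing dot so names compare equal.
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Name the CNAME must point at when using --challenge-alias <alias>.
expected_target() {
    printf '_acme-challenge.%s' "$(normalize "$1")"
}

# cname_matches <alias> <dig-answer>: succeed only if the answer is exactly
# one CNAME and it points at _acme-challenge.<alias>.
cname_matches() {
    alias_zone=$1
    answer=$2
    # An empty answer means the CNAME is missing; more than one line means
    # the lookup returned something other than a single CNAME target.
    [ -n "$answer" ] || return 1
    [ "$(printf '%s\n' "$answer" | wc -l)" -eq 1 ] || return 1
    [ "$(normalize "$answer")" = "$(expected_target "$alias_zone")" ]
}

# check_delegation <domain> <alias>: live lookup; needs dig and network.
check_delegation() {
    answer=$(dig +short CNAME "_acme-challenge.$(normalize "$1")")
    if cname_matches "$2" "$answer"; then
        echo "ok: _acme-challenge.$1 -> $answer"
    else
        echo "mismatch: got '${answer:-<none>}', want $(expected_target "$2")." >&2
        return 1
    fi
}

# Run the live check only when called as: script <domain> <alias>
if [ "$#" -eq 2 ]; then
    check_delegation "$1" "$2"
fi
```

Called with `meinsack.click meinsack.click.madflex.de` it exits non-zero if the CNAME is missing or points anywhere other than the alias zone that holds the Hetzner token.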