5
  • I like this solution. I'd use Route53 for the sub. I've never delegated a subdomain before. This looks like the relevant doc, do you agree? docs.aws.amazon.com/Route53/latest/DeveloperGuide/… Commented Apr 6, 2018 at 15:28
  • delegate the _acme-challenge ... zone - this would work for a single record, but that doesn't seem like it would scale very well if you had many zones, or many records and didn't want a wildcard. Commented Apr 6, 2018 at 16:44
  • 1
    @Zoredache you just have to delegate one and CNAME the other names you want verified (some people even register a completely separate domain, because their DNS provider won't let them configure API keys with appropriately restricted access). Commented Apr 6, 2018 at 17:01
  • 1
    I attempted the subdomain solution and I think I hit a fatal blocker. The certbot-dns-route53 plugin expects to modify the primary domain, which lives in one Route53 hosted zone. I modified the IAM policy to allow it to modify the new subdomain, which is in a different hosted zone. The plugin died, complaining that it could not modify the hosted zone that it wanted to modify. It's opinionated about which hosted zone it wants to modify, and it doesn't appear to be smart enough to handle the subdomain solution. Commented Apr 6, 2018 at 17:26
  • Oh, I see the problem: "_find_zone_id_for_domain" is supposed to figure out which one to modify, but they use that to figure out the zone responsible for the validation domain, not the actual record. Commented Apr 6, 2018 at 18:49
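The thread above describes two things: the delegation pattern (a separate hosted zone receives the `_acme-challenge` names by CNAME, and the IAM policy is scoped to that zone only) and the failure mode where a DNS plugin picks the hosted zone by looking up the validation name itself instead of the CNAME target. The following is an added example, not code from certbot, certbot-dns-route53 or the thread's authors. The hosted zone names, zone IDs, CNAME records and digest value are all constructed; `naive_zone_for_validation`, `cname_aware_zone_for_validation` and `scoped_iam_policy` are hypothetical helper names. It shows, offline, why the naive lookup lands in the primary zone and how following the CNAME chain first lands in the delegated zone that the restricted policy actually permits.

```python
"""Pick the Route53 hosted zone for an ACME DNS-01 TXT record.

Constructed data throughout: no real zones, zone IDs or credentials.
"""
from typing import Dict, Optional, Tuple

# Constructed hosted zones: the primary zone that the ACME client must
# never be allowed to modify, and the delegated validation zone.
HOSTED_ZONES: Dict[str, str] = {
    "example.com.": "ZPRIMARYEXAMPLE",        # constructed zone ID
    "acme.example.com.": "ZDELEGATEDACME",    # constructed zone ID
}

# Constructed CNAMEs as they would appear in the primary zone, pointing
# every _acme-challenge name at a record inside the delegated zone.
CNAMES: Dict[str, str] = {
    "_acme-challenge.example.com.": "example.com.acme.example.com.",
    "_acme-challenge.www.example.com.": "www.example.com.acme.example.com.",
}


def normalize(name: str) -> str:
    """Lower-case and make fully qualified (single trailing dot)."""
    return name.strip().rstrip(".").lower() + "."


def follow_cnames(name: str, cnames: Dict[str, str], max_hops: int = 8) -> str:
    """Follow CNAMEs until a name with no CNAME is reached.

    Stops on a loop or an over-long chain; a resolver would do the same.
    """
    current = normalize(name)
    seen = set()
    while current in cnames:
        if current in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {current}")
        seen.add(current)
        current = normalize(cnames[current])
    return current


def find_zone_id(name: str, zones: Dict[str, str]) -> Optional[str]:
    """Longest-suffix match of a name against the known hosted zones."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):          # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return zones[candidate]
    return None


def naive_zone_for_validation(validation_name: str) -> Optional[str]:
    """Zone chosen from the validation name alone (the behaviour the
    thread describes): the CNAME is ignored, so this picks the zone that
    merely hosts the _acme-challenge label."""
    return find_zone_id(validation_name, HOSTED_ZONES)


def cname_aware_zone_for_validation(validation_name: str) -> Tuple[str, Optional[str]]:
    """Resolve the CNAME chain first, then pick the zone for the target.

    Returns (record name to write, zone ID holding it)."""
    target = follow_cnames(validation_name, CNAMES)
    return target, find_zone_id(target, HOSTED_ZONES)


def txt_change_batch(validation_name: str, digest: str) -> Tuple[Optional[str], dict]:
    """Build the Route53 ChangeResourceRecordSets body for the TXT record,
    addressed to the zone that really holds the CNAME target."""
    target, zone_id = cname_aware_zone_for_validation(validation_name)
    batch = {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": target, "Type": "TXT", "TTL": 60,
        "ResourceRecords": [{"Value": f'"{digest}"'}]}}]}
    return zone_id, batch


def scoped_iam_policy(zone_id: str) -> dict:
    """IAM policy allowing record changes only in the delegated zone.
    ListHostedZones and GetChange have no per-zone resource, so they stay '*'."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["route53:ListHostedZones", "route53:GetChange"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets"],
         "Resource": f"arn:aws:route53:::hostedzone/{zone_id}"},
    ]}


if __name__ == "__main__":
    name = "_acme-challenge.www.example.com"
    print("naive zone:      ", naive_zone_for_validation(name))
    print("CNAME-aware zone:", cname_aware_zone_for_validation(name))
    print(txt_change_batch(name, "constructed-digest"))
```

With the policy scoped to `ZDELEGATEDACME`, the naive lookup returns `ZPRIMARYEXAMPLE` and the change request is refused, which matches the "could not modify the hosted zone" failure reported above; resolving the CNAME first yields the delegated zone and the TXT record lands where the ACME server will look for it.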