Can I use "DNS alias mode" to issue a cert with caddy?

My main domain is, but I don`t want to configure API on it due to some security problems.
Can I use another domain with API configuration, and set a CNAME recode, just like IN CNAME to issue a cert with caddy?

Yep! This is called ACME challenge delegation. The DuckDNS plugin has built-in support for it:

Thanks for your sharing, but I found some compatibility problems between the DuckDNS plugin and zerossl, I will create a new topic to solve it.

For reference, said followup topic:

This topic was automatically closed after 30 days. New replies are no longer allowed.