[Feature] acme_server: Add ability to be an incoming `HTTP-01` to outgoing `DNS-01` proxy

I want to build an ACME proxy server that acts as a bridge between internal devices and a public Certificate Authority like Let’s Encrypt.

To the Internal Devices (Clients), the server will act as a standard ACME server. It will only accept HTTP-01 challenges from these devices because that is the only method they support.

I’d like authentication to be based not on the ACME account key, but on the remote device’s source IP address: the requested hostname must have that same IP in either its A or AAAA record, and the domain name must be allowed.

To Let’s Encrypt (or any upstream ACME CA), the server will act as a standard ACME client. It will take the certificate request from an authenticated internal device and obtain a certificate from Let’s Encrypt on its behalf using a DNS-01 challenge.

The proxy essentially decouples the two interactions: it “fakes” the HTTP-01 flow with the device to satisfy its requirements, while performing a real, valid DNS-01 flow with Let’s Encrypt to get the actual certificate using the CSR from the device given in the HTTP-01 flow.

P.S. If something that does this already exists, please do tell!

Same suggestion, different project, with more details. This has been tested and works!
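
The authorization rule described in the request (source IP must appear in the requested hostname's A/AAAA records, and the domain must be allowed) could be checked as below. This is an added example, not code from the thread or from any existing project; the allow-list suffix, the sample zone and all function names are assumptions made for illustration.

```python
from __future__ import annotations
import ipaddress
from typing import Callable, Iterable

# Hypothetical allow-list of parent domains the proxy may request certificates for.
ALLOWED_SUFFIXES = ("devices.example.internal",)
# Constructed DNS data standing in for a trusted resolver's A/AAAA answers.
SAMPLE_ZONE = {
    "cam1.devices.example.internal": ["192.0.2.10"],
    "nas.devices.example.internal": ["2001:db8::5", "192.0.2.20"],
}

def sample_resolve(name: str) -> Iterable[str]:
    return SAMPLE_ZONE.get(name.rstrip(".").lower(), [])

def normalize_ip(text: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so both forms compare equal."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def domain_allowed(name: str, suffixes=ALLOWED_SUFFIXES) -> bool:
    """Match on label boundaries only; refuse wildcards, which HTTP-01 cannot validate."""
    name = name.rstrip(".").lower()
    if not name or "*" in name:
        return False
    return any(name == s or name.endswith("." + s) for s in suffixes)

def authorize(source_ip: str, names: list[str],
              resolve: Callable[[str], Iterable[str]]) -> tuple[bool, str]:
    """source_ip is the TCP peer address, never a client-supplied header.
    Every name in the order (and every SAN in the CSR) must pass both checks."""
    if not names:
        return False, "no identifiers in order"
    client = normalize_ip(source_ip)
    for name in names:
        if not domain_allowed(name):
            return False, f"{name}: domain not allowed"
        try:
            records = {normalize_ip(a) for a in resolve(name)}
        except (OSError, ValueError):
            return False, f"{name}: lookup failed"  # fail closed
        if client not in records:
            return False, f"{name}: source IP not in A/AAAA"
    return True, "ok"
```

Because the source IP replaces the ACME account key as the credential, the check is only as strong as the resolver and the network path: it should run against a resolver the proxy trusts and again at finalization, against the names in the CSR.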