I want to use DNS-01 challenge and ACME CAA Account binding.
Because I do not want to push my DNS credentials into every host* that should get certs, there should be a handler for this.
Many people do a reverse proxy setup for everything then. That works, but I do not want the handler to handle web traffic itself.
Does such a handler exist? Can any of them be recommended?
* Because many DNS providers do not have a concept of restricted subaccounts. And running my own DNS for every context is too much overhead.
EDIT:
Re-explanation for clarity that is a reply to timelordx
No, that's not what I asked.
I do not care for a Caddy config here. I intentionally posted in General because it is not directly a Caddy thing. I know how DNS-01 settings work. But I do not want my webservers to be able to directly manipulate my >entire< DNS zone. But just a subset. With selfhosted DNS or a flexible DNS hoster, I can create tokens or webhooks that are scoped to just the domains I want to enable for a host. But on many providers I can only get API keys that can manipulate my entire Account.
I am looking for software that is not Caddy. That acts as a shim between Caddy and a DNS hoster, that I can entrust my API key for the whole DNS hoster account to, that will filter and authorize different Caddy instances according to tokens. That software is not intended to be a reverse proxy. But just an API shim.
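For reference, the core authorization rule such a shim would enforce, as an added example that is not code from any poster or from an existing project: each per-host token (constructed sample values below) may only write the TXT record at `_acme-challenge.<host>` for the hosts it is scoped to, and every other record name or type in the zone is refused before the account-wide provider key is ever used.

```python
import hmac
from dataclasses import dataclass

# Constructed sample scopes (hypothetical tokens): a token may touch the
# ACME challenge record for exactly these hostnames and nothing else.
# A wildcard *.example.com is validated at _acme-challenge.example.com,
# so the base name is the one to grant for a wildcard-only host.
TOKEN_SCOPES = {
    "token-for-web-1": {"foo.example.com", "bar.example.com"},
    "token-for-wildcard-host": {"example.com"},
}

@dataclass
class RecordChange:
    token: str   # per-host shim token presented by the Caddy instance
    name: str    # FQDN of the record the client wants to write
    rtype: str   # requested record type
    value: str   # challenge token value to publish

def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot means the same FQDN.
    return name.strip().rstrip(".").lower()

def authorize(change: RecordChange) -> tuple[bool, str]:
    """Return (allowed, reason). Only a TXT write to _acme-challenge.<host>
    for a host in the token's scope passes; everything else is refused."""
    scope = None
    for tok, hosts in TOKEN_SCOPES.items():
        # Constant-time comparison so token lookup does not leak by timing.
        if hmac.compare_digest(tok, change.token):
            scope = hosts
    if scope is None:
        return False, "unknown token"
    if change.rtype.upper() != "TXT":
        return False, "only TXT records may be written through the shim"
    name = _normalize(change.name)
    prefix = "_acme-challenge."
    if not name.startswith(prefix):
        return False, "record is not an ACME challenge label"
    host = name[len(prefix):]
    # Exact match only: sub.foo.example.com or foo.example.com.evil never
    # inherit a grant for foo.example.com.
    if host not in scope:
        return False, f"token not scoped for {host}"
    return True, "ok"
```

The same check applies on deletion, so a host can only clean up the challenge records it was allowed to create.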
I’m not sure I understand what exactly you’re asking. So, I’m just going to guess.
```
## Default wildcard virtual used solely to obtain the wildcard certificate
*.example.com {
	tls {
		## Your DNS-01 settings
	}
	## Full Lockdown – Do Not Serve Any Content
	abort
}

## The following virtuals serve the content,
## and they both are covered by the *.example.com certificate
foo.example.com {
	respond "Foo"
}

bar.example.com {
	respond "Bar"
}
```
Alternative solution: CNAME your _acme-challenge records into a different domain (e.g. a subdomain with separate name servers), and give Caddy API access to that domain only.