AutoSSL: DNS challenge validation
Let’s Encrypt allows for DNS challenge validation as an alternative to HTTP/S challenge validation.
The DNS method allows certificates to be properly issued and renewed even if the HTTP/S method fails due to redirections, custom rewrites, and other factors.
For this reason, we currently try (via a custom client) the DNS method first, and only switch to the HTTP/S method if the DNS method fails. We would like to switch from using a custom client to AutoSSL, but the latter only supports the HTTP method.
Once DNS challenge validation is implemented, we recommend offering the following options in WHM:
- Try DNS challenge first, then HTTP/S challenge
- Try HTTP/S challenge first, then DNS challenge
- Try DNS challenge only
- Try HTTP/S challenge only
This could be set on a server-wide, per-package, per-account, and per-domain basis.