Per certificate challenge selection

axelo

We have a specific use case where we would love to use a specific challenge for certain certificates. Since these are multidomain SAN certificates it's not feasible to list the domains in the challenge definition itself. We have a custom HTTP backend that can return the required responses but we'd need a way to pass the information from CertWarden to our backend. In theory we could do some proxying to the HTTP challenge provider but that would be significantly more complicated.

gregtwallace

I think I'd need to see a more concrete example of what you mean.

My first thought is you'd configure the "default" / "wildcard" provider (i.e., a single domain set to *) and that would handle everything that isn't already defined.

If you're trying to generate new certificates in CW on the fly, that would be different and isn't currently supported per se, but could be done with HTTP calls since the backend is just a REST API.

axelo

gregtwallace Hi Greg, we use DNS as a default for * domains and that works great but we have a couple of SAN certificates that contain hundreds of subdomains which we'd like to provide the response using HTTP instead of DNS (as DNS could be fairly tricky since these are CNAME records - unless the same response could apply for all CNs in the SAN).

gregtwallace

Could you flip to the opposite? That is, make * the http provider and then for the few domains you want for dns set those up separately?

If one of the DNS names was also in your large (hundred whatever SANs) certs, it would do the DNS validation for those couple of dns names and http for all of the rest.