Just a thought and pardon if I fall out the window on this...
What if the created ROS package for this did an inspection of the TLS SNI Domain Hint but only during the setup of a cert if using TLS-SNI mode?
This way it could capture the validation requests and respond appropriately, completing the setup for it.
I say during setup only as this would have obvious impacts to resources and services while it inspects.
If users are looking for this feature they might be willing to take that knock during the small setup window every 3 months per cert.
(if you don't want to, then don't install the package or set up any certs on it)
How I envisage the package options:
- Global settings for ACME protocol requirements (notification email address, etc...) or maybe allow this to also be set per cert (if anyone has the need for this?)
- allow for more than one cert (you might want different certs for different things)
- allow for multiple SANs per cert, where the first SAN in the list will be the name of the cert (the SNI domain hint inspection would look for all of these during that cert's setup/re-validation)
- allow for auto adding of Cloud DNS to a SAN (makes it easier to not fat finger it)
- allow for service(s) to be specified for use with that cert (hotspot, SSTP, OpenVPN, API-SSL, WWW-SSL, etc) further improving its automation ability
- Allow for different strength keys (more robustness and control)
Notes: why only SAN names... Common Name field removal is well underway (see more on this here: https://groups.google.com/a/chromium.or ... GT2fLJrAeo
However, if users want the CN, so be it; I have no objections to it.