Hi, I request Autocert support for issuing Let's Encrypt certificates using DNS verification, with enhancements to support usability in a frequent-renewal environment. Autocert can make use of existing LE implementation code.

There are two primary challenges of LE vs. Digicert: LE needs to be renewed and redeployed often, automatically; and, LE requires a TXT record to be set during the renewal process if http://hostname:80/.well-known/acme doesn't work (as it doesn't for internal DNS).

Assuming we convert all AWS and Heroku to their respective built-in free certificates, what we have left is primarily hosted in two places: on Zeus (external and internal certificates), and on fqdn:/etc/ssl/certs/fqdn.crt (internal certificates). Automatic deployment to Zeus is implemented for the former, but the latter needs more consideration and a plan.

So, I'd like Autocert to specifically support issuing valid LE certs using the DNS TXT record method. This would require an API call to Inventory/Infoblox to update a TXT record for LE verification. A cron would then eventually poll LE and get back the signed certificate rather than "TXT record not updated yet". Doing all of this permits us to create certificates for any hostname under any domain name we control, for external and internal use, in an automated and low-maintenance fashion, fully replacing Digicert (and a chunk of spend) with free (Mozilla-sponsored) Let's Encrypt.
Note that this will be a very popular feature for other departments within Mozilla. We may be asked to grant non-Webops access to Autocert when this becomes available, so that customers can auto-update their server's certificates using Autocert instead of running certbot+inventory+dns+etc locally.
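The DNS-01 sequence the request describes (set a TXT record, confirm it is published, then poll the ACME server until it reports the challenge valid) is shown below as an added example; it is not Autocert's code and not part of the request above. Record name and value follow RFC 8555 section 8.4 and the thumbprint follows RFC 7638. The JWK is constructed (not a real key), and the `add_txt`, `lookup` and `poll` callables are assumptions standing in for the Inventory/Infoblox API and the ACME server; the Infoblox API itself is not modelled.

```python
"""DNS-01 bookkeeping for an ACME (Let's Encrypt) client.

Added illustration; not Autocert's code. EXAMPLE_JWK is constructed and
the add_txt/lookup/poll callables are placeholders (assumptions) for the
Inventory/Infoblox API and the ACME server.
"""
import base64
import hashlib
import json
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed, not a real key: only the shape matters for the thumbprint.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "xx", "y": "yy", "kid": "ignored"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    lexicographically ordered, serialised with no whitespace. Optional
    members such as kid/alg must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """Return (record_name, txt_value) for a DNS-01 challenge.

    Key authorization is token.thumbprint; the TXT value is the base64url
    SHA-256 digest of it. A wildcard identifier validates at the base name,
    so '*.' is stripped: '*.x' and 'x' share one _acme-challenge record.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_auth = f"{token}.{thumbprint}"
    txt = b64url(hashlib.sha256(key_auth.encode("ascii")).digest())
    return f"_acme-challenge.{base}", txt


def record_published(lookup: Callable[[str], List[str]], name: str, txt: str) -> bool:
    """True once the expected value is among the TXT strings returned.
    Membership, not equality: concurrent orders for 'x' and '*.x' publish
    two values under the same name, so an update must add, not replace."""
    return txt in lookup(name)


def wait_for_challenge(poll: Callable[[], str], max_polls: int) -> Tuple[str, int]:
    """The 'cron polls LE' step. poll() returns the challenge status as the
    ACME server reports it (pending/processing/valid/invalid). Stops at the
    first terminal status or after max_polls, so an unpublished record
    cannot keep the job spinning forever."""
    for attempt in range(1, max_polls + 1):
        status = poll()
        if status in ("valid", "invalid"):
            return status, attempt
    return "timeout", max_polls


def scripted(statuses: Iterable[str]) -> Callable[[], str]:
    """Stand-in ACME server returning a fixed sequence of statuses."""
    it = iter(statuses)
    return lambda: next(it)


def run_dns01(identifier: str, token: str, jwk: dict,
              add_txt: Callable[[str, str], None],
              lookup: Callable[[str], List[str]],
              poll: Callable[[], str], max_polls: int = 20) -> Dict[str, object]:
    """Publish the TXT record, confirm it is visible, then poll until the
    challenge is terminal. poll is never called while the record is
    missing, so a slow DNS update becomes a retry on our side instead of a
    failed authorization recorded by the CA."""
    name, txt = dns01_record(identifier, token, jwk_thumbprint(jwk))
    add_txt(name, txt)
    if not record_published(lookup, name, txt):
        return {"record": name, "status": "not-published", "polls": 0}
    status, polls = wait_for_challenge(poll, max_polls)
    return {"record": name, "status": status, "polls": polls}


if __name__ == "__main__":
    zone: Dict[str, List[str]] = {}  # in-memory stand-in for the DNS zone
    result = run_dns01("*.internal.example", "tok", EXAMPLE_JWK,
                       lambda n, v: zone.setdefault(n, []).append(v),
                       lambda n: zone.get(n, []),
                       scripted(["pending", "pending", "valid"]))
    print(result, zone)
```

In a real job the `lookup` should query an authoritative server for the zone rather than a caching resolver, and the record should be removed after the order completes so the zone does not accumulate stale challenge values.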