tls/acme: Add support for DNS-01 domain delegation

See #588.

Author: foxcpp

docs/reference/tls-acme.md

@@ -20,7 +20,13 @@ smtp tcp://127.0.0.1:25 {
 You can also use a global `tls` directive to use automatically
 obtained certificates for all endpoints:
 ```
-tls &local_tls
+tls {
+    loader acme {
+        email [email protected]
+        agreed
+        challenge dns-01
+    }
+}
 ```
 
 Currently the only supported challenge is dns-01 one therefore
@@ -87,6 +93,15 @@ back to the one configured via 'ca' option.
 
 This avoids rate limit issues with production CA.
 
+**Syntax:** override\_domain _domain_ <br>
+**Default:** not set
+
+Override the domain to set the TXT record on for DNS-01 challenge.
+This is to delegate the challenge to a different domain.
+
+See https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
+for explanation why this might be useful.
+
 **Syntax:** email _str_ <br>
 **Default:** not set
 

internal/tls/acme/acme.go

@@ -39,15 +39,16 @@ func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
 
 func (l *Loader) Init(cfg *config.Map) error {
 	var (
-		hostname   string
-		extraNames []string
-		storePath  string
-		caPath     string
-		testCAPath string
-		email      string
-		agreed     bool
-		challenge  string
-		provider   certmagic.ACMEDNSProvider
+		hostname       string
+		extraNames     []string
+		storePath      string
+		caPath         string
+		testCAPath     string
+		email          string
+		agreed         bool
+		challenge      string
+		overrideDomain string
+		provider       certmagic.ACMEDNSProvider
 	)
 	cfg.Bool("debug", true, false, &l.log.Debug)
 	cfg.String("hostname", true, true, "", &hostname)
@@ -60,6 +61,8 @@ func (l *Loader) Init(cfg *config.Map) error {
 		certmagic.LetsEncryptStagingCA, &testCAPath)
 	cfg.String("email", false, false,
 		"", &email)
+	cfg.String("override_domain", false, false,
+		"", &overrideDomain)
 	cfg.Bool("agreed", false, false, &agreed)
 	cfg.Enum("challenge", false, true,
 		[]string{"dns-01"}, "dns-01", &challenge)
@@ -107,7 +110,8 @@ func (l *Loader) Init(cfg *config.Map) error {
 			return fmt.Errorf("tls.loader.acme: dns-01 challenge requires a configured DNS provider")
 		}
 		mngr.DNS01Solver = &certmagic.DNS01Solver{
-			DNSProvider: provider,
+			DNSProvider:    provider,
+			OverrideDomain: overrideDomain,
 		}
 	default:
 		return fmt.Errorf("tls.loader.acme: challenge not supported")