diff --git a/docs/reference/tls-acme.md b/docs/reference/tls-acme.md
index 891795ec..3dc803a5 100644
--- a/docs/reference/tls-acme.md
+++ b/docs/reference/tls-acme.md
@@ -20,7 +20,13 @@ smtp tcp://127.0.0.1:25 {
You can also use a global `tls` directive to use automatically
obtained certificates for all endpoints:
```
-tls &local_tls
+tls {
+ loader acme {
+ email maddy-acme@example.org
+ agreed
+ challenge dns-01
+ }
+}
```
Currently the only supported challenge is dns-01 one therefore
@@ -87,6 +93,15 @@ back to the one configured via 'ca' option.
This avoids rate limit issues with production CA.
+**Syntax:** override\_domain _domain_
+**Default:** not set
+
+Override the domain to set the TXT record on for DNS-01 challenge.
+This is to delegate the challenge to a different domain.
+
+See https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation
+for explanation why this might be useful.
+
**Syntax:** email _str_
**Default:** not set
diff --git a/internal/tls/acme/acme.go b/internal/tls/acme/acme.go
index 96c4a0f7..70eb05b8 100644
--- a/internal/tls/acme/acme.go
+++ b/internal/tls/acme/acme.go
@@ -39,15 +39,16 @@ func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
func (l *Loader) Init(cfg *config.Map) error {
var (
- hostname string
- extraNames []string
- storePath string
- caPath string
- testCAPath string
- email string
- agreed bool
- challenge string
- provider certmagic.ACMEDNSProvider
+ hostname string
+ extraNames []string
+ storePath string
+ caPath string
+ testCAPath string
+ email string
+ agreed bool
+ challenge string
+ overrideDomain string
+ provider certmagic.ACMEDNSProvider
)
cfg.Bool("debug", true, false, &l.log.Debug)
cfg.String("hostname", true, true, "", &hostname)
@@ -60,6 +61,8 @@ func (l *Loader) Init(cfg *config.Map) error {
certmagic.LetsEncryptStagingCA, &testCAPath)
cfg.String("email", false, false,
"", &email)
+ cfg.String("override_domain", false, false,
+ "", &overrideDomain)
cfg.Bool("agreed", false, false, &agreed)
cfg.Enum("challenge", false, true,
[]string{"dns-01"}, "dns-01", &challenge)
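Review bot: The new `override_domain` value is read here and handed to certmagic verbatim in the later hunk (`OverrideDomain: overrideDomain`), with no check that it is non-empty-only-when-meaningful or that it is a plain domain name; the `challenge` enum on the line above permits only "dns-01" today, so the value is always used, but if a second challenge type is added the option would be silently ignored in the `default:` branch. A guard such as `if overrideDomain != "" && challenge != "dns-01" { return fmt.Errorf("tls.loader.acme: override_domain is only used with the dns-01 challenge") }` placed after the `switch` is selected would make that configuration error visible at load time rather than at issuance. Whether certmagic normalizes a trailing dot or surrounding whitespace in this field is not visible here; if it does not, trimming the value before the assignment would avoid a TXT record being set on a differently-spelled name. A short comment on the option, `// override_domain delegates the _acme-challenge TXT record to another zone; see docs/reference/tls-acme.md.`, would also help, since the field name alone does not say which side of the delegation it names. Init's body continues outside this hunk.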
@@ -107,7 +110,8 @@ func (l *Loader) Init(cfg *config.Map) error {
return fmt.Errorf("tls.loader.acme: dns-01 challenge requires a configured DNS provider")
}
mngr.DNS01Solver = &certmagic.DNS01Solver{
- DNSProvider: provider,
+ DNSProvider: provider,
+ OverrideDomain: overrideDomain,
}
default:
return fmt.Errorf("tls.loader.acme: challenge not supported")