alt Hacker NewsIt is my understanding that DNS challenges are discouraged and/or being deprecated due to the challenge results being less trustworthy than more stringent verification methods. There is also the operational overhead that arises as SSL certificate lifetimes shorten; It is my understanding that there is now a case being made for SSL certificate lifetimes shorter than 24 hours.
I don’t know about the DNS challenge being discouraged, do you have something to read up on that? As far as I know it’s the only common way to get a wildcard cert.
And also the lifetime isn’t a problem in the setup I described, the internal server that uses the cert can do the dns challenge so it can get a new cert whenever it wants. It only needs to be able to access the DNS api.