I run acme.sh in a FreeBSD jail (acme-client). It writes files that are picked up by another jail (acme-dns) that runs nsd. This jail is NOT one of my main authoritative name servers. It only runs _acme.mydomain.tld containing records like:
_acme-challenge.test IN TXT XXXXXXXXXXXXXXX
_acme-challenge.test NS acme-dns.mydomain.tld.
All this gets me the following benefits:
a) Everything runs restricted by jails that only run for about 10 seconds when issuing or renewing certificates.
b) No need for the service to be publicly accessible. (no issues with firewalls, no need for public IPs)
c) No need for the service to be some kind of web-server (think smtp, imap, irc, xmpp, etc.)
d) The service does not need a public "A" record.
e) No risk of me or the script messing up any live/production configuration.
f) The only thing that needs to accept inbound connections is the "acme-dns" jail on port 53 for about 10 seconds when it is running.
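As an added example (not the poster's own files or scripts), the shell functions below generate the three pieces of DNS data this layout needs: the challenge zone that the acme-dns jail serves, the NS delegation plus glue that the parent zone needs, and a CNAME that points a production name's `_acme-challenge` label into the challenge zone. Zone names, the nameserver host, the IP 192.0.2.53 and the tokens are constructed placeholders; the poster's exact record layout may differ from this one.

```bash
#!/bin/sh
# Added example, not from the original post. Builds an NSD-style zone file for
# a dedicated ACME challenge zone (e.g. _acme.mydomain.tld). All names, the
# nameserver IP and the challenge tokens below are constructed placeholders.
set -eu

# gen_acme_zone ZONE NSHOST SERIAL < tokens
#   stdin : lines of "<label> <token>", one per pending challenge
#   stdout: a complete zone file with one TXT record per challenge
gen_acme_zone() {
    zone=$1; nshost=$2; serial=$3
    printf '$ORIGIN %s.\n$TTL 60\n' "$zone"
    # short refresh/expire values: the zone only exists for the validation window
    printf '@ IN SOA %s. hostmaster.%s. %s 3600 900 604800 60\n' "$nshost" "$zone" "$serial"
    printf '@ IN NS %s.\n' "$nshost"
    while read -r label token; do
        [ -n "$label" ] || continue
        printf '_acme-challenge.%s IN TXT "%s"\n' "$label" "$token"
    done
}

# parent_delegation ZONE NSHOST NSIP
#   prints the records the parent zone (mydomain.tld) needs so resolvers can
#   find the challenge zone: the NS delegation and a glue A record for it
parent_delegation() {
    printf '%s. IN NS %s.\n' "$1" "$2"
    printf '%s. IN A %s\n' "$2" "$3"
}

# cname_for_service LABEL ZONE PARENT
#   prints the CNAME placed once in the production zone so that
#   _acme-challenge.<label>.<parent> resolves into the challenge zone; the
#   production zone never needs to change again for renewals
cname_for_service() {
    printf '_acme-challenge.%s.%s. IN CNAME _acme-challenge.%s.%s.\n' "$1" "$3" "$1" "$2"
}

# constructed sample input: two services awaiting validation
TOKENS='test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mail BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$TOKENS" | gen_acme_zone _acme.mydomain.tld acme-dns.mydomain.tld 2024010101
    parent_delegation _acme.mydomain.tld acme-dns.mydomain.tld 192.0.2.53
    cname_for_service test _acme.mydomain.tld mydomain.tld
fi
```

Run with `sh script.sh demo` to print all three fragments; only the first (the challenge zone) changes per issuance, so it is the only file the acme-client jail has to hand to the acme-dns jail, and the production zones stay untouched, which is the point of benefit e) above.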
There are still some things I need to find a good solution for. Like easier distribution of certs, keys, etc.
I also want to generate the private keys elsewhere and only give the CSRs to the acme-client jail. (If this is possible with ACME. I think it is.)
This setup is not yet complete and I am still experimenting, but it seems to work well.
BTW: Remember to use letsencrypt-staging for testing.
Also, have a look at:
It was this that inspired me in the first place. I just added the separate subdomain and separate nameserver concept.