Hacker News new | past | comments | ask | show | jobs | submit login

Instead of fetching the secret via a direct HTTP call, the secret is fetched from the DNS server (eg. _acme-challenge.example.com.) - where the DNS server is usually separate from the server getting the cert. This can be done with ACMEv1 for certs, and now is required for the new wildcard certs.

Most clients that support DNS-01 can use nsupdate or APIs of public DNS providers to make this an automated process.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact