Can DNS be used alongside ALPN?

[anderspitman]

What is your question?

In the docs for the DNS challenge, it says enabling DNS disables the other challenges. I have an interactive application that needs to get certs in real time. The on-demand functionality is currently working pretty well for that. However, it's still relatively slow when getting certs for new subdomains compared to a wildcard cert which can handle any number of new subdomains instantly. That's also better for privacy since specific subdomains aren't going into the transparency logs.

So I want to switch to DNS. However, I'm concerned that the propagation delay might cause some ACME requests to fail. What I'd really like is to attempt DNS, then if it fails switch to on-demand for that specific subdomain, and continue trying DNS in the background until it's successful, then switch off on-demand.

Is there currently a way to do this? If not, would I be able to accomplish it in my code?

[mholt]

You could probably do this yourself, but it's very odd indeed. You'd probably have to fiddle with a config/setup that works, unfortunately I don't have the time for that right now. What would you do if you get a cert for a subdomain -- just stop trying to get a wildcard cert?

Can you elaborate more on this:

However, it's still relatively slow when getting certs for new subdomains

[anderspitman]

What would you do if you get a cert for a subdomain -- just stop trying to get a wildcard cert?
No, I'd want to switch to using the wildcard cert ideally.

Can you elaborate more on this:

However, it's still relatively slow when getting certs for new subdomains

Some more context might clarify things a bit. I'm building a tunnel service, a la ngrok or Cloudflare Tunnel. This is something of an ongoing interest of mine0. My service will hand out subdomains on wg8.org, so for example I could claim anders.wg8.org.

Once that control has been delegated, I'll want to manage the certs myself on the client side in order to get e2ee. I'll also want to run a number of apps, such as jellyfin.anders.wg8.org, nextcloud.anders.wg8.org, etc. When using on-demand certs, the first visit to each domain takes about 2-5 seconds before the cert is acquired. If I used dns-01 immediately after gaining control of anders.wg8.org, those would all be instantaneous. I could also use ManageAsync after the user sets up the subdomain for a given app, but typically the first thing they want to do is immediately open/be redirected to the app so that might not improve things much.

There are also rate limiting concerns here. I'm planning to get wg8.org added to the public suffix list, but until that's done I'm concerned we'll be hitting Let's Encrypt rate limits much sooner.

[mholt]

So to make sure I understand, the primary concern is that your first connection is going to take a couple of seconds?

(Sorry for the late reply. Busy times!)

[anderspitman]

No worries! I would say concern is equality distributed between the couple seconds it takes, but also that the time it takes is fairly variable. Sometimes Let's Encrypt is slow.

[mholt]

@anderspitman Instead of PSL, have you considered filing a rate limit exemption request with Let's Encrypt? They have a form for use cases like yours.