From 89c1db58f9c5f4db177c11d3457c13c752bf73f0 Mon Sep 17 00:00:00 2001
From: Marcel Waldvogel
Date: Wed, 19 Jul 2017 17:40:37 +0200
Subject: [PATCH] Support CNAME certificate creation delegation
---
 dnsapi/README.md | 28 ++++++++++++++++++++++++++++
 dnsapi/dns_nsupdate.sh | 9 +++++----
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/dnsapi/README.md b/dnsapi/README.md
index a74e0404..8547682a 100644
--- a/dnsapi/README.md
+++ b/dnsapi/README.md
@@ -154,6 +154,34 @@ acme.sh --issue --dns dns_nsupdate -d example.com -d www.example.com
 The `NSUPDATE_SERVER` and `NSUPDATE_KEY` settings will be saved in
 `~/.acme.sh/account.conf` and will be reused when needed.
+### 7a. Create a delegated certificate with `dns_nsupdate`
+
+If the certificate requestor does not have real-time write access to the
+domain name the certificate is for (`example.com` and `www.example.com`),
+but to another domain (`example.net`), it is possible to delegate the
+certificate request rights ahead of time by creating a as follows:
+
+```DNS Zone
+_acme-challenge.example.com. 60 CNAME _acme-challenge.example.org.rq.example.net.
+_acme-challenge.www.example.com. 60 CNAME _acme-challenge.www.example.org.rq.example.net.
+```
+
+1. The TTL of 60 seconds is a courtesy to the caching domain name servers
+ so that they can free the space in their caches quickly.
+1. The choice of `rq.example.net` as the subdomain is arbitrary; anything
+ below `example.net` (including `example.net` itself) is fine.
+
+To issue the certificate with write access to `rq.example.net`, use
+
+```sh
+env NSUPDATE_SUFFIX=.rq.example.net \
+ acme.sh --issue --dns dns_nsupdate -d example.com -d www.example.com
+```
+
+(The value of `NSUPDATE_SUFFIX` is stored in the per-domain settings,
+for reuse in renewals. Unlike `NSUPDATE_SERVER` and `NSUPDATE_KEY`,
+this is not a global setting, as it is useful for delegated domains only.)
+
 ## 8. Use LuaDNS domain API
diff --git a/dnsapi/dns_nsupdate.sh b/dnsapi/dns_nsupdate.sh
index 4dcbcded..f77a4fd1 100755
--- a/dnsapi/dns_nsupdate.sh
+++ b/dnsapi/dns_nsupdate.sh
@@ -10,10 +10,11 @@ dns_nsupdate_add() {
 # save the dns server and key to the account conf file.
 _saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
 _saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
- _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
+ _savedomainconf NSUPDATE_SUFFIX "${NSUPDATE_SUFFIX}"
+ _info "adding ${fulldomain}${NSUPDATE_SUFFIX}. 60 in txt \"${txtvalue}\""
 nsupdate -k "${NSUPDATE_KEY}" <