What should be the minimum token settings for the dns-01 challenge?

Would like to have TLS LE wildcard certificates.

This is done with the dns-01 challenge.

So the process needs to create and destroy the TXT record with the token.

From these options I do not know what is the minimum I need to allow for dns-01 to work?

The wording is a bit ambiguous - but so far I expect that create and delete should do it? As both actions are needed for the challenge.

If the rest is unchanged, will it give me a token with no expiration?

(The challenge does work with create/delete.)

“Create domains” and “delete domains” refer to adding new domains to your account and removing them. In order to add and remove records for existing domains the token does not need these permissions.

If you want to further limit what your token can do (i.e. which record types, subnames and domains it can manage), you can use deSEC’s fine-grained token policies. As far as I know the web UI can not yet display or manage them, so you’d need to use a different client.

Your assumption about not setting expiration values is correct. Your token will stay valid until you manually remove it from your account.

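As an added example (not from this thread and not deSEC's own tooling), here is the scoped-token setup described in the answer above, expressed as deSEC API calls in Python: a default policy that denies writes, plus one policy that allows writing only the _acme-challenge TXT record. The endpoint path and field names (domain, subname, type, perm_write) follow the deSEC token-policy documentation as I understand it; example.com, the token id and the admin token are placeholders.

```python
import json
import urllib.request

API = "https://desec.io/api/v1"  # deSEC API base URL


def acme_policy_plan(domain: str, subname: str = "_acme-challenge") -> list:
    """Ordered RRset-policy bodies for a token that may only touch the
    dns-01 TXT record.

    deSEC requires the default policy (all selectors null) to exist before
    any specific policy, so it is listed first and set to deny writes.
    The second policy grants writes to exactly one RRset, <subname>.<domain>
    TXT. Wildcard (*.example.com) and apex certificates are both validated
    at _acme-challenge.<domain>, so a single RRset is enough."""
    return [
        {"domain": None, "subname": None, "type": None, "perm_write": False},
        {"domain": domain, "subname": subname, "type": "TXT", "perm_write": True},
    ]


def apply_policies(admin_token: str, token_id: str, policies: list) -> list:
    """POST each policy to /auth/tokens/{token_id}/policies/rrsets/ in order.

    admin_token must be a token with perm_manage_tokens (policies cannot be
    edited with the ACME token itself). Returns the decoded responses."""
    url = f"{API}/auth/tokens/{token_id}/policies/rrsets/"
    results = []
    for body in policies:
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode(),
            headers={
                "Authorization": f"Token {admin_token}",
                "Content-Type": "application/json",
            },
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:  # network call, not run in tests
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    # Placeholders (constructed): replace with your own values before running.
    plan = acme_policy_plan("example.com")
    print(json.dumps(plan, indent=2))
    # apply_policies("ADMIN_TOKEN_PLACEHOLDER", "TOKEN_ID_PLACEHOLDER", plan)
```

Leave the "create domains" and "delete domains" boxes unchecked in the web UI as well; the policies above only restrict record writes, they do not replace that step.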

Right, so removing the create/delete domain options in the web client will retain the key's ability to deal with the challenge?

Like this:

Is there a client that can be recommended for API access so I can set up a more scoped policy?

Yes, exactly.

I use this one:

It does support token policies but it’s a CLI tool that won’t hold your hand and assumes some familiarity with the API. Token policies are not the most intuitive feature of deSEC, unfortunately.

Try it out to see if it works for you.

Not sure if there are other clients that support token policies. You could check the ones linked here (I don’t have personal experience with any of them):
