Andrew Meyer

The acme-dns credentials don't need to be secret though, right? You're only allowing access to the API through localhost, so couldn't those credentials be part of the bootstrap data?

Yeah, it's a somewhat awkward solution but it should work. A config option in acme-dns to disable authentication might be cleaner.

You mean you hit Let's Encrypt's Failed Validation limit while using the autocert feature via the `tls = "letsencrypt"` config option? I like the idea of a config option, but...

Not sure if this counts as a separate client or not, but pfSense supports it via the ACME plugin's integration with ACME.sh: 

I disagree that this is security by obscurity. A sufficiently long random token in a URL path is comparably secure to a bearer token in a request header. [[1](https://security.stackexchange.com/q/118975/29865)][[2](https://security.stackexchange.com/q/89108/29865)] That...

FYI, this PR should also include changes to `docker-compose.yml` (at a minimum I believe the port mappings need to be updated).

Also, this fixes #79

Regarding communication, normally I'd suggest a major version bump as a way of denoting that the changes could break stuff. In this case though it doesn't seem like there are...

Pretty sure you _can_ use it in production, but if you do you're technically giving the owner of that domain the ability to issue certs for your website. This is...

Let's Encrypt is just a CA. They don't develop ACME clients or run servers for third-party tools. I don't know who runs auth.acme-dns.io. Probably @joohoi, I assume.