Hi,
I have a use case where I had an administrator AWS account and several developer accounts.
For security purposes, I can't allow developers to access the administrator account.
I also had a Hosted Zone in the administrator account (main domain), and subdomains were hosted in each developer account.
When I used acmesmith to request an RRset change, I got an error like:
{"type"=>"urn:ietf:params:acme:error:dns", "detail"=>"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.develop.example.com - check that a DNS record exists for this domain", "status"=>400}
Anyway, I figured out what happened.
The SOA record is hosted in the developer account's Hosted Zone (develop.example.com).
But I used the administrator account's credentials to access AWS.
So acmesmith can't upsert an RRset for the developer account's Hosted Zone (develop.example.com).
P.S. I have several developer accounts, but a unified SSL certificate request platform (based on the acmesmith lib).
So I modified some code and created a PR.
It worked pretty well in my case.
Thank you very much for acmesmith.