
A Smarter ACME Challenge for a Multi-CDN World

Shiloh Heurich

Staff Security Engineer, Fastly

At Fastly, we're obsessed with security and performance. That's why we're excited to announce that Certainly, our cutting-edge Certification Authority (CA), now supports the dns-account-01 ACME challenge type. This new challenge type, which we've implemented in the open-source Boulder software we run, is a game-changer for anyone using multiple CAs with a multi-CDN setup. It eliminates the frustrating _acme-challenge label collisions that many of our customers have experienced.

The Problem with dns-01

The dns-01 challenge is a popular method for proving control over a domain name to obtain a TLS certificate. The process is simple: a CA provides a unique token, and you place that token in a DNS TXT record at _acme-challenge.yourdomain.com. When the CA sees the correct token, it issues the certificate.

While the process is simple, it must be automated to handle frequent certificate renewals. The standard way to automate dns-01 is to delegate control of the _acme-challenge subdomain to your provider using a CNAME record. For example, you would point _acme-challenge.yourdomain.com to a validation domain managed by your provider. They can then create and remove the necessary TXT records on your behalf.

Here’s the problem: a DNS name can only point to a single CNAME target. If you use two different providers that both need to automate dns-01 validation, you can't delegate _acme-challenge.yourdomain.com to both of them. You are forced to choose one, which breaks seamless, automated certificate management across multiple platforms.

Introducing dns-account-01

The dns-account-01 challenge is a new ACME challenge type that solves this problem. It was designed specifically for multi-CDN and multi-cloud environments, where multiple independent systems need to obtain certificates for the same domain name.

The key innovation of dns-account-01 is that it uses a unique label for each ACME account. Instead of creating a TXT record at _acme-challenge.yourdomain.com, you'll create it at a location that looks like this:

_<unique-id>._acme-challenge.yourdomain.com

This <unique-id> is derived from the ACME account URL. Since the ACME account is unique for each CA you use, this identifier provides a distinct validation path for every provider. This means each CA has its own dedicated place to look for the validation TXT record, so there are no more collisions.
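The following is an added example, not code from the post or from Certainly/Boulder, showing how the per-account label and the resulting CNAME delegation record are built for two constructed account URLs. The derivation (first 10 bytes of SHA-256 over the account URL, lowercase base32) follows the IETF dns-account-label draft; the post only says the label is "derived from the account URL", so treat that detail as an assumption about the specification, and the account URLs and provider zone as placeholders.

```python
import base64
import hashlib

# Constructed placeholder account URLs: one per CA, as ACME accounts are
# unique per CA. Real URLs come from each CA's newAccount response.
ACCOUNT_URLS = {
    "certainly": "https://acme.ca-one.example/acme/acct/1234567",
    "other-ca": "https://acme.ca-two.example/acme/acct/1234567",
}


def account_label(account_url: str) -> str:
    """Per-account label (assumed per the IETF draft): '_' followed by the
    lowercase base32 encoding of the first 10 bytes of SHA-256(account URL).
    10 bytes are exactly 80 bits, so the encoding is 16 chars with no '=' pad."""
    digest = hashlib.sha256(account_url.encode("utf-8")).digest()[:10]
    return "_" + base64.b32encode(digest).decode("ascii").lower()


def validation_name(account_url: str, domain: str) -> str:
    """Owner name of the TXT record the CA behind account_url will query."""
    return f"{account_label(account_url)}._acme-challenge.{domain.rstrip('.')}"


def delegation_cname(account_url: str, domain: str, provider_zone: str) -> str:
    """One-time CNAME handing only this account's challenge name to a
    provider-managed zone (placeholder layout: <label>.<domain>.<zone>).
    _acme-challenge.<domain> itself stays free for other providers."""
    label = account_label(account_url)
    owner = validation_name(account_url, domain)
    target = f"{label}.{domain.rstrip('.')}.{provider_zone.rstrip('.')}"
    return f"{owner}. 300 IN CNAME {target}."


def challenge_names(account_urls: dict, domain: str) -> dict:
    """Map each CA to its dedicated validation name; with dns-01 every entry
    would be the same _acme-challenge.<domain> and only one CNAME could win."""
    return {ca: validation_name(url, domain) for ca, url in account_urls.items()}


if __name__ == "__main__":
    for ca, name in challenge_names(ACCOUNT_URLS, "yourdomain.com").items():
        print(f"{ca:10} -> {name}")
    print(delegation_cname(ACCOUNT_URLS["certainly"], "yourdomain.com",
                           "acme-validation.provider.example"))
```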

This small change is a big deal for automation. By giving each provider a unique, stable place to perform validation, dns-account-01 removes the manual workarounds and compromises that multi-provider setups otherwise require. This makes certificate management an automated, background process once again, allowing different systems to manage certificates for the same domain without interfering with one another.

Why This Matters for Fastly Customers

At Fastly, we're committed to providing our customers with the most secure, reliable, and developer-friendly certificate issuance service on the market. With Fastly TLS, we manage the entire lifecycle of your certificates, from procurement to renewal. By implementing dns-account-01, we're making our managed TLS offering even more robust and seamless.

Here are some of the benefits for our customers:

  • Seamless multi-CA support: Use Certainly alongside any other ACME certificate authority without conflicts. The Fastly TLS platform manages all underlying processes, and this challenge type is compatible even when other CAs are limited to the traditional dns-01 challenge.

  • Improved reliability: Easily implement a multi-CA strategy by using Certainly alongside another CA as a fully automated backup. This provides redundancy, ensuring you can always issue certificates even if one provider has an outage.

  • Greater flexibility: dns-account-01 gives you more flexibility in how you manage your certificates and your infrastructure, without adding any operational overhead for your team.

Get Started Today

To enable this powerful new feature, please contact our support team to have it activated for your account. Once enabled, all Certainly certificates on your account will use the dns-account-01 challenge type for validation. You will need to make a one-time change to your DNS configuration. Our support team will provide the necessary details for you to add a new CNAME record that delegates the unique challenge subdomain to Fastly.

This is an account-wide setting for now, but we will be adding support to enable this on a per-domain basis in the near future. This simple setup unlocks seamless, collision-free certificate management in even the most complex multi-CDN environments.

If you're new to Fastly and you’d like to learn more about how dns-account-01 can simplify certificate management in your multi-CDN setup, we’d love to hear from you. Contact our team of experts to get started.

We're excited to see how our customers will use this new feature to build more resilient and secure applications. As always, we welcome your feedback and suggestions.