mirror of
https://github.com/Infisical/infisical.git
synced 2026-01-09 15:38:03 -05:00
Merge pull request #5031 from Infisical/PKI-80-add-acme-skip-dns-validation-option-doc
docs: add acme skip dns validation option doc
@@ -26,6 +26,17 @@ In the following steps, we explore how to issue a X.509 certificate using the AC
|
||||
|
||||

|
||||
|
||||
<Note>
|
||||
|
||||
By default, when the ACME client requests a certificate against the certificate profile for a particular domain, Infisical will verify domain ownership using the [HTTP-01 challenge](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) method prior to issuing a certificate back to the client.
|
||||
|
||||
If you want Infisical to skip domain ownership validation entirely, you can enable the **Skip DNS Ownership Validation** checkbox.
|
||||
|
||||
Note that skipping domain ownership validation for the ACME enrollment method is **not the same** as skipping validation for an [External ACME CA integration](/documentation/platform/pki/ca/acme-ca).
|
||||
|
||||
When using the ACME enrollment, the domain ownership check occurring between the ACME client and Infisical can be skipped. In contrast, External ACME CA integrations always require domain ownership validation, as Infisical must complete a DNS-01 challenge with the upstream ACME-compatible CA.
|
||||
</Note>
|
||||
|
||||
</Step>
|
||||
<Step title="Obtain the ACME configuration">
|
||||
Once you've created the certificate profile, you can obtain its ACME configuration details by clicking the **Reveal ACME EAB** option on the profile.
|
||||
|
||||
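Review bot: In the added `<Note>`, the checkbox is named **Skip DNS Ownership Validation**, yet the check it turns off is described two sentences earlier as the HTTP-01 challenge, so a reader can take "DNS" to mean the DNS-01 challenge. Say in the sentence that introduces the checkbox that it refers to domain ownership validation in general, whatever the challenge type. The note also stops short of the consequence of skipping "entirely": with the check off, nothing in the ACME exchange proves that the client controls the requested domain, so possession of the profile's EAB credentials is what gates issuance. Add a sentence stating that, and when enabling the option is appropriate.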
@@ -139,7 +139,7 @@ The following steps show how to install cert-manager (using `kubectl`) and obtai
|
||||
```
|
||||
|
||||
<Note>
|
||||
- Currently, the Infisical ACME server only supports the HTTP-01 challenge and requires successful challenge completion before issuing certificates. Support for optional challenges and DNS-01 is planned for a future release.
|
||||
- Currently, the [ACME enrollment method](/documentation/platform/pki/enrollment-methods/acme) only supports the [HTTP-01 challenge](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) method. Support for the [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method is planned for a future release. If domain ownership validation is not desired, you can disable it by enabling the **Skip DNS ownership validation** option in your ACME certificate profile configuration.
|
||||
- An `Issuer` is namespace-scoped. Certificates can only be issued using an `Issuer` that exists in the same namespace as the `Certificate` resource.
|
||||
- If you need to issue certificates across multiple namespaces with a single resource, create a `ClusterIssuer` instead. The configuration is identical except `kind: ClusterIssuer` and no `metadata.namespace`.
|
||||
- More details: https://cert-manager.io/docs/configuration/acme/
|
||||
|
||||
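Review bot: The first bullet of this `<Note>` writes the option as **Skip DNS ownership validation**, while the enrollment-method page changed in the same commit writes it as **Skip DNS Ownership Validation**; use one casing, matching the UI label. The reworded bullet also drops the earlier statement that the server "requires successful challenge completion before issuing certificates", so cert-manager users no longer see that validation is on by default; keep that clause and then mention the opt-out. "you can disable it by enabling" reads awkwardly; something like "To skip domain ownership validation, enable the ... option" is clearer.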
Binary file not shown.
|
Before Width: | Height: | Size: 313 KiB After Width: | Height: | Size: 154 KiB |