
Add DNS-01 challenge for ACME
Open, Wishlist, Public, FEATURE REQUEST

Description

Using the ACME HTTP-01 challenge exposes the VyOS device; DNS-01 can alleviate this by setting temporary TXT records on the registrar side.
https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

Some registrars even provide APIs and ACME plugins for the DNS-01 challenge (like Azure, Cloudflare, OVH...).
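For reference, this is what the DNS-01 response actually consists of (RFC 8555 section 8.4): the client publishes a TXT record at _acme-challenge.<domain> whose value is base64url(SHA-256(keyAuthorization)), where keyAuthorization is the CA-issued token joined with a "." to the RFC 7638 thumbprint of the ACME account key. The Python below is an added illustration and is not VyOS, certbot, acme.sh or lego code; the account key, token and TXT record set are constructed samples. It also shows the contrast with HTTP-01, which must serve the key authorization itself from a listener on the host.

```python
"""DNS-01 challenge response computation (RFC 8555 section 8.4, RFC 7638).

Added example, not VyOS or ACME-client code. The key, token and record set
below are constructed samples; a real client gets the token from the CA
and uses its own account key.
"""
import base64
import hashlib
import json

# Constructed sample ACME account public key (RFC 7517 JWK format).
# "alg" and "kid" are deliberately present: they must NOT enter the thumbprint.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aP"
         "FFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93l"
         "qt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu"
         "6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksIN"
         "HaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "alg": "RS256",
    "kid": "2011-04-29",
}
# Constructed sample challenge token (the CA issues a fresh one per challenge).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public
    members only (sorted keys, no whitespace). Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(Thumbprint(accountKey)).
    HTTP-01 serves exactly this string at /.well-known/acme-challenge/<token>,
    which is why that challenge needs a reachable listener on the device."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) to publish for DNS-01.

    Only the SHA-256 digest of the key authorization goes into DNS, and a
    wildcard name "*.example.com" is validated at _acme-challenge.example.com.
    """
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    name = "_acme-challenge." + domain.lstrip("*.").rstrip(".")
    return name, b64url(digest)


def validate_dns01(txt_records: list[str], expected_value: str) -> bool:
    """The CA-side check after the record has propagated: any TXT record at
    the challenge name matching the expected digest satisfies the challenge."""
    return any(record == expected_value for record in txt_records)


if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"publish TXT {name} -> {value}")
    # Constructed zone contents: an unrelated TXT record plus the challenge.
    print("validated:", validate_dns01(["v=spf1 -all", value], value))
```

The practical consequence for a router is the last two functions: with DNS-01 the only thing the validator touches is the public DNS zone, so the device need not accept inbound connections on port 80 at all, and the record can be removed once the order is finalized.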

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Wishlist priority.Dec 8 2024, 8:54 AM

A key decision in implementing this DNS-01 ACME authentication feature is whether or not to change the upstream tool used to obtain Let's Encrypt certificates (currently certbot).

The common upstream options available:

  1. certbot - currently used in VyOS, the main tool in the stable Debian repositories, written in Python, with additional packages needed for DNS-01 authentication to DNS providers: 10 available in the Debian repositories, and a total of 29 third-party packages for additional DNS authentication (packages not available in the Debian repos)
  2. acme.sh - not available in the Debian repositories, but it is a shell script with the ability to upgrade itself with "acme.sh --upgrade". Supports 177 DNS providers for DNS-01 authentication
  3. lego - available in the stable Debian repositories, written in Go so it compiles into a single binary, with built-in support for DNS-01 authentication to 151 DNS providers

Given that lego has the most DNS providers supported by a package already available in the Debian stable repos, I feel it may be the best option to adopt in VyOS.

Is there interest from the VyOS team in considering a switch from certbot to lego? The question is most likely directed to @c-po and @natali-rs1985, as the regular committers to the VyOS pki acme source code.

The version of lego in the Debian repositories is very old, and this will likely mean it is broken for various DNS providers, since things change rapidly out there on the Internet. As an example, the Porkbun DNS provider has recently changed the URL for their DNS API, which has been updated in the newest lego, but the old version in the Debian repos no longer works for Porkbun. I believe updating lego in the Debian repos is hard due to needing to bring each Go dependency into the repos as well, which means the lego version is old even in the Debian unstable repos.

I notice that acme.sh is included in the Debian testing repos, is up to date, and is more easily updated in the repos in the future since it's a simple shell script, so perhaps it's best to use acme.sh.