
238 points edent | 2 comments
pgroves No.29811701
Another nuisance is that unencrypted port 80 must be open to the outside world to do the acme negotiation (LE servers must be able to talk to your acme client running at the subdomain that wants a cert). They also intentionally don't publish a list of IPs that LetsEncrypt might be coming from [1]. So opening firewall ports on machines that are specifically internal hosts has to be a part of any renewal scripts that run every X days. Kinda sucks IMO.

[1] https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let...

UPDATE: Apparently there is a DNS based solution that I wasn't aware of.

replies(5): >>29811721 >>29811728 >>29811735 >>29811740 >>29811761
1. wielebny No.29811728
That's not true. You can validate domains using dns-01, without exposing hosts.
replies(1): >>29811773
2. detaro No.29811773
And even with the HTTP challenge you don't have to expose the host directly; you can e.g. copy the challenge response to a public webserver from the internal host or from a coordinator server.
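As an added example (not code from the thread) of detaro's approach, here is a certbot `--manual-auth-hook` that writes the http-01 response onto a separate public webserver over ssh, so the internal host in pgroves's setup never has to open port 80. It assumes certbot's documented hook variables CERTBOT_TOKEN and CERTBOT_VALIDATION; PUBLIC_HOST and PUBLIC_WEBROOT are hypothetical names, and the public DNS name must resolve (or redirect) to that public server.

```shell
#!/bin/sh
# Added example, not from the thread: certbot --manual-auth-hook that publishes an
# http-01 response on a public webserver so the internal host never opens port 80.
# Assumes certbot's CERTBOT_TOKEN / CERTBOT_VALIDATION and ssh access to PUBLIC_HOST
# with write permission under PUBLIC_WEBROOT (both hypothetical names).
set -eu

ACME_DIR=".well-known/acme-challenge"

# RFC 8555 section 8.3: tokens are base64url, so anything else is rejected before it
# is spliced into a path (a hostile token must not be able to escape ACME_DIR).
valid_token() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# The ACME server fetches http://<domain>/.well-known/acme-challenge/<token> and
# expects exactly the key authorization, which certbot passes as CERTBOT_VALIDATION.
challenge_file() {
  printf '%s/%s/%s' "$1" "$ACME_DIR" "$2"
}

# Write the response into a local webroot (when the hook runs on the public host).
publish_local() {
  root="$1"; token="$2"; keyauthz="$3"
  valid_token "$token" || { echo "refusing malformed token" >&2; return 1; }
  mkdir -p "$root/$ACME_DIR"
  printf '%s' "$keyauthz" > "$(challenge_file "$root" "$token")"
}

# Same, but over ssh to the public webserver; the body travels on stdin rather than
# being quoted into the remote command line.
publish_remote() {
  host="$1"; root="$2"; token="$3"; keyauthz="$4"
  valid_token "$token" || { echo "refusing malformed token" >&2; return 1; }
  printf '%s' "$keyauthz" | ssh "$host" \
    "mkdir -p '$root/$ACME_DIR' && cat > '$root/$ACME_DIR/$token'"
}

# Counterpart for --manual-cleanup-hook: remove the response after validation.
remove_local() {
  root="$1"; token="$2"
  valid_token "$token" && rm -f "$(challenge_file "$root" "$token")"
}

# Entry point when certbot invokes the hook, e.g.
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook /path/to/this.sh -d internal.example.com
if [ -n "${CERTBOT_TOKEN:-}" ]; then
  publish_remote "${PUBLIC_HOST:?}" "${PUBLIC_WEBROOT:?}" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
fi
```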