238 points edent | 1 comments
pgroves No.29811701
Another nuisance is that unencrypted port 80 must be open to the outside world to do the acme negotiation (LE servers must be able to talk to your acme client running at the subdomain that wants a cert). They also intentionally don't publish a list of IPs that LetsEncrypt might be coming from [1]. So opening firewall ports on machines that are specifically internal hosts has to be a part of any renewal scripts that run every X days. Kinda sucks IMO.

[1] https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let...

UPDATE: Apparently there is a DNS based solution that I wasn't aware of.

replies(5): >>29811721 #>>29811728 #>>29811735 #>>29811740 #>>29811761 #
duskwuff No.29811721
Only true if you're using HTTP validation. Use DNS validation instead and this isn't an issue.
replies(1): >>29811863 #
pgroves No.29811863
Fair enough. Although that seems rather complicated for those of us just trying to get a quick cert for an internal host. The LetsEncrypt forums are full of this discussion:

[1] https://community.letsencrypt.org/t/whitelisting-le-ip-addre...
[2] https://community.letsencrypt.org/t/whitelist-hostnames-for-...
[3] https://community.letsencrypt.org/t/letsencrypt-ip-addresses...