With this DNS TXT challenge, is it feasible to support LAN/WAN hosts which are not public facing (for instance contoso.plc)?
As long as you own the public domain, yes.
And as long as you’re requesting certificates for publicly resolvable names. E.g. www.example.com
is good, www.example.local
is not.
You can certainly use ACMEv2 and DNS-01 for internal-only sites, but you’ll have to run your own ACME server. You can’t use Let’s Encrypt for anything but public; but that’s OK, because internal use generally means you have your own PKI and root certs to sign with instead.
LE’s ACME server is https://github.com/letsencrypt/boulder
That depends on whether you're talking about internal domains or internal hosts. You can most definitely use ACMEv2 (or even ACMEv1) with DNS-01 to issue certificates from the Let's Encrypt service for hosts that aren't accessible from the outside, as long as they're using public domain names--just as @jared.m said. I'm doing this very thing on my network for a number of hosts, and there's no reason at all to run your own ACME server in that case.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.