ACME v2 / DNS-01 for non-public facing sites?


#1

With this DNS TXT challenge, is it feasible to support LAN/WAN hosts which are not public facing (for instance contoso.plc)?


#2

As long as you own the public domain, yes.


#3

And as long as you’re requesting certificates for publicly resolvable names. E.g. www.example.com is good, www.example.local is not.


#4

You can certainly use ACMEv2 and DNS-01 for internal-only sites, but you’ll have to run your own ACME server. You can’t use Let’s Encrypt for anything but public; but that’s OK, because internal use generally means you have your own PKI and root certs to sign with instead.

LE’s ACME server is https://github.com/letsencrypt/boulder


#5

That depends on whether you’re talking about internal domains or internal hosts. You can most definitely use ACMEv2 (or even ACMEv1) with DNS-01 to issue certificates from the Let’s Encrypt service for hosts that aren’t accessible from the outside, as long as they’re using public domain names–just as @jared.m said. I’m doing this very thing on my network for a number of hosts, and there’s no reason at all to run your own ACME server in that case.
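The reason this works for hosts that are not reachable from the outside is that the CA never connects to the host: for DNS-01 it only looks up a TXT record under the public zone. The following is an added example (not code from the thread or from Let's Encrypt) that computes that TXT value the way RFC 8555 section 8.4 and RFC 7638 define it and checks a constructed DNS answer set the way a CA would; the account key, token and zone data are all constructed placeholders.

```python
"""DNS-01 challenge value computation and CA-side check (added example)."""
import base64
import hashlib
import json

# Members that RFC 7638 includes in the thumbprint, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members, lexically sorted, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode("utf-8"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(key authorization))."""
    return b64url_sha256(key_authorization(token, account_jwk).encode("ascii"))


def challenge_record_name(identifier: str) -> str:
    """A wildcard name '*.example.com' is validated at _acme-challenge.example.com."""
    name = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{name.rstrip('.')}."


def validate_dns01(identifier: str, token: str, account_jwk: dict,
                   txt_answers: dict) -> bool:
    """Mimic the CA: fetch the TXT RRset and require an exact match.

    txt_answers stands in for a live resolver: {owner name: [txt strings]}.
    Nothing here ever contacts the host named by `identifier`.
    """
    expected = dns01_txt_value(token, account_jwk)
    return expected in txt_answers.get(challenge_record_name(identifier), [])
```

In practice the TXT record is published at the public DNS provider for the zone (by hand or through the ACME client's DNS plugin), and the internal host only needs to be able to reach the CA to request and download the certificate.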

