ACME v2 / DNS-01 for non-public facing sites?


With this DNS TXT challenge, is it feasible to support LAN/WAN hosts which are not public facing (for instance contoso.plc)?

ACME v2 and Wildcard Certificate Support is Live

As long as you own the public domain, yes.


And as long as you’re requesting certificates for publicly resolvable names. E.g. is good, www.example.local is not.


You can certainly use ACMEv2 and DNS-01 for internal-only sites, but you’ll have to run your own ACME server. You can’t use Let’s Encrypt for anything but public; but that’s OK, because internal use generally means you have your own PKI and root certs to sign with instead.

LE’s ACME server is


That depends on whether you’re talking about internal domains or internal hosts. You can most definitely use ACMEv2 (or even ACMEv1) with DNS-01 to issue certificates from the Let’s Encrypt service for hosts that aren’t accessible from the outside, as long as they’re using public domain names–just as @jared.m said. I’m doing this very thing on my network for a number of hosts, and there’s no reason at all to run your own ACME server in that case.
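The point the replies make is a property of how DNS-01 validation works: the CA derives a value from the challenge token and the account key, looks up `_acme-challenge.<name>` in public DNS, and never contacts the host itself, so the host can sit on a private network as long as the name is under a domain you control in public DNS. The following is an added example written for this thread, not code from the thread or from Let's Encrypt, certbot or Boulder. The account key is the sample EC JWK from the RFC 7517 examples, the token is constructed, and the set of non-public suffixes is a simplified stand-in for a proper public-suffix lookup (it will not catch every non-delegated name, e.g. a made-up TLD).

```python
from __future__ import annotations

import base64
import hashlib
import json

# Constructed sample ACME account key: the public EC JWK from RFC 7517's
# examples, used here as test data only (not a real Let's Encrypt account).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

# Simplified stand-in for a public-suffix / registry check: special-use names
# from RFC 6761/6762 plus suffixes commonly used on private networks. A public
# CA cannot validate names under any of these; a real client should consult
# the public suffix list rather than a hard-coded set like this one.
NON_PUBLIC_TLDS = {"local", "localhost", "test", "example", "invalid",
                   "lan", "home", "corp", "internal"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_host(identifier: str) -> str:
    """Name whose TXT record is checked; a wildcard uses its base name's record."""
    return identifier[2:] if identifier.startswith("*.") else identifier


def is_publicly_resolvable_name(identifier: str) -> bool:
    """True if the name could be validated by a public CA (simplified check)."""
    labels = challenge_host(identifier).lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False
    return labels[-1] not in NON_PUBLIC_TLDS


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) the client must publish for DNS-01.

    Raises ValueError for names a public CA cannot validate; those need a
    private CA / private ACME server, as the thread says.
    """
    if not is_publicly_resolvable_name(identifier):
        raise ValueError(f"{identifier} is not under a public domain; "
                         "use a private CA or your own ACME server")
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{challenge_host(identifier)}", b64url(digest)


def ca_validates(dns_txt: dict[str, list[str]], identifier: str,
                 token: str, jwk: dict) -> bool:
    """Simulate the CA side: resolve the TXT record and compare the value.

    Note that nothing here connects to the host named by `identifier`;
    only DNS is consulted, which is why an internal-only host works.
    """
    name, expected = dns01_record(identifier, token, jwk)
    return expected in dns_txt.get(name, [])


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    name, value = dns01_record("plc.lab.example.com", token, SAMPLE_ACCOUNT_JWK)
    print(f"publish TXT {name} = {value}")

    fake_public_dns = {name: [value]}  # constructed stand-in for the zone
    print("CA validates:", ca_validates(fake_public_dns, "plc.lab.example.com",
                                        token, SAMPLE_ACCOUNT_JWK))
    try:
        dns01_record("plc.contoso.local", token, SAMPLE_ACCOUNT_JWK)
    except ValueError as err:
        print("rejected:", err)
```

The wildcard case from the linked announcement falls out of `challenge_host`: `*.lab.example.com` and `lab.example.com` both map to `_acme-challenge.lab.example.com`, so one TXT record (with a distinct value per challenge) serves both.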