I have a domain that is hosted on Bluehost for my email, with another hosting company handling www.domain.com for my web server (they do the web server development and hosting for me and also use Let's Encrypt to get a cert for that server).
My business has a single public static IP address that has an enterprise-grade firewall on it. The firewall has the ability to run ACME to get its own certificate from Let's Encrypt, which is quite useful for the firewall to continually update its own cert for remote access, VPN, etc.
I've been turning up additional services inside of the network that are internal use only but require the use of signed certs. I am interested in whether Let's Encrypt can be of help here but am finding things rather confusing.
I know I can spin up an environment to generate a wildcard certificate for my domain with auto renewal using the DNS challenge, but it seems that I would have to manually install the certs on all of the various servers (different OSs, etc.) and would have to do the manual install every 90 days, which seems quite tedious and might make having a paid-for cert more convenient... or I have to go down the rabbit hole of finding automation tools, etc., to install the certs, which seems like it wouldn't be worth my time for the money saved compared to buying a paid-for wildcard cert with an annual expiration.
Am I missing something? Is this "easier" than it appears to use Let's Encrypt as a solution?
In the most common case, your internal servers would have their own ACME client installed just like your firewall does. They'd then take care of their own certs automatically. However, being internal-only devices, HTTP-based challenges won't be able to reach them, so you'd need to be able to use DNS-based validation instead. You would also technically be "leaking" your internal server names due to mandatory Certificate Transparency requirements, which may or may not be acceptable to your organization.
There are some less common ways of doing this that might make more sense depending on your environment. But they're usually a bit more involved to set up and may require some custom scripting.
Particularly since you have non-web servers you're trying to obtain certs for, I like to mentally separate the act of obtaining the cert from installing/distributing the cert. With DNS-based validation, any machine on your internal network could theoretically obtain the certs on behalf of any other device. But then you would need to do some custom scripting in order to install or distribute those certs to the other devices. Even if the ACME client is on the same device as the non-web service, the client may or may not have the ability to install the cert for you. It will vary based on the ACME client you're using and the service you're installing the certificate for.
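The DNS-based validation referred to in the reply above is the ACME dns-01 challenge (RFC 8555, section 8.4). What the DNS provider has to publish is small and fully deterministic, which is worth seeing once before deciding whether a provider's API is usable for it. The following is an added example, not code from the original thread or from any of the clients mentioned in it: it computes the `_acme-challenge` TXT record name and value from a challenge token and the account key's JWK thumbprint (RFC 7638), and shows the wildcard gotcha that `example.com` and `*.example.com` are validated at the same record name, so both TXT values must exist at once. The JWK and the tokens are constructed placeholder values, not a real key or real CA-issued tokens.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: only the required members, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JWK, base64url-encoded."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{thumbprint}"


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (TXT record name, TXT record value) for one dns-01 challenge.

    The wildcard prefix is stripped before prepending _acme-challenge, so
    '*.example.com' and 'example.com' share the same record name.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


def plan_txt_records(authorizations: list[tuple[str, str]], jwk: dict) -> dict[str, list[str]]:
    """Collect every TXT record that must be live before the challenges are triggered.

    authorizations: (identifier, token) pairs, one per authorization in the order.
    Records that land on the same name are kept together; none may be dropped.
    """
    thumbprint = jwk_thumbprint(jwk)
    records: dict[str, list[str]] = {}
    for identifier, token in authorizations:
        name, value = dns01_record(identifier, token, thumbprint)
        records.setdefault(name, []).append(value)
    return records


def ca_would_accept(published: dict[str, list[str]], name: str, expected: str) -> bool:
    """Mirror the CA's check: any TXT record at the name matching the value passes."""
    return expected in published.get(name, [])


# Constructed placeholder JWK (not a real key) and constructed tokens; a real
# client gets the tokens from the CA's challenge objects for each authorization.
SAMPLE_JWK = {"kty": "RSA", "n": "not-a-real-modulus", "e": "AQAB", "kid": "ignored-by-thumbprint"}
SAMPLE_AUTHORIZATIONS = [
    ("example.com", "token-for-apex-AAAA"),
    ("*.example.com", "token-for-wildcard-BBBB"),
    ("vpn.example.com", "token-for-vpn-CCCC"),
]

if __name__ == "__main__":
    for name, values in plan_txt_records(SAMPLE_AUTHORIZATIONS, SAMPLE_JWK).items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
```

A provider API that can only hold one TXT value per name, or that needs many minutes to propagate each change, is what makes a wildcard plus apex order painful: the two values for `_acme-challenge.example.com` must both resolve before the CA is told to validate either challenge.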
Thanks for the detailed response. This makes sense and was kind of where I was at mentally with this anyway.
Some of the internal devices do not run an OS where installation of the ACME client is possible (for example I have a couple of devices that run FortiOS versions where I would not have the ability to install or configure an ACME client).
So it seems, for at least the internal piece, it might just be less painful to bite the bullet and do a paid-for wildcard cert from Comodo or someone else.
If anyone has a good recommendation for a fairly easy-to-deal-with and not expensive paid-for cert option, that would be helpful, but I can also do that research on my own.
You might still consider using ACME over a paid cert solution if you have (or can get) programmatic access to your public DNS servers. BuyPass offers free ACME certs with a 180-day lifetime, with the caveat that you can't get wildcards and only up to 5 SANs per cert. So if you were planning on doing manual installation of the certs anyway (which you would have to with a paid cert), you could still use a single server running an ACME client to obtain the certs for free from BuyPass using DNS validation, and they'd just be sitting there waiting for someone to grab them and manually install on the devices.
So your choice is basically doing a manual install every 5-ish months for free or every 11-ish months at a per-cert cost.
The other option is to not use public certs for internal devices at all and instead use your own internal certificate authority which has the additional advantage that you can make the cert lifetimes whatever you want.
All good additional information. I don't believe running my own in-house CA is going to be an easy solution for me as it will be a bit of a pain to get all of the devices that need to recognize the services to know that the issuing CA is trusted.
Thanks again for the help. For the level of effort needed to do this for free in my environment, I think a paid-for certificate is probably going to be the better option.
Using a paid (wildcard) cert does still mean you will then manually deploy that cert to all the different services.
If you did want to look at automation, you can generally achieve it with most ACME clients (get the cert on one machine, then use scripting to deploy to the other services). It can be complex, but once you have a working script you also have automated renewal, and you don't have to worry as much about chasing expiration across multiple endpoints.
You can do a lot with things like PowerShell (e.g. using Posh-ACME as built by @rmbolger), or you can use a combination of techniques using something like https://certifytheweb.com (which I develop), because that has various Deployment Tasks you can use, or you can get it to run your own scripts (even via SSH to remote hosts).
Thanks @webprofusion for the info. I'm aware that I would need to install the updated wildcard cert on my half dozen devices every year, that's not something that is particularly painful and takes just minutes.
This is an effort vs. reward thing for me. I'm sure I could get it working, but I've already sunk hours into just trying to do recon on how this could be accomplished and becoming aware of the pitfalls. Additional pitfalls are that my DNS provider, who also does my hosting, is not easy to work with for doing the DNS authentication method Let's Encrypt uses for wildcards. Moving DNS providers or hosting companies is yet another lift. I've basically talked myself out of it at this point, but I'm sure someone who does this type of thing week in and week out would be able to implement a solution fairly easily.