Cert for local URI?


#1

Knowing how LE works I believe the answer to my question is no, but is there any way to obtain a cert for a local URI? (i.e. https://localhost or https://192.168.1.6) There is no way for the LE cert server to verify ownership of the “domain” since the addresses are not routable to the public Internet, so I doubt this can be done, but now that Google is enforcing https for OAuth2 I need to run a local server to receive the redirect, and since that server needs to be encrypted I need a cert for it. I can generate a self-signed one for the task, but then my users will need to add an exception for the untrusted certificate, which many will not know how to do.

Thanks.


#2

Publicly-trusted CAs are forbidden from issuing certificates for so-called internal server names like localhost or private/reserved IP addresses. Basically, the domain needs to end in a public suffix.

It is not strictly necessary for the domain to have a running HTTP or HTTPS server that’s reachable from the public internet thanks to the dns-01 challenge. Depending on your use-case, you could implement something similar to what Plex did to deploy HTTPS, using a domain you actually own and with per-user subdomains resolving to 127.0.0.1. acme-dns might be a good starting point for such a service.

Depending on your environment (especially on which operating systems and browsers your users use), you might also consider adding the certificates to your OS or browser trust store as part of the installation process. Care would have to be taken with regards to where and how the key is generated and stored to avoid something like Superfish.
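As an added illustration of the approach in #2 (not code from the thread or from any of the projects mentioned): a minimal local HTTPS listener for the OAuth2 redirect, bound to loopback but presenting a cert for a hostname under a domain you own whose A record points at 127.0.0.1. `local.example.com`, `cert.pem`, `key.pem` and port 8443 are placeholders; the cert is assumed to have been issued for that name (e.g. via dns-01).

```python
"""Local OAuth2 redirect receiver over HTTPS, using a certificate for a
hostname that resolves to 127.0.0.1 (the per-user-subdomain idea above)."""
import secrets
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumptions (placeholders, not real values): LOCAL_HOST is a name under a
# domain you control with an A record of 127.0.0.1, and cert.pem/key.pem
# were issued for it by a publicly trusted CA.
LOCAL_HOST = "local.example.com"
CERT_FILE = "cert.pem"
KEY_FILE = "key.pem"


def parse_redirect(path, expected_state):
    """Return the authorization code from the redirect request path, or None
    if the state nonce is missing/mismatched (CSRF protection for the
    redirect endpoint) or the provider returned an error instead of a code."""
    query = parse_qs(urlparse(path).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return None
    if "error" in query or "code" not in query:
        return None
    return query["code"][0]


def make_handler(expected_state, result):
    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            code = parse_redirect(self.path, expected_state)
            result["code"] = code
            self.send_response(200 if code else 400)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"You may close this window." if code
                             else b"Invalid redirect.")

        def log_message(self, *args):  # keep the console quiet
            pass
    return RedirectHandler


def serve_one_redirect(port=8443):
    """Start an HTTPS listener on loopback, handle exactly one redirect."""
    state = secrets.token_urlsafe(16)   # per-flow nonce sent as ?state=
    result = {}
    httpd = HTTPServer(("127.0.0.1", port), make_handler(state, result))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(CERT_FILE, KEY_FILE)  # cert must match LOCAL_HOST
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    print(f"redirect_uri=https://{LOCAL_HOST}:{port}/callback state={state}")
    httpd.handle_request()
    return result.get("code")
```

The browser validates the cert against `LOCAL_HOST` (the name in the redirect URI), not against the IP it resolves to, which is why the loopback address itself never needs to appear in the certificate.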


#3

Thanks for your quick response. I suspected that was the case. My use case is a BlackBerry 10 Native app which uses OAuth2 to authorize URL shortening with Bit.ly or goo.gl. Up till BlackBerry 10.3.2 the BlackBerry 10 browser ignored the “Strict-Transport-Security” HTTP header, so the OAuth2 redirect could be to an unencrypted server (a Qt QTcpServer instance), even for goo.gl, which sends the strict header (Bit.ly does not). With the release of the 10.3.3 OS, though, that header is now respected and the redirect must be to an encrypted listener for goo.gl (QTcpServer doesn’t do SSL, so I will need to code my own SSL extension for it).

Luckily from OS 10.3 onward installing certs is fairly easy programmatically, so yes, I could ask the user to authorize the self-signed cert. Not perfectly clean, but manageable. Thanks for your help.
