Newbie Questions about how it all works

I have a number of questions, having read the techincal overview about things I don’t understand.

  1. The technical overview says the LE decide which mechanism to use to validate I “own” the domain I am asking a certificate for. However, all the user guides I’ve read for the client software implies that how I run that software chooses the validation mechanism. I am administrator for a two domains where I control the software on the host, but I have to ask someone else to change the DNS if I need it doing (which has only happened when I changed my virtual machine I run these domains on). So I can easily meet the webroot requirements, but it would be quite difficult to meet

  2. I am in the early phases of developing a Single Page Application which ultimately will run on the internal network of a fairly small company that at the moment uses a “companyname.local” domain internally. Does such a domain name totally preclude it being used with LE?

3 An alternative that might work (with some political difficulty) is to create some sub domains of a domain name I own. Particularly as I try things out, and especially http/2. I could temporarily expose said domain names on a staging server and get past the initial validation phase and obtain the first certificate, and then redirect them to the internal (192.168.x.x ip addresses). Once I have had a subdomain validated, can I automate certificate renewal without re-exposing these subdomain names to the outside internet again? (The technology overview seem to imply that validating that I control the domain of was a one time process, and that subsequent renew didn’t require re-exposure, but it didn’t explain how I can then go about renewing automatically). (Other posts suggest split DNS and indeed that is certainly possible where I am doing this development - at home - which has a has a small raspberry pi running dnsmasq as my internal domain name server, not sure if it would work in this small company).

There are a couple of things relevant here.

  1. Currently, Let’s Encrypt supports http-01 and tls-sni-01 verification. Both methods require access to either port 80 or 443 to the exact domain you’re trying to get a certificate for. Once you passed a challenge, I believe the authorization you get for your domain is valid for 10 months, i.e. you could get certificates for up to 13 months. As far as I know the client doesn’t yet make use of this, and requests a new challenge/authorization every time it runs.
  2. In the future (hopefully soon!), Let’s Encrypt will also support the dns-01 challenge. With this option, you don’t need to expose your service to the outside - it’s enough to change some DNS records. This is probably the easiest option for intranet sites where you need an external CA. This won’t work for domains like .local - Baseline Requirements force Let’s Encrypt to only issue certificates for ICANN domains (those found on the public suffix list).
  3. Probably even further in the future, Let’s Encrypt might implement proof of possession challenges. It has not been decided in which cases this will be necessary, it might be opt-in for domain owners, or only necessary for high-profile site. The way it works is that you need to sign something using a private key that’s been used for TLS on your domain before. But don’t worry about this yet until all the details are settled.