The previous discussions in the ACME working group apparently concluded that we can’t safely do a file-content-based challenge on port 443 in terms of the practices of hosting providers. In a way, this is an earlier version of the concern that we’re now facing with TLS-SNI-01. I’m not sure that Let’s Encrypt will be able to resume using any validation method that begins with a connection on port 443.
Thanks to @_az for the suggestion; I hadn’t seen that CA before.
I think a key challenge that all domain validation will eventually face is the challenge in the OP’s comment:
It’s hard to imagine the server at :443 is legitimate if the party running it cannot achieve, via working with coworkers / vendors / etc., delegation of a DNS CNAME record for ACME challenges, or get the firewall admin to open port 80 for ACME challenges.
Unfortunately, this is in tension with some efforts by the CA industry to give management—in the form of network administrators representing domain owners—more control over the ability to issue certificates. "We don't want to have to ask the domain owner before getting a certificate" isn't a case that the industry is very friendly to, even though in your case your intentions are entirely non-malicious.
I agree. While I understand the user’s dilemma and sympathize, there is a good case to be made that, in fact, such a certificate should not issue. If there’s hesitation to seek the active permission of the domain holder, this suggests against issuance.
For this use-case, you could probably just buy a domain ($10 a year or less) specifically for this, or probably use custom signed certificates. I doubt your IT department locked down the 443 traffic to connections for accepted domains (which is sort of possible, but a huge pain to implement). I am certain your manager would approve this expense.
An idea which I offer that might help in your particular situation, rather than because I think it’s a good idea per se.
If normal Internet DNS works from your workplace, you could arrange to create a name for the service in a domain the employer doesn’t own, either a “free” domain like no-ip (not an endorsement) or your own. You would control DNS for this name (and thus pass dns-01), and you would in fact control the service, so you could install the certificate. You and colleagues would use this new name for the service and the cert would check out as OK. Using dns-01 this way, Let’s Encrypt won’t even care if the service becomes entirely inaccessible from the Internet.
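To make concrete what "pass dns-01" means in the two suggestions above (a name in a domain you control, or a CNAME delegation of the _acme-challenge label), here is an added worked example of how the TXT record value is derived from the challenge token and the account key, following RFC 8555 §8.4 and the JWK thumbprint rules of RFC 7638. It is not code from any poster or from Let's Encrypt; the account key, token and zone data are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638: keep only the required members, sort them, emit no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint binds the challenge to the ACME account that requested it."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The exact string the CA expects to find in the TXT record."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest())


def dns01_record_name(fqdn: str) -> str:
    return "_acme-challenge." + fqdn.rstrip(".") + "."


def resolve_challenge_owner(name: str, zone: dict) -> str:
    """Follow CNAME delegation, as a CA's resolver would, to the zone that must hold the TXT record.
    `zone` is a constructed stand-in for DNS: name -> (rrtype, rdata)."""
    seen = set()
    while name in zone and zone[name][0] == "CNAME":
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = zone[name][1]
    return name


# Constructed sample data (not a real key, token or zone).
ACCOUNT_JWK = {"kty": "RSA", "n": "placeholder-modulus", "e": "AQAB", "alg": "RS256"}
TOKEN = "constructed-token-0123456789"
ZONE = {
    # The corporate name delegates its challenge label to a domain the operator controls.
    "_acme-challenge.intranet.example.com.": ("CNAME", "_acme-challenge.intranet.example.net."),
    "_acme-challenge.intranet.example.net.": ("TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK)),
}
```

Whoever controls the zone that `resolve_challenge_owner` lands on can publish the TXT value, which is why delegating only the _acme-challenge label (or naming the service in your own domain) is enough to satisfy dns-01 without opening port 80 or 443.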