Like many organizations, we keep most of our servers internal. (For reference, we have about 80 servers, and only 3 are public-facing.)
We are using Let’s Encrypt for our public-facing servers, and we really like it.
However, we would like to do the same with our internal servers. I know that DNS validation can be used to obtain a wildcard certificate, but the issue is that we are a state-government agency, which means that we control only our internal DNS; our public DNS is controlled by a parent state-government agency. For example, I can make sub.example.com myself, but the second I want that to propagate to the outside world, I have to put in a request to the parent agency. The parent agency will do it with no questions asked, but the issue is that it’s a manual process.
Obviously, I am not going to go through this process every 90 days to renew our Let’s Encrypt certificate.
In the future, can wildcards be validated via HTTP? When we validate a single server via HTTP validation, why is that not sufficient to validate all of its subdomains, too? To my knowledge, if you control example.com, you ultimately also control sub.example.com. (I understand that you can “sub-lease” subdomains to other tenants, but that’s the domain owner’s prerogative and, in my opinion, not anything Let’s Encrypt should be concerned about.)
What’s the technical or practical limitation of HTTP validation for an entire domain and its subdomains?