Say I own domain.com. I know I can use Let’s Encrypt for subdomain.domain.com provided I’ve configured everything correctly.
If my internal network uses (for example) int.domain.com and host FQDNs are similar to server01.int.domain.com, will Let’s Encrypt issue a cert for server01? Or will it break because it’s a sub-subdomain?
Or am I better off simply buying similar-ish-shortdomain.com and using that instead for internal-only HTTPS requirements?
You can get a certificate for any name that you want, but you’ll have to perform the validation process individually for each name. Your proof of control over int.domain.com doesn’t automatically let you issue for server01.int.domain.com, but if you can prove control over the latter, you can issue for it with no problems.
Understood. Most free/cheap certificate providers choke when we get down to the nuts and bolts of using them on our domains because we’re a sub-organisation of a larger organisation and our FQDNs for internal hosts are unusually deep.
Combined with validation via the DNS TXT record method, that makes life a lot easier for us.
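The per-name validation described above, worked through for the DNS TXT method as an added example (not code from the thread or from Let's Encrypt's client software): every identifier in an order receives its own challenge token from the CA, so every name needs its own `_acme-challenge` TXT record. The record value is the base64url-encoded SHA-256 of the key authorization (token, a dot, and the account key thumbprint), per RFC 8555 section 8.4. The tokens and thumbprint below are constructed placeholders, not real ACME values.

```python
import base64
import hashlib


def txt_value(key_authorization: str) -> str:
    """Value of the _acme-challenge TXT record: base64url(SHA-256(key authorization)),
    without '=' padding (RFC 8555, section 8.4)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_record_name(fqdn: str) -> str:
    """Name of the TXT record for an identifier. A wildcard name is validated
    at its base name, so a leading '*.' is dropped."""
    host = fqdn[2:] if fqdn.startswith("*.") else fqdn
    return "_acme-challenge." + host.rstrip(".")


def dns01_records(tokens_by_fqdn: dict, thumbprint: str) -> dict:
    """One TXT record per name. Proving control of int.domain.com does not
    cover server01.int.domain.com: each name gets its own token and record."""
    records = {}
    for fqdn, token in tokens_by_fqdn.items():
        records[challenge_record_name(fqdn)] = txt_value(f"{token}.{thumbprint}")
    return records


# Constructed sample input: these tokens and the thumbprint are made up
# for illustration and are not values issued by any real CA.
SAMPLE_TOKENS = {
    "int.domain.com": "constructed-token-for-int",
    "server01.int.domain.com": "constructed-token-for-server01",
}
SAMPLE_THUMBPRINT = "constructed-account-key-thumbprint"

if __name__ == "__main__":
    # Prints the zone lines an operator would publish before asking the CA to validate.
    for name, value in dns01_records(SAMPLE_TOKENS, SAMPLE_THUMBPRINT).items():
        print(f'{name}. IN TXT "{value}"')
```

Depth of the name does not matter to the computation; what matters is that each FQDN, however many labels it has, gets a distinct record under its own `_acme-challenge` label.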
One thing you might need to watch out for is the length of the names themselves. Somebody many years ago decided the Common Name in a certificate subject would never need to be more than 64 characters. This wouldn’t be a problem except that for compatibility with software of pensionable age the Common Name is always one of the FQDNs your certificate is issued for.
If even one FQDN in the certificate is short enough, Let’s Encrypt can figure out how to issue. But if they’re all too long it gives up. So a.sub.sub.domain.example is fine, but if the names are all like geraldine-simpson.my-internal-network.the-royal-company-of-haberdashers-and-cartoonists.example then you might be out of luck. There is a long-term plan to fix this, but it won’t work with such names today.
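A pre-flight check for the 64-character Common Name limit described above, as an added example (not code from the thread or from Let's Encrypt). It takes the list of names you intend to put in one certificate, reports which ones can never serve as the CN, and says whether at least one candidate remains. Which short name a CA actually picks as CN is not stated in the post; this check simply takes the first one that fits, which is an assumption.

```python
# Upper bound of the X.520 commonName attribute (ub-common-name).
MAX_CN_LENGTH = 64


def too_long_for_cn(names):
    """Names that cannot be used as the Common Name because they exceed the limit."""
    return [n for n in names if len(n.rstrip(".")) > MAX_CN_LENGTH]


def choose_common_name(names):
    """First name short enough to be the CN, or None if every name is too long.
    Which short name a CA really selects is an assumption here (first fit)."""
    for name in names:
        if len(name.rstrip(".")) <= MAX_CN_LENGTH:
            return name
    return None


def preflight(names):
    """Summarise whether a certificate covering all of `names` can get a CN at all."""
    cn = choose_common_name(names)
    return {
        "common_name": cn,
        "issuable": cn is not None,
        "too_long": too_long_for_cn(names),
    }


# Constructed sample input using the two names from the post.
SHORT = "a.sub.sub.domain.example"
LONG = ("geraldine-simpson.my-internal-network."
        "the-royal-company-of-haberdashers-and-cartoonists.example")

if __name__ == "__main__":
    print(preflight([LONG]))          # no usable CN: issuance would fail
    print(preflight([LONG, SHORT]))   # the short name rescues the order
```

The practical takeaway: if all your internal names are deep, add one short name (or the zone apex) to the same order so the CA has something that fits.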
I believe @jsha is involved in eliminating this by providing an option for omitting CN and using only the certificate serial number. I don't believe this feature is available yet, but I believe it's under development.
Oh, and one more caveat: if you’re sub.example.com, then example.com can set a CAA record saying they only want certain CAs to issue any certificates for names in example.com. Let’s Encrypt will obey this instruction; if they’re not on the list, they’ll refuse to issue for such names, and the only way to undo it is to ask whoever manages the example.com DNS to change the CAA record.
These records are pretty rare today, but it’s just another thing that could matter, especially if the larger domain isn’t very cooperative or agile.
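The CAA inheritance described above, worked through as an added example (not code from the thread): per RFC 8659, the relevant CAA record set for a name is the one at the closest ancestor (or the name itself) that has any CAA records, so a parent's record governs every deeper name that does not set its own. The zone data here is constructed and the CA identifiers other than letsencrypt.org are placeholders; CNAME/DNAME following, `issuewild`, and live DNS lookups are left out.

```python
# Constructed zone data: DNS name -> list of CAA records as (flags, tag, value).
# None of these policies are real; "other-ca.example" is a placeholder CA identifier.
SAMPLE_CAA = {
    "example.com": [(0, "issue", "other-ca.example")],
    "agile.example.com": [(0, "issue", "letsencrypt.org"),
                          (0, "issue", "other-ca.example")],
    "locked.example.com": [(0, "issue", ";")],          # ';' means no CA may issue
    "report-only.example.com": [(0, "iodef", "mailto:security@example.com")],
}


def parent_chain(name):
    """Yield the name and each ancestor, up to but not including the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_caa(name, zone):
    """RFC 8659 section 3: walk towards the root and return the first non-empty
    CAA record set found, together with the name it was found at."""
    for candidate in parent_chain(name):
        if zone.get(candidate):
            return candidate, list(zone[candidate])
    return None, []


def ca_may_issue(ca_domain, name, zone):
    """True if the CA identified by ca_domain may issue for name (non-wildcard)."""
    _, records = relevant_caa(name, zone)
    issue_values = [v for _, tag, v in records if tag == "issue"]
    if not issue_values:
        # No CAA anywhere in the chain, or only records like iodef: any CA may issue.
        return True
    # Parameters after ';' (e.g. "letsencrypt.org; validationmethods=dns-01") are ignored here.
    allowed = {v.split(";")[0].strip().lower() for v in issue_values}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for host in ("server01.int.example.com", "host.agile.example.com",
                 "host.locked.example.com", "host.unrelated.example"):
        at, _ = relevant_caa(host, SAMPLE_CAA)
        print(f"{host}: governed by CAA at {at!r}, "
              f"letsencrypt.org may issue: {ca_may_issue('letsencrypt.org', host, SAMPLE_CAA)}")
```

This is the situation the post warns about: server01.int.example.com sets no CAA of its own, so the record at example.com decides, and if that record does not list letsencrypt.org the request is refused until the parent zone's administrators change it.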