
For the standard LE certs, you need a public facing web server for the domain name in question, and LE give you a keyfile to put into:

'/.well-known/pki-validation'

For the wildcard certs, you just need to add a TXT record to the public DNS entry, no public web server required.

Even if you have no intention of using your internal DNS domain name on the internet, it's good practice to register it anyway.




Is there a "standard" TLD for internal use that will also fit this requirement?

The problem here is that there's no such thing as domain ownership, only domain renting. You forget to pay your bill (read: someone loses an email) and a core part of your infrastructure is up in smoke, or worse, taken over by a squatter.


Of course not. If there was a domain reserved for internal use and everyone could get a cert for it, everyone would be able to impersonate your internal hosts.

I don't think there's a way around coming up with a reliable process for renewing your domain. You somehow manage to do it for lots of other things already.


Some years ago, at least one of the popular CAs used to issue certs for RFC1918 IP addresses. Fun times.


It makes no sense to have publicly trusted certificates for names that have no defined legitimate meaning - what is being certified? Nothing. Accordingly no public CA is permitted to issue such certs.


You can use a DNS challenge for v1 "regular" certs - there's no requirement for a web server in order to use Let's Encrypt.

See e.g. point 4: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
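The two challenge types the comments above are talking about (the file under .well-known for HTTP-01, the TXT record for DNS-01) are both derived from the same key authorization string, and the CA recomputes it independently from the account's public key. The following is an added example, not code from the commenters, acme.sh or Let's Encrypt; the account JWK, token, web root and DNS zone are all constructed in memory so both the client side (what to publish) and the CA side (what gets checked) run offline:

```python
"""ACME HTTP-01 and DNS-01 challenge material, worked offline.

Added example, not code from the thread above, acme.sh or Let's Encrypt.
Everything network-facing (HTTP fetch, DNS TXT lookup) is replaced by a dict.
"""
import base64
import hashlib
import json

HTTP01_PATH = "/.well-known/acme-challenge/"  # HTTP-01 location (RFC 8555 s8.3)
DNS01_LABEL = "_acme-challenge"               # DNS-01 owner label (RFC 8555 s8.4)

# Constructed account key: the modulus is a placeholder string, not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "dGhpcy1pcy1ub3QtYS1yZWFsLW1vZHVsdXM"}


def b64url(data: bytes) -> str:
    """Base64url with the padding removed, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, keys in
    lexicographic order, no whitespace. Optional members (kid, alg, use) must
    be left out, otherwise the CA computes a different value and validation fails."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint: ties the CA's random token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def allowed_challenges(identifier: str) -> list:
    """Let's Encrypt only accepts DNS-01 for wildcard names: serving one file on
    one host does not prove control of every name under the wildcard."""
    return ["dns-01"] if identifier.startswith("*.") else ["http-01", "dns-01"]


def http01_provision(identifier: str, token: str, jwk: dict) -> tuple:
    """(URL, body) the client must serve on port 80 of the public host."""
    return (f"http://{identifier}{HTTP01_PATH}{token}", key_authorization(token, jwk))


def dns01_provision(identifier: str, token: str, jwk: dict) -> tuple:
    """(owner name, TXT value) the client must publish in public DNS.
    The TXT value is base64url(SHA-256(key authorization)), not the raw
    key authorization. For a wildcard the '*.' is stripped: the record
    for *.example.com lives at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"{DNS01_LABEL}.{base}", b64url(digest))


# CA side. The dicts stand in for an HTTP fetch and a DNS TXT lookup; the CA
# recomputes the expected value from its own token and the account's public key.
def ca_validate_http01(web_root: dict, identifier: str, token: str, jwk: dict) -> bool:
    url = f"http://{identifier}{HTTP01_PATH}{token}"
    return web_root.get(url) == key_authorization(token, jwk)


def ca_validate_dns01(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    name, expected = dns01_provision(identifier, token, jwk)
    # Any one matching TXT record at the name is enough; leftovers from
    # earlier renewals do not break validation.
    return expected in zone.get(name, ())


def run_demo(token: str = "constructed-token-0123456789") -> dict:
    """End-to-end flow for a normal name (HTTP-01) and a wildcard (DNS-01),
    plus the failure case where the published record belongs to another token."""
    web_root, zone = {}, {}
    url, body = http01_provision("www.example.com", token, ACCOUNT_JWK)
    web_root[url] = body
    name, txt = dns01_provision("*.example.com", token, ACCOUNT_JWK)
    zone.setdefault(name, set()).add(txt)
    zone[name].add("stale-value-from-last-renewal")
    return {
        "http01_www": ca_validate_http01(web_root, "www.example.com", token, ACCOUNT_JWK),
        "dns01_wildcard": ca_validate_dns01(zone, "*.example.com", token, ACCOUNT_JWK),
        "dns01_wrong_token": ca_validate_dns01(zone, "*.example.com", "other-token", ACCOUNT_JWK),
        "http01_wildcard_allowed": "http-01" in allowed_challenges("*.example.com"),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The practical consequence for the thread's question is visible in `dns01_provision`: the TXT owner name is always `_acme-challenge.` plus the registered public name, so a DNS-01 challenge only works for a zone you can publish records in on the public DNS, which is exactly why an internal-only name has to be a registered domain to get a publicly trusted cert.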



