Let's Encrypt can generate certificates for your.domain. your.domain can in turn resolve to localhost. I've been using Let's Encrypt for websites behind a VPN for several years.
Yes, of course, and that might make sense in a production setting. Those certificates expire after 90 days though; do you really want to have to edit your DNS records every 90 days? To run something locally?
In that case you’re using either HTTP or TLS verification, which only works if you have a public static IP/port that LE can access. You can’t do that from behind a NAT without port forwarding, and you generally don’t want your local docker machines to be accessible to the internet.
Unless your cron script is doing some funky DNS altering, that is.
Oh, that’s cool, I hadn’t heard of lego before! But still, you shouldn’t need to buy a domain to do stuff locally on your own device and it adds quite a bit of complexity.
The only thing we care about is that there's just one authoritative name hierarchy, if somebody in the name hierarchy wants to give you a name without selling it, that would be totally fine.
I would totally be down with say, the US government issuing citizens with a DNS name under their ccTLD somewhere. Done your tax paperwork in reasonable time? Your name is guaranteed by law to keep working for another year. Maybe 1480219643.ny.citizen-names.us is ugly but it'd satisfy this problem for individuals. Maybe they could bolt on a checkbox, $50 extra to the IRS and you get to pick any as-yet unreserved legal name, or they have rules like for license plates.
Put the emphasis on the word "buy" instead, because they were describing a situation where you don't need to buy.
There are also free dynamic DNS providers that let you set TXT records and get certificates. But of course you can't depend on one of those to last forever.
1. have the domain in question resolve to a server with a public IP
2. have that server generate the certs with any ACME client with HTTP challenge
3. have that server ship the certs to the actual server hosting the service via intranet
4. in the intranet, have the domain resolve to the actual server via /etc/hosts override
All of that is not that hard to set up even at scale with proper config management tools. Having said that, I don't actually use it for that many services myself. The most significant one is LDAPS.
I have a wildcard certificate for *.local.example.com (and local.example.com), and a local DNS server which resolves all the subdomains of local.example.com.
All local servers share the same certificate and it gets refreshed automatically every 2 months. local.example.com has a public NS entry to a custom nameserver which only exists so that Let's Encrypt can perform the DNS validation for that domain (and its subdomains).
This way I can use server-1.local.example.com, server-2.local.example.com, workstation-1.local.example.com internally with TLS.
And we should be thankful that workflow is supported by LE. I just don’t think it’s a reasonable expectation that people will buy a domain and host a public nameserver so they can run QUIC on localhost.
You can point a CNAME somewhere where you have e.g. https://github.com/joohoi/acme-dns, which is meant just for this.
There are even providers (listed later in the linked README) that you can use this with, without managing other software.
ACME supports multiple challenge types. The most popular is the HTTP-01 challenge, but there is also the DNS-01 challenge (via TXT record) which allows validation without exposing your webserver to the internet.
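What each challenge type actually publishes, as an added Python example that is not from the thread or from any ACME client: both HTTP-01 and DNS-01 bind the CA's token to the account key's RFC 7638 thumbprint, and DNS-01 only ever exposes a hash of that in a TXT record. The account key, token and domain below are constructed placeholders.

```python
# Added example: derives the HTTP-01 and DNS-01 challenge responses of
# RFC 8555 from a token and an account key. Not code from any ACME client;
# SAMPLE_JWK and SAMPLE_TOKEN are constructed placeholders, not real values.
import base64
import hashlib
import json

# RFC 7638: the members that go into the thumbprint, per key type.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (sorted keys, no whitespace) of the required members."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Ties the CA-issued token to the account key (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """HTTP-01: (path on port 80 the CA fetches, body it expects)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_record(domain: str, token: str, jwk: dict) -> tuple:
    """DNS-01: (TXT record name, value); only the hash leaves your network."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample account key and token (placeholder values, not a usable key).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus_not-a-real-key"}
SAMPLE_TOKEN = "constructed-sample-token_0123456789abcdef"

if __name__ == "__main__":
    print(http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_txt_record("local.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the TXT value is a hash, a DNS-01 record can sit in a public zone (or an acme-dns zone reached via CNAME) without the origin host being reachable at all.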
Sure, you can get anything to work, but it WILL be a huge PITA.