On 2017-04-25 05:27, Stuart Henderson wrote:
> On 2017-04-25, Adam Thompson <athom...@athompso.net> wrote:
>> By definition, you will (probably) not be able to use the ACME
>> protocol - it only works (normally) when your system is connected
>> directly to the public internet with a static IP address.
>> Simply because you say "behind a corporate firewall", I already know
>> (or at least assume) that ACME will not work for you, ever.
>> ACME, and LetsEncrypt, only handles public websites. There are ways
>> around this, but they are painful and likely not worthwhile - it
>> *will* be cheaper to just buy a regular SSL certificate than to get a
>> LetsEncrypt certificate for an internal server.
>
> Fake news :)
Ha! That made me laugh!
I was deliberately omitting all the details of the other challenge
protocols, because (see below). But yes, I deliberately sacrificed
correctness for utility in my response.
> Firstly, with dns-01 challenge you can get a certificate for a server
> which doesn't allow external access at all (the request and challenge
> can be done with completely separate machines than the certificate
> is for).
>
> Secondly, some environments permit inbound connections but require
> a proxy for outbound access from a DMZ. In a hosting environment,
> restricting outbound access is often more important than inbound.
While it's possible that this was the case, the fact the OP was even
asking the question in the first place strongly suggests that this is
not his situation.
I stand by my statement that just buying a cheap SSL cert will, for
anything other than the simple case of an online, directly-connected,
webserver, be cheaper than the labour required to obtain a LetsEncrypt
certificate.
From what I've read so far, you'd have to be *really* committed to
LetsEncrypt to go to the bother of using any of the alternate challenge
protocols. In all the situations where one person could complete the
process themselves, that person is highly likely to simply be directly
connected anyway - so why bother?
Once the entire CA industry moves towards ACME (if that happens) then I
can see a number of situations where those alternate challenge protocols
will be useful and/or required, but for a LetsEncrypt certificate? It
just doesn't seem worthwhile. Especially when the cost of a
single-hostname SSL cert (which meets the needs of many users) is now
somewhere below US$5/year!
And neither of us addressed the fact that for a server that's "behind a
corporate firewall", there's a good chance that it's not even using a
legit gTLD/ccTLD, which means getting an external domain-validated SSL
cert for it will be (or should be!) impossible in the first place.
-Adam
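The dns-01 challenge Stuart mentions works without any inbound connection because the only thing the CA inspects is a TXT record under `_acme-challenge.<name>`. The following added example (not from the thread or from any ACME client) computes that record value the way RFC 8555 defines it (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 account-key thumbprint) and then performs the CA-side comparison against a DNS answer passed in offline; the account key, modulus and token are constructed sample values, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required
    public members only (RSA: e, kty, n; EC: crv, kty, x, y), keys sorted,
    no whitespace. Extra members such as 'kid' or 'alg' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Key authorization string: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the CA expects in _acme-challenge.<name> TXT:
    base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_satisfied(txt_records: list, token: str, jwk: dict) -> bool:
    """CA-side check: accept if any TXT record returned for
    _acme-challenge.<name> equals the expected value. The DNS answer is
    passed in here so the check runs offline."""
    expected = dns01_txt_value(token, jwk)
    return any(record == expected for record in txt_records)


# Constructed sample account key (modulus truncated, NOT a real key) and a
# token in the shape the CA hands out; both are placeholders for this example.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cb"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # The record an operator would publish for an internal-only host.
    print("_acme-challenge.internal.example. IN TXT",
          dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the DNS zone is the only thing validated, the record can be published from a management host that is not the server receiving the certificate, which is the point Stuart makes above.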