On Wed, 6 Dec 2017 13:54:36 +0000
> On 2017/12/06 14:13, Tim Kuijsten wrote:
> > But I suspect the demand for acme-client on
> > non-webservers will rise and it will feel more like a kludge to
> > configure, start and stop a webserver in those environments.
>
> Using HTTP at all for these (even if it's only running temporarily)
> feels like a kludge to me.
>
> I have some, and some https servers that aren't public access where
> it's still useful to have a certificate (letsencrypt's HTTP checks can
> come from various locations so they can't just be whitelisted).
> I'm using DNS-01 (currently with Kristaps' version of acme-client)
> for those.

Perhaps that is a better way especially if you don't have any web servers and the server you want one for is more secure than your web server.

I use a web server for my mail server (no big deal considering STARTTLS) to get the cert and then encrypt it with reop and make it downloadable so that all the mail server needs is /usr/bin/ftp and reop. You could use libressl or whatever you like to encrypt or even scp.
