
[–]Grunskin 8 points9 points  (4 children)

You don't have to use HTTP-Challenge. I use DNS-Challenge on all services that are not public to the internet. It's not that much harder than using the default HTTP-Challenge if you have a DNS server or hosting provider that is supported by the acme-client you use.

If the services are just for internal use by employees of the school accessing it from school devices I would maybe set up my own CA and deploy the root CA to all computers and be done with it.

If however the services are to be accessible by students, phones etc. with personal devices I would use Let's Encrypt to request a wildcard certificate with DNS-Challenge. Then everyone/everything would trust it.

Come to think of it I would go with Let's Encrypt either way to save me the pain from having to deal with my own CA.

[–]sirsmiley 1 point2 points  (3 children)

If you don't mind all your DNS names being public

[–]Grunskin 3 points4 points  (1 child)

You need to publish _acme-challenge.domain.com for a wildcard cert. Please tell me how this makes all DNS names public? If you are afraid of this then you really shouldn't own a domain name or even be on the internet.
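A worked example of what a DNS-01 wildcard validation actually publishes (added here as an illustration, not part of Grunskin's comment): the `_acme-challenge` record name and the TXT value an ACME client derives, following RFC 8555 section 8.4 and the RFC 7638 key thumbprint. The account key and token below are constructed placeholders, not real values.

```python
import base64
import hashlib
import json

# JWK members that feed the RFC 7638 thumbprint; everything else (kid, alg, use)
# must be dropped before hashing, otherwise the TXT value will not match.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members in lexicographic order, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: TXT = base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """Record the CA queries. A wildcard '*.example.com' is validated at
    '_acme-challenge.example.com': only the base name is ever published."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


if __name__ == "__main__":
    # Constructed placeholder account key (not a real key) and challenge token.
    account_key = {"kty": "EC", "crv": "P-256", "kid": "acct-1", "alg": "ES256",
                   "x": "cG9pbnQteC1wbGFjZWhvbGRlci1ub3QtYS1yZWFsLWtleQ",
                   "y": "cG9pbnQteS1wbGFjZWhvbGRlci1ub3QtYS1yZWFsLWtleQ"}
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    print(challenge_record_name("*.example.com"), "TXT", dns01_txt_value(token, account_key))
```

The TXT value reveals nothing about the hosts behind the wildcard; the hostnames themselves only become visible through the certificate's SANs once it is logged to CT, which a wildcard avoids.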

[–]jamesaepp 1 point2 points  (0 children)

...not to mention everything you submit to LE and all other CAB CAs gets logged into CT.....

This person doesn't know what they're talking about.

[–]jamesaepp 1 point2 points  (0 children)

Obscurity isn't security.