On 2017-04-25, Adam Thompson <athom...@athompso.net> wrote:
> By definition, you will (probably) not be able to use the ACME
> protocol - it only works (normally) when your system is connected
> directly to the public internet with a static IP address.
>
> Simply because you say "behind a corporate firewall", I already know
> (or at least assume) that ACME will not work for you, ever.
>
> ACME, and LetsEncrypt, only handles public websites. There are ways
> around this, but they are painful and likely not worthwhile - it
> *will* be cheaper to just buy a regular SSL certificate than to get a
> LetsEncrypt certificate for an internal server.
Fake news :)

Firstly, with the dns-01 challenge you can get a certificate for a server which doesn't allow external access at all (the request and the challenge can be completed from machines entirely separate from the one the certificate is for).

Secondly, some environments permit inbound connections but require a proxy for outbound access from a DMZ. In a hosting environment, restricting outbound access is often more important than inbound.
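To make the dns-01 point concrete, here is an added example (not code from either poster, and not part of any ACME client) that computes what actually has to be published for a dns-01 challenge, following RFC 8555 section 8.4 and the JWK thumbprint rules of RFC 7638. The only inputs are the public half of the ACME account key and the token the CA returned, so the whole thing can run on a management box that never touches the internal server; the CA then only needs to resolve `_acme-challenge.<domain>` over public DNS. The sample EC key is the public test-vector key from RFC 7515 appendix A.3 and the token string is made up; neither belongs to any real account.

```python
"""dns-01 challenge record derivation (RFC 8555 s8.4, RFC 7638).

Added example: given an ACME account public key (JWK) and a challenge token,
produce the TXT record name and value the CA will look up. Nothing here needs
to run on the host the certificate is for.
"""
import base64
import hashlib
import json

# RFC 7638: members that enter the thumbprint, by key type (lexical order).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Public test-vector key from RFC 7515 appendix A.3, used as constructed input.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # ignored by the thumbprint on purpose
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # made-up token


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported or missing kty") from None
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    return json.dumps({m: jwk[m] for m in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || thumbprint. Tokens are base64url-only."""
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
    if not token or any(c not in allowed for c in token):
        raise ValueError("token must be non-empty base64url text")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record. A wildcard name is validated at its base."""
    base = domain.rstrip(".")
    if base.startswith("*."):
        base = base[2:]
    return f"_acme-challenge.{base}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def record_matches(published_value: str, token: str, jwk: dict) -> bool:
    """What the CA does after querying DNS: compare the value it saw."""
    return published_value == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    name = dns01_record_name("*.intranet.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name}. 60 IN TXT \"{value}\"")
```

Two things worth noting for the corporate-firewall case: the record name for a wildcard such as `*.intranet.example.com` is `_acme-challenge.intranet.example.com`, and the zone it lives in must be resolvable by the CA from the public internet even though the host itself is not, which is exactly why a split-horizon setup or a delegated `_acme-challenge` subzone is the usual trick.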