





















> But you can just use DNS-01 validation for non-wildcard certificates.
Sure, but then you need to arrange connectivity between the servers in question and the DNS authoritative server (as opposed to the DNS server it normally talks to). Which is certainly possible but Yet Another Things That Can break. You're only going to notice it's broken a month after it breaks. Unless you add monitoring on that too.
It's a cost/benefit thing: does the benefit of a having a proper certificate outweigh with the extra costs over just creating a 10-year self-signed cert and calling it a day.
I thinks it's just a matter of time. Nginx is getting ACME support built-in. You can apparently host your own ACME server internally. The issue of having all your internal systems appear in Certificate Transparency is annoying. Sysadmins need to get used to automatically generating internal certificates and monitoring that. If the costs go down far enough it will happen.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。