
You can use Let’s Encrypt to request certificates for websites free of charge. The disadvantage of such a certificate is that it is only valid for 90 days. So you have to renew them regularly. An organization that wanted to use many Let’s Encrypt certificates for internal websites contacted me with two challenges.
Point one: the fact that Let’s Encrypt forces you to renew regularly is good security, because every renewal re-checks that the party requesting the certificate actually controls the domain name the certificate is for. But if the manual renewal work is automated, that check still happens every time and a major efficiency gain is achieved on top of it.
Point two: because these are internal websites that deliberately cannot be reached from the internet, Let’s Encrypt cannot connect to them to perform the validation it needs (the usual check fetches a token over HTTP from the website itself).
The solution I came up with took some puzzling, but ultimately works very well. The DNS zone for the internal domain names is hosted publicly and can be queried from the internet. That can’t hurt: the hostnames are visible, but the services behind them are not. Point two could therefore be solved by performing the validation via DNS instead of via the website: Let’s Encrypt then only looks up a TXT record under _acme-challenge.<hostname> (the DNS-01 challenge) and never needs to connect to the site. The party hosting the DNS offered an API to change records automatically, so the challenge record can be created and removed again without manual work. Two things to keep in mind with this setup: the API credentials now allow whoever holds them to obtain certificates for every name in the zone, so they deserve the same protection as a private key, and because Let’s Encrypt publishes every issued certificate to the Certificate Transparency logs, the internal hostnames become publicly searchable, not only resolvable.
I solved point one by writing a Linux script that runs every night, checks how much validity each certificate has left, and automatically renews the ones approaching their expiration date. Let’s Encrypt itself recommends renewing with 30 days or less remaining; checking nightly means a failed renewal (an API outage, for example) is simply retried the next night, long before the certificate actually expires.
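The nightly check described above, written out as an added example. This is not the author’s script (the article does not show it) and it makes a few assumptions: renewal goes through certbot with a DNS plugin for the hosting party’s API (the article does not name the provider, so the plugin flags are placeholders), certificates are stored under CERT_DIR as certbot lays them out, and openssl and GNU date are available on the host.

```shell
#!/bin/sh
# Nightly certificate check: renew anything within RENEW_BEFORE_DAYS of expiry.
# Added example, not the script from the original article.
# Assumptions: certificates live as <hostname>/cert.pem under CERT_DIR,
# openssl and GNU date are installed, and renewal goes through certbot's
# DNS-01 flow with a provider plugin (PROVIDER below is a placeholder).
set -eu

CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"
DNS_CREDENTIALS="${DNS_CREDENTIALS:-/etc/letsencrypt/dns-api.ini}"

# Pure comparison on epoch seconds: succeeds when the expiry is less than
# RENEW_BEFORE_DAYS away, or already in the past.
within_renewal_window() {
    expiry_epoch="$1"
    now_epoch="${2:-$(date -u +%s)}"
    [ $(( expiry_epoch - now_epoch )) -lt $(( RENEW_BEFORE_DAYS * 86400 )) ]
}

# Expiry of a PEM certificate as epoch seconds (GNU date is needed for -d).
cert_expiry_epoch() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$enddate" +%s
}

# Whole days left on a certificate, truncated toward zero; negative once expired.
days_until_expiry() {
    printf '%s\n' $(( ( $(cert_expiry_epoch "$1") - $(date -u +%s) ) / 86400 ))
}

# Succeeds when the certificate file should be renewed tonight. openssl's
# -checkend does the comparison itself, so no date parsing is involved:
# it exits 0 when the certificate will still be valid after that many seconds.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( RENEW_BEFORE_DAYS * 86400 )) >/dev/null
}

# Renew one hostname via the DNS-01 challenge. Let's Encrypt looks up the
# _acme-challenge.<hostname> TXT record instead of connecting to the site,
# so the site stays unreachable from the internet. Replace PROVIDER with the
# certbot DNS plugin for your DNS host (placeholder, see lead-in).
renew_cert() {
    certbot certonly --non-interactive --agree-tos \
        --preferred-challenges dns \
        --dns-PROVIDER --dns-PROVIDER-credentials "$DNS_CREDENTIALS" \
        -d "$1"
}

# Walk every certificate and renew the ones approaching expiry.
nightly_check() {
    for dir in "$CERT_DIR"/*/; do
        cert="${dir}cert.pem"
        [ -f "$cert" ] || continue
        host=$(basename "$dir")
        if needs_renewal "$cert"; then
            printf 'renewing %s (%s days left)\n' "$host" "$(days_until_expiry "$cert")"
            renew_cert "$host"
        else
            printf '%s ok (%s days left)\n' "$host" "$(days_until_expiry "$cert")"
        fi
    done
}

# Run from cron, e.g.  0 3 * * * /usr/local/sbin/renew-check.sh run
if [ "${1:-}" = "run" ]; then
    nightly_check
fi
```

With certbot specifically, `certbot renew` already performs this expiry test on its own (by default it renews certificates that have 30 days or less left), so the script above mostly adds the fixed schedule and the per-host logging; with another ACME client, the `openssl x509 -checkend` test is the portable way to take the decision. The credentials file handed to the DNS plugin can mint certificates for every name in the zone, so keep it readable by root only.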