How to use Let's Encrypt in local networks

A little solution for properly encrypted HTTP traffic in semi-public networks.

Let's Encrypt, as everyone knows, issues publicly trusted TLS certificates for free. Pretty much the only downside is that they are valid for just 90 days, so renewal has to be automated. The default ACME challenge type, http-01, requires an HTTP server to be reachable from the internet (on port 80) at the address the domain name resolves to, for every name the certificate is issued for.

That makes it particularly hard to use when you don't want those services to be public at all, and have no stable public-facing address to expose them on anyway.

My solution is to use the dns-01 challenge instead: the CA proves control of a name by looking up a TXT record at _acme-challenge.<name>, so nothing inside the network needs to be reachable from outside, only the DNS zone does. To keep this reasonably safe, given that devices in a hackerspace-ish environment get compromised quite easily, DNS is manipulated through an HTTP endpoint that authenticates with per-device tokens, and each token only permits changes to that one device's _acme-challenge. TXT record. A compromised device can therefore still obtain certificates for its own name (it holds that token), but it cannot touch any other record in the zone. One caveat that applies to any publicly trusted certificate: the internal hostnames end up in Certificate Transparency logs, so don't put anything in them you'd mind being public.
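As an added illustration of that scoping rule (this is not code from the local-letsencrypt repository), here is a stdlib-only sketch of such an endpoint. Everything concrete in it is assumed: the zone name lan.example.org, the device names printer and nas with their pre-shared tokens, the /record path with Bearer authentication, and an in-memory dict standing in for the real DNS backend.

```python
"""Token-scoped _acme-challenge TXT updates, stdlib only.

Added example, not the local-letsencrypt project's code. An in-memory dict
stands in for the DNS backend; zone, hostnames and tokens are constructed.
"""
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
import re

ZONE = "lan.example.org"  # assumed zone holding the device names

# Constructed per-device tokens. Only SHA-256 digests are kept in the lookup
# table, so a leaked table does not hand out usable bearer tokens.
DEVICE_TOKENS = {
    "printer": "c8b1f0d4e6a2-printer-token",
    "nas": "0f3a9e7c2d11-nas-token",
}
TOKEN_DIGESTS = {
    hashlib.sha256(tok.encode()).hexdigest(): host
    for host, tok in DEVICE_TOKENS.items()
}

# A dns-01 TXT value is base64url(SHA-256(key authorization)): 43 chars, no padding.
TXT_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


class Unauthorized(Exception):
    """Token unknown."""


class Forbidden(Exception):
    """Token valid, but the record name is outside the device's scope."""


def device_for_token(token: str) -> str:
    """Map a bearer token to its device hostname, or raise Unauthorized."""
    host = TOKEN_DIGESTS.get(hashlib.sha256(token.encode()).hexdigest())
    if host is None:
        raise Unauthorized("unknown token")
    return host


def challenge_name(host: str) -> str:
    """The only record a device may touch: _acme-challenge.<host>.<zone>."""
    return f"_acme-challenge.{host}.{ZONE}"


def authorize(token: str, name: str) -> str:
    """Return the canonical record name if `token` may modify `name`.

    Exact match after normalisation (lower-case, trailing dot stripped), so a
    device cannot hit the zone apex, a sibling host, or a label under its own
    name such as _acme-challenge.foo.printer.<zone>.
    """
    host = device_for_token(token)
    allowed = challenge_name(host)
    if name.lower().rstrip(".") != allowed:
        raise Forbidden(f"token for {host!r} may only modify {allowed}")
    return allowed


def dns01_txt_value(key_authorization: str) -> str:
    """TXT contents for dns-01 (RFC 8555 s8.4): unpadded base64url of SHA-256."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def set_challenge(zone: dict, token: str, name: str, value: str) -> str:
    """Write the TXT record after scope and syntax checks; return the name written."""
    rname = authorize(token, name)
    if not TXT_VALUE_RE.fullmatch(value):
        raise ValueError("value is not a dns-01 challenge digest")
    zone[rname] = value
    return rname


def clear_challenge(zone: dict, token: str, name: str) -> str:
    """Remove the device's challenge record once the order has validated."""
    rname = authorize(token, name)
    zone.pop(rname, None)
    return rname


def apply_request(zone: dict, method: str, token: str, body: dict) -> tuple:
    """Pure request handler used by the HTTP layer: returns (status, response)."""
    name, value = body.get("name", ""), body.get("value", "")
    try:
        if method == "PUT":
            rname = set_challenge(zone, token, name, value)
        elif method == "DELETE":
            rname = clear_challenge(zone, token, name)
        else:
            return 405, {"error": "method not allowed"}
        return 200, {"name": rname, "value": zone.get(rname)}
    except Unauthorized as e:
        return 401, {"error": str(e)}
    except Forbidden as e:
        return 403, {"error": str(e)}
    except ValueError as e:
        return 400, {"error": str(e)}


class Handler(BaseHTTPRequestHandler):
    """PUT/DELETE /record with JSON {"name": ..., "value": ...} and a Bearer token."""
    zone: dict = {}  # the stand-in DNS backend

    def _reply(self, status: int, body: dict) -> None:
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _dispatch(self) -> None:
        if self.path != "/record":
            return self._reply(404, {"error": "not found"})
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        length = int(self.headers.get("Content-Length") or 0)
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
            if not isinstance(body, dict):
                raise ValueError("body must be a JSON object")
        except ValueError as e:
            return self._reply(400, {"error": str(e)})
        status, resp = apply_request(self.zone, self.command,
                                     token if scheme == "Bearer" else "", body)
        self._reply(status, resp)

    do_PUT = do_DELETE = _dispatch


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8053), Handler).serve_forever()
```

The tokens are bearer secrets, so the endpoint itself has to sit behind TLS or on an interface the untrusted devices can only reach over an encrypted path. Note what the scope check does not prevent: the record _acme-challenge.printer.<zone> also validates a wildcard order for *.printer.<zone>, so a device's token is good for its own subtree of names, not just the one hostname.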

Sauce: https://code.hackerspace.pl/informatic/local-letsencrypt