
> Self-signed certificates used to be the solution in this situation. But browser makers have made it significantly harder, if not impossible, to use self-signed certificates, by not allowing the user to visit sites that have self-signed certificates.

That comes with other perils, which is why the browser behaviour these days is like this. In browsers you can still trust the certificate by adding a manual exception if you want to persist with this route.

Better would be to create an in-house CA (easyca maybe) so that the CA cert can be added rather than lots of individual ones.

Let's Encrypt works when you are able to prove you are the owner of the object in the CN. They have a few auth plugins that try and verify this ownership in an automated way, but none of them work (without some workarounds) for internal hosts, e.g. you're using private IP blocks and potentially made-up DNS zones on your intranet; you don't necessarily own them. For example, you want a certificate for 192.168.1.1 with the domain foo.localdomain.



