[tgsovlerkhgsel]

> - Make the device use an ACME server to provision its certificate. The device must be publicly accessible so the ACME server can reach it.

This seems like the most reasonable approach given that the need for HTTPS certificates arises from public accessibility.

[stefan_]

Certificates arise from authentication. What does any part of it have to do with public accessibility? I can share GPG keys with my friend by printing them, but when it's a certificate I should really get it validated by Egypt Mubarak CA services, TurkTrust or RussiaRSA?

[tgsovlerkhgsel]

You should get it validated by Let's Encrypt so that the warning goes away.

The reality is that you either push the button (get the key certified), or bad things happen (users get warnings and - for the average user - simply can't use encryption). Pushing the button also doesn't have significant negative effects, and while you can lament alternative proposals at length, there is _some_ reason behind the status quo.

So you should push the button.