[echoangle]

I don’t know about the DNS challenge being discouraged, do you have something to read up on that? As far as I know it’s the only common way to get a wildcard cert.

And also the lifetime isn’t a problem in the setup I described, the internal server that uses the cert can do the dns challenge so it can get a new cert whenever it wants. It only needs to be able to access the DNS api.

[Suzuran]

I must correct myself; The DNS challenge is indeed being discouraged in the future, but it is because the DNS-01 challenge is being replaced by the DNS-PERSIST-01 challenge which addresses deficiencies in DNS-01.

The trust and security issues associated with maintaining intranet resources vs. outsourcing to a dedicated professional cloud service provider remain, but are not related to whether any SSL certificates used are issued through DNS-based verification or not.

[0x000xca0xfe]

DNS challenges are a massive PITA, too. I used them for wildcard certificates but gave up after a couple years because manually renewing them every three months was super annoying.

Unfortunately it is not easy to automate either especially if you use multiple domain providers. Not every hosting has an API and Namecheap wanted $50 for enabling it if I remember correctly.