Comment by cyberax

2 days ago

> CT logs do allow enumeration, but avoiding that is just security through obscurity.

Well, yes. There are also other issues, like rate limits. Some companies have hundreds of thousands of hosts (some virtual) and requesting certificates for all of them might be problematic.

> If you want to avoid enumeration of internal-only hosts: just use your own self-signed root cert.

This becomes increasingly problematic as browsers start relying on DoH/DoT or make it more difficult to enroll custom root certs.

> Nobody's stopping you from writing an ACME proxy which only forwards requests from known-good hosts to LE & friends.

I actually tried that. LE uses multiple viewpoints to resolve the challenges, so you need to open your internal DNS resolvers/HTTPS to basically all the world. Or play with the horror of split-horizon DNS.