I'm not clear here if "Internet access" means incoming access, outgoing access, or neither.
To be clear, the solution above requires no incoming access. It's 100% client; there's no server access (client to the DNS API, client to ACME).
If the device does not have client access to anything then the certificate can be obtained from another device. You would then need some mechanism to put the certificate on the device.
I agree that IoT devices are problematic, they either need client access to the Internet (which most don't get) or they need to run a "server" of some kind to receive the certificate updates. If you're lucky this could be automated.
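The client-only ACME flow discussed above, as an added example that is not from the original thread: the values a device (or a helper machine acting for it) computes for the DNS-01 challenge and publishes through its DNS API, per RFC 8555 and the RFC 7638 JWK thumbprint. The account key and token below are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for all encoded fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())

# RFC 7638: thumbprint covers only the required public members, sorted, compact JSON.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token from the challenge, joined to the account key thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Return (TXT record name, TXT value) to publish; RFC 8555 s8.4.
    A wildcard identifier is validated at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    value = sha256_b64url(key_authorization(token, account_jwk).encode("ascii"))
    return f"_acme-challenge.{base}", value

# Constructed sample account key (not a valid curve point) and challenge token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE",
              "y": "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI",
              "kid": "ignored-by-thumbprint"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name} IN TXT \"{value}\"")  # this is the only thing the DNS API has to accept
```

The device never listens for anything: it pushes one TXT record outbound to the DNS API, then tells the ACME server (again outbound) to validate.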
I have found it relatively easy to just run a local CA for my isolated network. I didn't find it too difficult to set up. I run around 600 servers and about 20x that in IoT devices.
And how did you provision any of this? Did you take each device, connect to it while on that same network in a completely unauthenticated manner, and provision certificates? Can you send links to webpages on these devices to ordinary browsers that aren’t provisioned with the certificates? Would someone who doesn’t fully trust you and your infrastructure be willing to install your certificate?