Most active commenters
  • mojzu(3)

←back to thread

Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)
238 points edent | 22 comments | 05 Jan 22 12:42 UTC | HN request time: 0.889s | source | bottom
1. meepmorp ◴[05 Jan 22 14:11 UTC] No.29809113[source]
I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.
replies(4): >>29809289 #>>29809335 #>>29810148 #>>29811399 #
2. mrweasel ◴[05 Jan 22 14:25 UTC] No.29809289[source]
What I'd want is an internal CA, like step-ca, but have the certificates signed by a "real" CA, so I don't have to distribute my own root CA certificate.
replies(7): >>29809419 #>>29809851 #>>29809903 #>>29810475 #>>29810488 #>>29811401 #>>29812390 #
3. gclawes ◴[05 Jan 22 14:27 UTC] No.29809335[source]
I've been setting this up for my homelab under .home.arpa, seems to work pretty well so far.
4. filleokus ◴[05 Jan 22 14:34 UTC] No.29809419[source]
The dream would truly be an internal CA backed by a publicly trusted subordinate cert (limited to the domain you control). But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.
replies(2): >>29809476 #>>29811436 #
5. ◴[05 Jan 22 14:38 UTC] No.29809476{3}[source]
6. corobo ◴[05 Jan 22 15:07 UTC] No.29809851[source]
Wouldn't that allow you to issue certificates for Google.com? Correct me if I've misunderstood but for the sake of discussion pretend cert pinning doesn't exist, use another example domain if it's easier
replies(1): >>29809984 #
7. dsr_ ◴[05 Jan 22 15:12 UTC] No.29809903[source]
That would be a violation of the real CA's duty to only sign certs that they have some basis for believing are correct. (This basis almost always boils down to "controls the DNS".)
8. mrweasel ◴[05 Jan 22 15:19 UTC] No.29809984{3}[source]
I'm not a 100% sure how certificates work. What I imagined would be possible is having a certificate for mydomain.com, which can be used to sign certificates for subdomains.
replies(1): >>29816034 #
9. mojzu ◴[05 Jan 22 15:29 UTC] No.29810148[source]
I've been using it too and it works well, particularly with Caddy to do automatic certificates with ACME where possible

Plus all my services go through Tailscale, so although I am leaking internal hostnames via DNS, all those records point to is 100.* addresses

replies(3): >>29810377 #>>29812881 #>>29821280 #
10. chrisweekly ◴[05 Jan 22 15:45 UTC] No.29810377[source]
I'm a fan of both Caddy and Tailscale; any chance you have any devnotes to share on your setup?
replies(1): >>29814497 #
11. meepmorp ◴[05 Jan 22 15:52 UTC] No.29810475[source]
Yeah, that is the major drawback.
12. dnautics ◴[05 Jan 22 15:53 UTC] No.29810488[source]
Out of curiosity, What's the problem with distributing your own root CAs? Is it security? Or is it "just a PITA"?
replies(1): >>29810502 #
13. Hamuko ◴[05 Jan 22 15:55 UTC] No.29810502{3}[source]
Mostly the second.
14. metafunctor ◴[05 Jan 22 16:51 UTC] No.29811399[source]
This is the correct answer ;)

If you're going to run a serious internal network, you'll need the basic things like NTP, DNS, a CA server, and, yes, some kind of MDM to distribute internal CA certificates to your people. The real PITA is when you don't have these in place.

15. runjake ◴[05 Jan 22 16:51 UTC] No.29811401[source]
This would be called an "Intermediate CA" to those for whom this is unclear.
16. throw0101a ◴[05 Jan 22 16:54 UTC] No.29811436{3}[source]
> But afaik that can’t happen until the Name Constraint Extension is enforced by “all” clients.

For those curious about this extension, see RFC 5280 § 4.2.1.10:

* https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10

17. nym375 ◴[05 Jan 22 17:52 UTC] No.29812390[source]
You really don't actually want this. This intermediate CA would still be subject to the same extensive CAB Forum / vendor root program requirements (audited yearly via WebTrust) as a root CA. There are a ton of requirements, including mandatory response times, that inevitably makes this require a fully staffed team to operate.
18. mojzu ◴[05 Jan 22 20:29 UTC] No.29814497{3}[source]
My notes were pretty rough but I've tried putting them into a gist here:

https://gist.github.com/mojzu/b093d79e73e7aa302dde8e335945b2...

Which covers using step-ca with Caddy to get TLS certs via ACME for subdomains, and protecting internal services using client certificates/mtls

I then install Tailscale on the host which is running the docker containers, and configure the firewall so that only other 100.* IP addresses can connect to ports 80/443/444. The combination of VPN+MTLS mitigates most of my worries about exposing internal subdomains on public DNS

replies(1): >>29818008 #
19. mmalone ◴[05 Jan 22 22:31 UTC] No.29816034{4}[source]
You can put "name constraints" on an intermediate that, in theory, can restrict the intermediate to only signing certs for a particular subdomain. In theory, name-constrained intermediate certificate for `.example.com` would have no more authority than a wildcard certificate for `.example.com`.

But, name constraints are enforced by "relying parties" -- HTTPS/TLS clients & servers that are validating certificates and authenticating remote peers. In practice, there's a risk that a broken/misconfigured relying party would trust a cert for google.com signed by an intermediate that's name constrained / only trusted to issue for `*.example.com`.

20. chrisweekly ◴[06 Jan 22 01:41 UTC] No.29818008{4}[source]
Awesome, thanks!
21. dolmen ◴[06 Jan 22 09:28 UTC] No.29821280[source]
Tailscale+TLS: isn't it two strong layers of encryption?
replies(1): >>29822819 #
22. mojzu ◴[06 Jan 22 12:39 UTC] No.29822819{3}[source]
Yeah, it's probably overkill but I think the multiple layers would help in cases I misconfigured something or if an account someone uses to log into Tailscale was compromised. For example when I ran the containers on a linux host I discovered later docker was bypassing the firewall rules and allowing all connections, but it probably wasn't a big deal because of the MTLS (and the server was behind a NAT router anyway so it was only addressable within the local network)