238 points | edent | 6 comments
1. cure ◴[] No.29809437[source]
> OK, so you decide to have an internal DNS - now the whole world knows you have doorbell-model-xyz.myhome.example.com!

Uhm, or you use split horizon DNS? Who in their right mind would leak all their internal DNS names into a public DNS zone?

2. ◴[] No.29809492[source]
3. edent ◴[] No.29809549[source]
Sorry for the poor wording on my part. I meant that if you issue a LE Cert for your doorbell, and give it a "sensible" name, the name will appear in the CT Log.
4. cyberge99 ◴[] No.29809557[source]
Named certs have the hostnames they’re valid for in the Certificate itself.

“View Certificate” in a browser, or openssl s_client on the CLI will show you.
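
The point made in the comment above, as an added example that is not part of the original comment: the script builds a throwaway self-signed certificate and reads its hostnames back out. It uses `openssl x509` on a local file instead of `openssl s_client` so that it runs offline; the second hostname and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Hostname nas.myhome.example.com and the function names
# are constructed; the doorbell name is the one quoted in the thread.

# Print one DNS name per line from a certificate's subjectAltName extension.
# Needs OpenSSL 1.1.1 or later for `x509 -ext`.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# Create a throwaway self-signed certificate (constructed sample input)
# in directory $1, valid for two internal-looking names.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=doorbell-model-xyz.myhome.example.com" \
        -addext "subjectAltName=DNS:doorbell-model-xyz.myhome.example.com,DNS:nas.myhome.example.com" \
        2>/dev/null
}

# Demo: anyone holding the certificate can read the names back.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" && cert_dns_names "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

Running `cert_dns_names` over the certificates you already hold is a quick way to inventory which internal names each one carries.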

5. teekert ◴[] No.29809564[source]
That's in the article, Let's Encrypt leaks them for you, if you use them for your intranet.
6. icedchai ◴[] No.29809694[source]
I don't bother with split horizon DNS for my home network.