238 points edent | 1 comments

Mister_Snuggles No.29809420
> The only real answer to this is to use Wildcard Certificates. You can get a TLS certificate for *.internal.example.com

Does Let's Encrypt support Subject Alt Names on the wildcard certs?

My experience suggests that wildcard certs work, but require a SAN entry for each "real" host because browsers don't trust the CN field anymore. e.g., my *.apps.blah cert doesn't work unless I include all of the things I use it on - homeassistant.apps.blah, nodered.apps.blah, etc.

Do Let's Encrypt certificates have something special that negates this requirement? Or am I completely wrong about the SAN requirement?

1. formerly_proven No.29809732
The whole point of a wildcard certificate is that you don't have to exhaustively list all covered hostnames.
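
As an added example (not part of either comment above), this sketch shows how a client matches a hostname against a certificate's SAN dNSName entries under RFC 6125-style rules: the CN is ignored, and a `*` as the whole leftmost label covers exactly one label. The function names and hostnames are constructed for illustration, and requiring two labels after the wildcard is a simplification of the public-suffix check real clients perform.

```python
from typing import Iterable, Optional


def _labels(name: str) -> list:
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A real hostname has no empty labels and no literal '*'.
    if "" in h or any("*" in label for label in h):
        return False
    # The wildcard never spans label boundaries, so label counts must agree.
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require at least two labels to the right of '*',
        # which rejects over-broad entries such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(hostname: str,
                san_dns_names: Iterable[str],
                common_name: Optional[str] = None) -> bool:
    """Check a hostname against a certificate's names.

    common_name is accepted only to show that it plays no part:
    matching is done against the SAN entries alone.
    """
    return any(san_entry_matches(entry, hostname) for entry in san_dns_names)


if __name__ == "__main__":
    # Constructed sample: one wildcard SAN entry, no per-host entries.
    san = ["*.internal.example.com"]
    for host in ("homeassistant.internal.example.com",
                 "nodered.internal.example.com",
                 "internal.example.com",
                 "a.b.internal.example.com"):
        print(host, cert_covers(host, san))
```

A single wildcard dNSName in the SAN covers every direct child name, while the bare parent name and deeper subdomains need their own entries.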