
238 points edent | 5 comments
imadethis No.29809315
This seems like a perfect use case for wild card certs, especially if you have internal sites on a different (sub) domain from your prod servers. Yes, multiple servers have the same private key, but when the alternative is self-signed or no encryption, that is an easy trade-off for me.
replies(3): >>29809569 #>>29811047 #>>29812720 #
justusthane No.29809569
I don't know how LE does it, but at least with DigiCert (and I assume other commercial CAs), servers sharing the same wildcard cert don't have to share a private key. You generate a separate CSR from each server, and then request a duplicate copy of the wildcard cert using that CSR. That way they can have different SANs as well.
replies(2): >>29809759 #>>29811861 #
zrail No.29809759
Wildcard certs are (only?) issued from DNS-01 challenges. As long as the requester can satisfy the DNS challenge ACME doesn't care about key uniqueness.
replies(2): >>29809856 #>>29810793 #
dsr_ No.29809856
Right. If you control the DNS, you can point names at any IP address and get appropriate certs for them. Therefore, you must protect your DNS infrastructure.
replies(1): >>29810144 #
Hamuko No.29810144
Isn't the need to protect your DNS infrastructure pretty obvious anyways even when ignoring certificate validation?
replies(2): >>29810863 #>>29818074 #
rocqua No.29810863
Besides, if I can change your DNS, I can change your HTTP responses as well. So control over DNS already lets me get a Let's Encrypt cert for you anyway. Though it is slightly easier to notice if someone changes your DNS to point to a different server than if someone adds a TXT record. I say slightly because if I change your DNS to point at my server I can just proxy requests to your old server so everything still looks like it works.

Heck, even with most other certificate issuers I can get a cert in similar ways when controlling DNS.

replies(1): >>29811117 #
egberts1 No.29811117
How often does one monitor their zone files and their updates?

Would you be able to catch new subdomains being created under your watch?
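One way to answer that question in practice, as an added example that is not from any commenter in this thread: diff two snapshots of a zone and flag exactly the changes discussed above, namely names newly appearing under the zone, new `_acme-challenge` TXT records (the DNS-01 validation path zrail mentions), and A records re-pointed to a different address. The zone text is constructed sample data in a simplified one-record-per-line layout, not a real zone.

```python
from collections import defaultdict

def parse_zone(text):
    """Map (owner name, record type) -> set of rdata strings.

    Accepts a simplified layout: name TTL IN TYPE rdata (';' starts a comment).
    """
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        fields = line.split(None, 4)
        if len(fields) < 5:          # blank, comment-only or malformed line
            continue
        name, _ttl, _cls, rtype, rdata = fields
        records[(name.lower(), rtype.upper())].add(rdata)
    return records

def zone_alerts(before_text, after_text):
    """Flag new names, new DNS-01 challenge TXT records and re-pointed A records."""
    before, after = parse_zone(before_text), parse_zone(after_text)
    old_names = {name for name, _ in before}
    alerts, seen_new = [], set()
    for (name, rtype), rdata in sorted(after.items()):
        if name not in old_names and name not in seen_new:
            seen_new.add(name)
            alerts.append(f"NEW_NAME {name}")
        if rtype == "TXT" and name.startswith("_acme-challenge.") \
                and rdata - before.get((name, rtype), set()):
            alerts.append(f"ACME_CHALLENGE {name}")
        if rtype == "A" and (name, rtype) in before and rdata != before[(name, rtype)]:
            alerts.append(f"A_CHANGED {name} {sorted(before[(name, rtype)])} -> {sorted(rdata)}")
    return alerts

# Constructed sample snapshots (not real zone data).
BEFORE = """\
example.com.      300 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300
www.example.com.  300 IN A   192.0.2.10
api.example.com.  300 IN A   192.0.2.11
"""
AFTER = """\
example.com.      300 IN SOA ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300
www.example.com.  300 IN A   198.51.100.7   ; re-pointed to another host
api.example.com.  300 IN A   192.0.2.11
_acme-challenge.example.com. 60 IN TXT "constructed-token"
staging.example.com. 300 IN A 203.0.113.5
"""

if __name__ == "__main__":
    for alert in zone_alerts(BEFORE, AFTER):
        print(alert)
```

Run against periodic zone exports (or AXFR output normalised to this layout) and route the ACME_CHALLENGE and A_CHANGED alerts to whoever approves certificate issuance.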

fomine3 No.29818074
Obvious, but tends to be missed on small deployments.