238 points edent | 6 comments
meepmorp ◴[] No.29809113[source]
I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.
replies(4): >>29809289 #>>29809335 #>>29810148 #>>29811399 #
1. mojzu ◴[] No.29810148[source]
I've been using it too and it works well, particularly with Caddy to do automatic certificates with ACME where possible

Plus all my services go through Tailscale, so although I am leaking internal hostnames via DNS, all those records point to is 100.* addresses

replies(3): >>29810377 #>>29812881 #>>29821280 #
2. chrisweekly ◴[] No.29810377[source]
I'm a fan of both Caddy and Tailscale; any chance you have any devnotes to share on your setup?
replies(1): >>29814497 #
3. mojzu ◴[] No.29814497[source]
My notes were pretty rough but I've tried putting them into a gist here:

https://gist.github.com/mojzu/b093d79e73e7aa302dde8e335945b2...

Which covers using step-ca with Caddy to get TLS certs via ACME for subdomains, and protecting internal services using client certificates/mTLS.

I then install Tailscale on the host which is running the docker containers, and configure the firewall so that only other 100.* IP addresses can connect to ports 80/443/444. The combination of VPN+MTLS mitigates most of my worries about exposing internal subdomains on public DNS

replies(1): >>29818008 #
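As an added illustration (not taken from the gist or the poster's setup), a minimal Caddyfile showing the two pieces described above: Caddy obtaining certificates from a step-ca ACME provisioner instead of a public CA, and a site that only accepts clients presenting a certificate issued by that CA. The hostnames, file paths and the provisioner name "acme" are assumed placeholders.

```caddyfile
{
    # Point Caddy's ACME client at the internal step-ca instead of a public CA.
    # "ca.internal.example" and the provisioner name "acme" are placeholders;
    # step-ca exposes its ACME directory at /acme/<provisioner>/directory.
    acme_ca https://ca.internal.example/acme/acme/directory
    # Root certificate of the internal CA, so Caddy trusts step-ca's own TLS endpoint.
    acme_ca_root /etc/caddy/root_ca.crt
}

# Internal service: the server certificate comes from step-ca via ACME, and
# every connection must present a client certificate chaining to the same root (mTLS).
app.internal.example {
    tls {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/root_ca.crt
        }
    }
    reverse_proxy app:8080
}
```

The hostname still has to resolve (here via DNS to the host's Tailscale 100.* address) so the ACME challenge from step-ca can reach Caddy; the host firewall, not this file, decides who can reach ports 80/443 at all.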
4. chrisweekly ◴[] No.29818008{3}[source]
Awesome, thanks!
5. dolmen ◴[] No.29821280[source]
Tailscale+TLS: isn't it two strong layers of encryption?
replies(1): >>29822819 #
6. mojzu ◴[] No.29822819[source]
Yeah, it's probably overkill but I think the multiple layers would help in case I misconfigured something or if an account someone uses to log into Tailscale was compromised. For example, when I ran the containers on a Linux host I discovered later that Docker was bypassing the firewall rules and allowing all connections, but it probably wasn't a big deal because of the mTLS (and the server was behind a NAT router anyway so it was only addressable within the local network).