
238 points edent | 3 comments
meepmorp No.29809113
I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.
replies(4): >>29809289 >>29809335 >>29810148 >>29811399
mojzu No.29810148
I've been using it too and it works well, particularly with Caddy to do automatic certificates with ACME where possible.

Plus all my services go through Tailscale, so although I am leaking internal hostnames via DNS, all those records point to is 100.* addresses.

replies(3): >>29810377 >>29812881 >>29821280
1. chrisweekly No.29810377
I'm a fan of both Caddy and Tailscale; any chance you have any devnotes to share on your setup?
replies(1): >>29814497
2. mojzu No.29814497
My notes were pretty rough but I've tried putting them into a gist here:

https://gist.github.com/mojzu/b093d79e73e7aa302dde8e335945b2...

Which covers using step-ca with Caddy to get TLS certs via ACME for subdomains, and protecting internal services using client certificates/mTLS.

I then install Tailscale on the host which is running the docker containers, and configure the firewall so that only other 100.* IP addresses can connect to ports 80/443/444. The combination of VPN+mTLS mitigates most of my worries about exposing internal subdomains on public DNS.

replies(1): >>29818008
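The setup described in the comment above, written out as an added example Caddyfile (it is not the commenter's gist and not code from Caddy, step-ca or Tailscale): Caddy obtains server certificates from a step-ca ACME provisioner, requires a client certificate for the internal service, and, as an in-Caddy stand-in for the commenter's host firewall rule, aborts requests that do not arrive from the Tailscale address range. The hostnames, file paths, the provisioner name `acme`, the snippet name and the upstream container name and port are assumptions.

```caddyfile
{
    # Assumption: step-ca runs at ca.internal.example with an ACME
    # provisioner named "acme"; step-ca exposes it at /acme/<name>/directory.
    acme_ca https://ca.internal.example/acme/acme/directory
    # Caddy must trust the private root to reach step-ca over TLS.
    acme_ca_root /etc/caddy/root_ca.crt
}

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10,
# which is what "100.* addresses" in the comment refers to.
(tailnet_only) {
    @outside not remote_ip 100.64.0.0/10
    abort @outside
}

dashboard.internal.example {
    import tailnet_only

    tls {
        client_auth {
            # Reject any connection that does not present a client
            # certificate chaining to the step-ca root (the client sends
            # its leaf plus the step-ca intermediate).
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/root_ca.crt
        }
    }

    # Assumption: the protected service is a container named "dashboard".
    reverse_proxy dashboard:8080
}
```

The `remote_ip` check reproduces at the HTTP layer what the commenter's host firewall does for ports 80/443/444 and is a second layer alongside it, not a replacement; `remote_ip` matches the TCP peer address, so it is not influenced by forwarded-for headers unless Caddy is configured to trust them.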
3. chrisweekly No.29818008
Awesome, thanks!