(shkspr.mobi)

238 points edent | 2 comments | 05 Jan 22 12:42 UTC | HN request time: 0.635s | source

Show context

binwiederhier ◴[05 Jan 22 16:18 UTC] No.29810879[source]▶

My company uses Let's Encrypt extensively for many thousands of customers edge devices which live in their own LAN. As long as the hostnames are random or at least not too telling there's pretty much nothing that you're leaking. Except for the internal IP address (10.x, 192.x,) and how many servers you have. If you can live with that then it's perfectly fine.

I wrote about it a few years ago: https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certi...

replies(1): >>29811072 #

1. reincarnate0x14 ◴[05 Jan 22 16:30 UTC] No.29811072[source]▶

>>29810879 #

If you have split DNS you're not even leaking internal addresses, the public name record just has to exist.

replies(1): >>29816444 #

2. throw0101a ◴[05 Jan 22 23:04 UTC] No.29816444[source]▶

>>29811072 (TP) #

> […] the public name record just has to exist.

Specifically a TXT record for _acme-challenge has to exist for the requested hostname. Or a CNAME of the requested hostname pointing somewhere else that you control:

* https://dan.langille.org/2019/02/01/acme-domain-alias-mode/

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

No A (or AAAA) records needed.

↑

Should you use Let's Encrypt for internal hostnames?