←back to thread

Should you use Let's Encrypt for internal hostnames?

(shkspr.mobi)
238 points edent | 5 comments | 05 Jan 22 12:42 UTC | HN request time: 0.333s | source
Show context
justin_oaks ◴[05 Jan 22 16:15 UTC] No.29810845[source]
We have an internal certificate authority for internal domains at my job. We add the root CA certificate to each desktop or server through an endpoint agent that runs on every machine. That agent is used for monitoring, provisioning users, and even running arbitrary commands.

The article mentions BYOD (bring your own device) but we don't allow personal devices to connect to internal services, so this isn't an issue for us.

You can use something like EasyRSA to set up an internal certificate authority and generate server certificates signed by that certificate authority. I started using plain old OpenSSL for generating certificates, which EasyRSA uses under the hood, but I would have liked to start by using EasyRSA in the first place.

By the way, EasyRSA still isn't that easy, but it's better than using OpenSSL directly.

replies(4): >>29811362 #>>29811485 #>>29811970 #>>29816907 #
1. throw0101a ◴[05 Jan 22 16:48 UTC] No.29811362[source]
> We have an internal certificate authority for internal domains at my job. We add the root CA certificate to each desktop or server through an endpoint agent that runs on every machine.

One challenge to this is some software doesn't use the operating system's CA chain by default. A lot of browsers use their own internal one and ignore what the OS does (by default).

replies(3): >>29811531 #>>29811549 #>>29813614 #
2. YPPH ◴[05 Jan 22 16:59 UTC] No.29811531[source]
Chrome, Edge, Safari and (god forbid) IE will use system certificate stores.

Firefox was a challenge. But my understanding is that now, on Windows, it will now import enterprise root certificates from the system store automatically.

https://bugzilla.mozilla.org/show_bug.cgi?id=1265113

https://support.mozilla.org/en-US/kb/how-disable-enterprise-...

replies(1): >>29811821 #
3. grogenaut ◴[05 Jan 22 17:00 UTC] No.29811549[source]
The big-co I work for handles this via some tooling that checks for browsers and sees if the cert is installed, or by having the ca page signed regularly and having people self install. "Your site look wierd, likely you are missing the CA". It's not solved solved but it's mostly solved. The browsers that come with the image on the enterprise release cadence all have the cert. The people adding other browsers are usually devs or technically savvy enough to add a CA.
4. RealStickman_ ◴[05 Jan 22 17:18 UTC] No.29811821[source]
On Linux Firefox imports system certificates automatically, but shows a warning that the certificate is not trusted by Mozilla.
5. paxys ◴[05 Jan 22 19:22 UTC] No.29813614[source]
It is also troublesome when you have to manage cert loading not just on end devices but ephemeral VMs and containers as well.