
238 points | edent | 2 comments

meepmorp No.29809113
I've used https://smallstep.com/docs/step-ca/ as a CA internally, works well.
replies(4): >>29809289 >>29809335 >>29810148 >>29811399
mojzu No.29810148
I've been using it too and it works well, particularly with Caddy to do automatic certificates with ACME where possible

Plus all my services go through Tailscale, so although I am leaking internal hostnames via DNS, all those records point to is 100.* addresses

replies(3): >>29810377 >>29812881 >>29821280
1. dolmen No.29821280
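The step-ca plus Caddy setup described in the post above, as an added example that is not from the thread, from smallstep or from the Caddy project: a Caddyfile that points Caddy's built-in ACME client at an internal step-ca instead of a public CA. The host name ca.internal, the port 9000, the provisioner name acme and the root certificate path are assumptions; the ACME provisioner is created on the CA side with `step ca provisioner add acme --type ACME` followed by a restart of step-ca, and its directory URL then has the form shown.

```caddyfile
# Added example (not from the thread). Assumes step-ca listens at
# https://ca.internal:9000 with an ACME provisioner named "acme", and that
# the CA's root certificate has been copied to /etc/step/root_ca.crt.
{
	# Directory URL of the step-ca ACME provisioner (hypothetical host/port).
	acme_ca https://ca.internal:9000/acme/acme/directory
	# Trust the private root only for talking to the CA; this does not touch
	# the system trust store, so a misconfigured or compromised CA endpoint
	# cannot be substituted by anything the OS already trusts.
	acme_ca_root /etc/step/root_ca.crt
}

# Internal site; the certificate is issued by step-ca automatically and
# renewed by Caddy. The hostname should resolve, from the CA as well as from
# clients, to the host's Tailscale (100.*) address.
app.internal {
	reverse_proxy 127.0.0.1:8080
}
```

Two caveats a practitioner will hit: step-ca validates the HTTP-01 or TLS-ALPN-01 challenge by connecting back to the requesting host on port 80 or 443, so on a tailnet-only deployment the CA itself must be a Tailscale node that resolves app.internal to the 100.* address; and the step-ca root must be distributed to every client that should trust the issued leaf certificates, since `acme_ca_root` only affects Caddy's own connection to the CA.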
Tailscale+TLS: isn't it two strong layers of encryption?
replies(1): >>29822819
2. mojzu No.29822819
Yeah, it's probably overkill, but I think the multiple layers would help in cases where I misconfigured something or if an account someone uses to log into Tailscale was compromised. For example, when I ran the containers on a Linux host I discovered later that Docker was bypassing the firewall rules and allowing all connections, but it probably wasn't a big deal because of the mTLS (and the server was behind a NAT router anyway, so it was only addressable within the local network).