246 points nh2 | 1 comments
ndsipa_pomu ◴[] No.41912342[source]
I prefer to assign an external name to an internal device and grab a free SSL cert from Let's Encrypt, but using the DNS challenge instead, as internal IP addresses aren't reachable by their servers.
replies(9): >>41912368 #>>41912827 #>>41913126 #>>41913387 #>>41913720 #>>41913826 #>>41916306 #>>41917079 #>>41917804 #
DandyDev ◴[] No.41912368[source]
I do this as well, but be aware that these external names you're using for internal devices become a matter of public record this way. If that's okay for you (it is for me), then this is a good solution. The advantage is also that you run no risk of name clashes because you actually own the domain.
replies(7): >>41912424 #>>41912505 #>>41912544 #>>41912570 #>>41912671 #>>41912732 #>>41919325 #
xfer ◴[] No.41912424[source]
Or use a wildcard cert for all internal certs.
replies(3): >>41912563 #>>41912669 #>>41912935 #
project2501a ◴[] No.41912669[source]
Please don't. Technical debt accumulates by force of practice.
replies(1): >>41912757 #
1. qwertox ◴[] No.41912757[source]
It's working well for me. My technical debt is to always make sure that I'm able to renew a certificate and that the distribution occurs successfully.

I don't see how other solutions are less problematic.