
246 points nh2 | 3 comments
ndsipa_pomu No.41912342
I prefer to assign an external name to an internal device and grab a free SSL cert from Let's Encrypt, but using the DNS challenge instead, as internal IP addresses aren't reachable by their servers.
1. Tepix No.41913387
How do you automate it?
2. globular-toast No.41913525
Not OP, but I have a couple of implementations: one using caddyserver[0] as a reverse proxy in a docker-compose setup, and the other is a Kubernetes cluster using cert-manager[1].

[0] https://caddyserver.com/
[1] https://cert-manager.io/

3. ndsipa_pomu No.41914481
I use Dynu.com as my DNS provider (they're cheap, provide APIs and are very fast to update, which is great for home IP addresses that may change). Then, to get the certificates, I use https://github.com/acmesh-official/acme.sh, which is a shell script that supports multiple certificate and DNS providers. Copying the certificates to the relevant machines is done by a custom Bash script that runs the relevant acme.sh commands.

One advantage of DNS challenge is that it can be run anywhere (i.e. doesn't need to run on the webserver) - it just needs the relevant credentials to add a DNS TXT record. I've got my automation wrapped up into a Docker container.
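The comment above rests on the fact that the DNS-01 challenge only ever needs one TXT record written. The following is an added example, not code from the thread or from acme.sh: it works through what that record contains per RFC 8555 section 8.4 (the token the CA issues, joined to the RFC 7638 thumbprint of the ACME account key, hashed and base64url-encoded), which name it goes under (including the wildcard case), and the check a validator or a pre-flight script performs against what DNS actually returns. The token string and the JWK fields are constructed placeholders, not a real account key.

```python
"""DNS-01 challenge response arithmetic (RFC 8555 sec. 8.4, RFC 7638).

Added example; not the thread's or acme.sh's code. The JWK and token below
are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without trailing '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the *required*
    public members only, keys sorted lexicographically, no whitespace.
    Extra members (alg, use, kid) and input key order must not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """What goes into the TXT RDATA: base64url(SHA-256(keyAuthorization)).
    Note it is the *hash* of the key authorization, not the raw string
    (HTTP-01 serves the raw key authorization; DNS-01 does not)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Record name is _acme-challenge under the identifier. A wildcard
    identifier (*.example.com) is validated at the base name, so the same
    record name serves both example.com and *.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."


def txt_record_satisfies(observed_rdata: list, expected: str) -> bool:
    """Validator logic: at least one TXT string at the name must equal the
    expected value exactly. Leftover records from earlier issuances do not
    cause failure on their own, which is why sloppy cleanup often goes unnoticed."""
    return any(value == expected for value in observed_rdata)


# Constructed placeholders for a worked run (not a real key or CA token).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
    "alg": "ES256",  # extra member: must be ignored by the thumbprint
}
TOKEN = "constructed-token-from-the-CA"


if __name__ == "__main__":
    name = dns01_record_name("*.internal.example.com")
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f"publish TXT {name} -> {value}")
    # A pre-flight check before asking the CA to validate: query the name
    # from a resolver and feed the strings returned to txt_record_satisfies.
    print(txt_record_satisfies(["old-value-from-last-month", value], value))
```

Two practical consequences follow from the arithmetic. First, the TXT value is bound to the ACME account key, so the only thing the automation host needs from the DNS provider is the ability to write that one `_acme-challenge` name; narrowly scoped API tokens, or delegating `_acme-challenge.<host>` via CNAME to a zone the automation controls, keep a compromised certificate box from becoming a zone-wide DNS compromise. Second, because a validator accepts any matching TXT string, always run the pre-flight check against an external resolver and remove the record after issuance rather than letting stale values accumulate.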