
.localhost Domains

(inclouds.space)
301 points by todsacerdoti | 9 comments
1. smjburton (No.43645788)
OP: If you're already using Caddy, why not just use a purchased domain (you can get some for a few dollars) with a DNS-01 challenge? This way you don't need to add self-signed certificates to your trust store and browsers/devices don't complain. You'll still keep your services private to your internal network, and Caddy will automatically keep all managed certificates renewed so there's no manual intervention once everything is set up.
replies(3): >>43645951 #>>43645968 #>>43646218 #
2. shadowpho (No.43645951)
> You'll still keep your services private to your internal network,

Is that a new thing? I heard previously that if you wanted to do DNS/domain for a local network you had to expose the list externally.

replies(1): >>43646547 #
3. qwertox (No.43645968)
I was on a similar thought process, but this leaves you only with the option to set the A record of the public DNS entry to 127.0.0.1, if you want to use it on the go.

Though you could register a name like ch.ch and get a wildcard certificate for *.ch.ch, and insert local.ch.ch in the hosts file and use the certificate in the proxy, that would even work on the go.

4. whatevaa (No.43646218)
So basically pay protection money? We have engineered such a system that the only way to use your own stuff is to pay a tax for it and rely on centralized system, even though you don't need to be public at all?
replies(1): >>43646634 #
5. smjburton (No.43646547)
It's not, just a different way of satisfying the certificate challenge. Look into a DNS-01 challenge vs an HTTP-01 challenge. Let's Encrypt has a good breakdown: https://letsencrypt.org/docs/challenge-types/.
replies(1): >>43667780 #
6. smjburton (No.43646634)
If you really want to keep things local without paying any fees, you could also use Smallstep (https://smallstep.com/) to issue certificates for your services. This way you only need to add one CA to your trust store on your devices, and the certificates still renew periodically and satisfy the requirements for TLS.

I suggested using a domain given they already have Caddy set up and it's inexpensive to acquire a cheap domain. It's also less of a headache in my experience.

replies(1): >>43648534 #
7. egoisticalgoat (No.43648534)
If you're already adding a CA to your trust store, you can just use caddy! [0] Add their local CA to your store (CA cert is valid for 10 years), and it'll generate a new cert per local domain every day.

Actually, now that I've linked the docs, it seems they use smallstep internally as well haha

[0] https://caddyserver.com/docs/automatic-https#local-https
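A Caddyfile that puts the two options discussed above side by side: a purchased domain validated with a DNS-01 challenge (comment 1), and Caddy's built-in local CA (comments 6 and 7). This is an added example, not code from the thread or from the Caddy documentation; the hostnames, LAN addresses, the choice of Cloudflare as DNS provider and the CLOUDFLARE_API_TOKEN variable are assumptions.

```caddyfile
# Added example (not from the thread or from Caddy's docs): browser-trusted
# TLS for services reachable only on the LAN. Hostnames, addresses, the DNS
# provider and the environment variable are assumptions.
{
	# ACME account contact (assumed address)
	email admin@example.com
}

# Option A (comment 1): a real, purchased domain with a DNS-01 challenge.
# Nothing here has to be reachable from the Internet: the CA only looks up
# a TXT record at _acme-challenge.home.example.com. A wildcard certificate
# covers every internal service under one name, so the individual service
# hostnames never appear in public certificate-transparency logs.
# Requires a Caddy build that includes the matching DNS provider module
# (here github.com/caddy-dns/cloudflare, e.g. via `xcaddy build --with ...`).
*.home.example.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		# With split-horizon DNS, pin the resolvers used for the
		# propagation check to public ones so the public zone is read,
		# not the LAN zone.
		resolvers 1.1.1.1 8.8.8.8
	}

	@git host git.home.example.com
	handle @git {
		reverse_proxy 192.168.1.20:3000
	}

	@nas host nas.home.example.com
	handle @nas {
		reverse_proxy 192.168.1.10:5000
	}

	# Any other name under the wildcard gets an explicit 404 instead of
	# silently being proxied to some upstream.
	handle {
		respond "unknown service" 404
	}
}

# Option B (comments 6 and 7): no public domain, no fees. Caddy's internal CA
# issues short-lived certificates; install its root once per client, either
# with `caddy trust` or from
# $XDG_DATA_HOME/caddy/pki/authorities/local/root.crt.
grafana.lan {
	tls internal
	reverse_proxy 192.168.1.30:3000
}
```

The trade-off the thread circles around is visible in the two blocks: option A costs a domain and an API token for the DNS provider, but needs no change on client devices and keeps the services unreachable from outside; option B costs nothing, but every client has to trust one extra root CA, so that root key deserves the same care as any other private key on the network.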

8. shadowpho (No.43667780)
Gotcha, and that lets us avoid exposing internals? That seems like a win-win-win, I should totally do this!
replies(1): >>43697845 #
9. smjburton (No.43697845)
Yeah that's right. You can use something like https://github.com/joohoi/acme-dns or something similar to validate the DNS-01 challenge.