(inclouds.space)

301 points todsacerdoti | 3 comments | 10 Apr 25 14:19 UTC | HN request time: 0.622s | source

Show context

smjburton ◴[10 Apr 25 16:51 UTC] No.43645788[source]▶

OP: If you're already using Caddy, why not just use a purchased domain (you can get some for a few dollars) with a DNS-01 challenge? This way you don't need to add self-signed certificates to your trust store and browsers/devices don't complain. You'll still keep your services private to your internal network, and Caddy will automatically keep all managed certificates renewed so there's no manual intervention once everything is set up.

replies(3): >>43645951 #>>43645968 #>>43646218 #

1. whatevaa ◴[10 Apr 25 17:34 UTC] No.43646218[source]▶

>>43645788 #

So basically pay protection money? We have engineered such a system that the only way to use your own stuff is to pay a tax for it and rely on centralized system, even though you don't need to be public at all?

replies(1): >>43646634 #

2. smjburton ◴[10 Apr 25 18:15 UTC] No.43646634[source]▶

>>43646218 (TP) #

If you really want to keep things local without paying any fees, you could also use Smallstep (https://smallstep.com/) to issue certificates for your services. This way you only need to add one CA to your trust store on your devices, and the certificates still renew periodically and satisfy the requirements for TLS.

I suggested using a domain given they already have Caddy set up and it's inexpensive to acquire a cheap domain. It's also less of a headache in my experience.

replies(1): >>43648534 #

3. egoisticalgoat ◴[10 Apr 25 22:12 UTC] No.43648534[source]▶

>>43646634 #

If you're already adding a CA to your trust store, you can just use caddy! [0] Add their local CA to your store (CA cert is valid for 10 years), and it'll generate a new cert per local domain every day.

Actually, now that I've linked the docs, it seems they use smallstep internally as well haha

[0] https://caddyserver.com/docs/automatic-https#local-https

↑

.localhost Domains