.localhost Domains

(inclouds.space)
301 points todsacerdoti | 1 comments
smjburton No.43645788
OP: If you're already using Caddy, why not just use a purchased domain (you can get some for a few dollars) with a DNS-01 challenge? This way you don't need to add self-signed certificates to your trust store and browsers/devices don't complain. You'll still keep your services private to your internal network, and Caddy will automatically keep all managed certificates renewed so there's no manual intervention once everything is set up.
replies(3): >>43645951 #>>43645968 #>>43646218 #
shadowpho No.43645951
> You'll still keep your services private to your internal network,

Is that a new thing? I heard previously that if you wanted to do DNS/domain for local network you had to expose the list externally.

replies(1): >>43646547 #
smjburton No.43646547
It's not, just a different way of satisfying the certificate challenge. Look into a DNS-01 challenge vs an HTTP-01 challenge. Let's Encrypt has a good breakdown: https://letsencrypt.org/docs/challenge-types/.
replies(1): >>43667780 #
shadowpho No.43667780
Gotcha, and that lets us avoid exposing internals? That seems like a win-win-win, I should totally do this!
replies(1): >>43697845 #
1. smjburton No.43697845
Yeah that's right. You can use something like https://github.com/joohoi/acme-dns or something similar to validate the DNS-01 challenge.