    314 points Bogdanp | 13 comments
    1. vkdelta ◴[] No.44380805[source]
    Does it help getting encrypted https (without self signed cert error) on my local router ? 192.168.0.1 being an example login page.
    replies(6): >>44380853 #>>44380871 #>>44380923 #>>44381115 #>>44381757 #>>44382265 #
    2. ameliaquining ◴[] No.44380853[source]
    No, they won't issue a certificate for a private IP address because you don't have exclusive control over it (i.e., the same IP address would point to a different machine on someone else's network).
    3. qmarchi ◴[] No.44380871[source]
    No but maybe yes: It would be impossible, and undesirable to issue certificates for local addresses. There's no way to verify local addresses because, inherently, they're local and not globally routable.

    However, if a router manufacturer was so inclined, they _could_ have the device request a certificate for their public IPv4 address, given that it's not behind CG-NAT. v6 should be relatively easy since (unless you're at a cursed ISP) all v6 is generally globally routable.

    replies(1): >>44385321 #
    4. johnklos ◴[] No.44380923[source]
    You have to possess the IP.
    5. jekwoooooe ◴[] No.44381115[source]
    No and it shouldn’t. You can just run a proxy with a real domain and a real cert and then use dns rewrites to point that domain to a local host

    For example you can use nginx manager if you want a UI and adguard for DNS. Set your router to use adguard as the exclusive DNS. Add a rewrite rule for your domain to point to the proxy. Register the domain and get a real cert. Problem solved.

    All of my local services use https

    6. remram ◴[] No.44381757[source]
    No, on the contrary. You can't get a valid certificate for non-global IP, but you can already get a certificate for a domain name and point it to 192.168.0.1.
    7. dark-star ◴[] No.44382265[source]
    no but you can do something closely related:

    - get a domain name (foo.com) and get certificates for *.foo.com

    - run a DNS resolver that maps a.b.c.d.foo.com (or a-b-c-d.foo.com) to the corresponding private IP a.b.c.d

    - install the foo.com certificate on that private IP's device

    then you can connect to devices in your local network via IP by using https://192-18-1-1.foo.com

    Since you need to install the certificate in step 3 above, this works better with long-lived certificates, of course, but automation helps there.

    replies(2): >>44382457 #>>44383727 #
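The resolver logic behind steps 2 and 3 of the comment above, as an added example that is not from any commenter: it maps both encodings of an address under a hypothetical foo.com to an IPv4 address, refuses anything outside RFC 1918 so the resolver cannot be abused to point the name at public hosts, and checks the wildcard-certificate caveat that *.foo.com covers the dashed label but not the dotted a.b.c.d.foo.com form (a wildcard matches a single label).

```python
import ipaddress
import re
from typing import Optional

BASE_DOMAIN = "foo.com"  # hypothetical domain from the comment; not a real deployment

# Accept either 192-168-1-1.foo.com (dashed) or 192.168.1.1.foo.com (dotted)
_DASHED = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")
_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Only RFC 1918 ranges are answered; a resolver that echoed arbitrary IPs
# would let a name under your certificate point at any host on the internet.
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _label_under(name: str, base: str) -> Optional[str]:
    """Return the part of `name` in front of `.base`, or None if not under base."""
    name = name.rstrip(".").lower()
    suffix = "." + base.lower()
    if not name.endswith(suffix):
        return None
    return name[: -len(suffix)]


def resolve_local(name: str, base: str = BASE_DOMAIN) -> Optional[str]:
    """Map <ip-encoded label>.<base> to a private IPv4 address, else None.
    Works with no upstream DNS at all, so it keeps resolving when the WAN is down."""
    prefix = _label_under(name, base)
    if prefix is None:
        return None
    m = _DASHED.match(prefix) or _DOTTED.match(prefix)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(m.groups()))
    except ValueError:  # an octet above 255
        return None
    return str(ip) if any(ip in net for net in _RFC1918) else None


def wildcard_covers(name: str, base: str = BASE_DOMAIN) -> bool:
    """True if a certificate for *.<base> would match `name`: exactly one
    extra label, so the dashed form is covered and the dotted form is not."""
    prefix = _label_under(name, base)
    return bool(prefix) and "." not in prefix
```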
    8. michaelt ◴[] No.44382457[source]
    I considered doing that for a project once.

    Then I realised that when my internet was down, 192-18-1-1.foo.com wouldn't resolve. And when my internet is down is exactly when I want to access my router's admin page.

    I decided simply using unencrypted HTTP is a much better choice.

    replies(1): >>44382624 #
    9. yjftsjthsd-h ◴[] No.44382624{3}[source]
    > Then I realised that when my internet was down, 192-18-1-1.foo.com wouldn't resolve.

    Just add a local DNS entry on your local DNS server (likely your router).

    replies(2): >>44382837 #>>44385344 #
    10. michaelt ◴[] No.44382837{4}[source]
    I could start running my own DNS server, and start manually curating all the important entries in it, sure.

    Or I could just use HTTP, or a self-signed certificate. If an attacker intercepts traffic on twenty feet of ethernet cable in my home's walls, I've probably got bigger problems than protecting my router admin password.

    11. briHass ◴[] No.44383727[source]
    Cloudflare DNS (probably others as well) allows you to enter private IPs for subdomains, so you don't have to run your own DNS. There's no AXFR enabled, so no issues with privacy unless you have someone really determined to dictionary-attack your subdomains.
    12. jeroenhd ◴[] No.44385321[source]
    Even behind CGNAT, you could probably get away with DNS here. If you provide your customers with customeraccount.manufacturerrouters.com, you can then use DNS validation to get a valid certificate for *.customeraccount.manufacturerrouters.com. Put a record in there that points to the local router IP (i.e., settings.customeraccount.manufacturerrouters.com) and you can get HTTPS logins on your local network, even with local IP addresses if the CAB still allows that.

    It's not exactly user friendly, but it'll work.

    Personally, I have a private CA that I use. My home router has a domain name pointing towards it and has been loaded up with my private certificate. I get the certificate error once a year when the thing expires but in the mean time I can access my router securely.

    13. jeroenhd ◴[] No.44385344{4}[source]
    You don't even need to, mDNS has been enabled by default by most devices for ages now. You'll have to look up what the name is your manufacturer chose (if you use Windows, you can usually hit the network explorer tab and it'll be right in there, don't know about other OSes). It'll even work if IPv4 is broken (if you ran out of DHCP leases or whatever) because it almost always natively runs on IPv6 too.
    You don't even need to, mDNS has been enabled by default by most devices for ages now. You'll have to look up what the name is your manufacturer chose (if you use Windows, you van usually hit the network explorer tab and it'll be right in there, don't know about other OSes). It'll even work if IPv4 is broken (if you ran out of DHCP leases or whatever) because it almost always natively runs on IPv6 too.