undefined | Better HN

0 pointsxg155y ago0 comments

This won't work either, btw: You'd have to request from Let's Encrypt a new certificate for each individual device. LE has several rate limits that will prevent that from working for anything more than a trivial number of devices: https://letsencrypt.org/docs/rate-limits/

The only way I see how this would work is if you not just purchase a domain but also an internet-facing server and do the renewal and certificate management centrally for all devices - at which point, your device is definitly not standalone anymore.

0 comments

AdamJacobMuller5y ago

This will work fine. LetsEncrypt will raise ratelimits for you. I've done it for a commercial CDN and they were very accommodating and helpful.

Plex does this, for example, though they use DigiCert's free certificates: https://www.plex.tv/blog/its-not-easy-being-green-secure-com...

sokoloff5y ago

The LE rate limits are (mostly?) for new cert issuance. I’ve never run into a rate limit on automated renewals and seem to recall it was either non-existent or comically far away from anything any individual would hit.

MikeHardman5y ago

You can do wildcard certs with LE, I run hundreds of k8s services all secured with LE and wildcard certs.

stefan_5y ago

We're talking about customer hardware. If someone looks at the insides of the device and finds, of course, the private key for your one shared wildcard certificate, the issuer is required to invalidate it immediately.

lvh5y ago

You can, but that wouldn't quite work for the prosumer router manufacturer case the OP mentioned: LE would revoke the cert once you distributed it.

AdamJacobMuller5y ago

You can, but, you can't (by policy) distribute keys across multiple customers.

tgsovlerkhgsel5y ago

I have a nasty habit of requesting revocation of such compromised keys whenever I find them. CAs are required to revoke within 24 hours, I think, though unfortunately revocation is surprisingly ineffective.

1 more reply

j / k navigate · click thread line to collapse

0 pointsxg155y ago0 comments

0 comments

AdamJacobMuller5y ago

This will work fine. LetsEncrypt will raise ratelimits for you. I've done it for a commercial CDN and they were very accommodating and helpful.

Plex does this, for example, though they use DigiCert's free certificates: https://www.plex.tv/blog/its-not-easy-being-green-secure-com...

sokoloff5y ago

MikeHardman5y ago

You can do wildcard certs with LE, I run hundreds of k8s services all secured with LE and wildcard certs.

stefan_5y ago

lvh5y ago

You can, but that wouldn't quite work for the prosumer router manufacturer case the OP mentioned: LE would revoke the cert once you distributed it.

AdamJacobMuller5y ago

You can, but, you can't (by policy) distribute keys across multiple customers.

tgsovlerkhgsel5y ago

1 more reply

j / k navigate · click thread line to collapse