undefined | Better HN

0 pointsgiobox3y ago0 comments

Lets encrypt is staggeringly easy for devices that are not "open" to the internet - it supports or has plugins to manage ACME DNS challenge records fully automatically even for private IPs in your home network, and this is just one way to do it. Using letsencrypt to get valid SSL certs easily, automatically and for free for private IPs behind a NAT is something I love using it for!

You never need to expose a webserver to the public internet to use letsencrypt to get a valid SSL certificate, even if IP is in the private RFC range (192.168.x.x, 10.x.x.x, etc etc).

Every single webapp I run internally has a two line automated Caddy/letsencrypt auto configuration, that just works.

To suggest it is way too difficult suggests you haven't tried recently, or are familiar with very old http-based DNS authentication challenges. You do not need to use http-based challenges to use letsencrypt for a long time, although still supported.

> https://caddyserver.com/docs/automatic-https

> https://caddy.community/t/how-to-use-dns-provider-modules-in...

No port forwarding required, ever.

This feature also exists in plain ole letsencypt, their "dns-01" challenge support:

https://letsencrypt.org/docs/challenge-types/#dns-01-challen...

The list of DNS providers who support this is massive now too:

https://community.letsencrypt.org/t/dns-providers-who-easily...

It is now so absurdly easy to do, all my personal projects just have valid SSL by default now, even on my internal LAN. All letsencrypt needs is proof of domain ownership- thanks to DNS TXT records, no one needs to host a website/port forward to accomplish that.

0 comments

2 comments · 2 top-level

GekkePrutser3y ago

But still those ACME records need to be updated every time on my outside DNS server right? Or is it just a static record? That I can do, a dynamic one is very hard with my DNS provider (meaning I still need to do everything manually every 3 months which is not an option).

I also don't really like leaking internal network info in my external DNS provider which is why I run my own internal DNSes. And I use a domain for my internal network which does not really exist in the real world, I don't know if letsencrypt can handle this.

I have indeed not tried it recently, the last time I tried it it was about 1 year since they launched. Trying to script all the firewall rules to open the ports for a second was a real PITA.

I'll have a look at this, thanks for the heads-up.

cricalix3y ago

The pain point here is something like .home.arpa, which is nominally the recommended domain to use for home networks (not .local to avoid conflicts with mDNS IIRC).

There's still no good solution if you're using a domain that's not valid on the net. LE's lookup has to be able to reach the DNS server for the domain. I think it's something the industry as a whole has failed at - ensuring even LAN devices have good security without doing things like "your home network must have a publicly resolveable domain" or "run your own CA".

j / k navigate · click thread line to collapse