Hacker News new | past | comments | ask | show | jobs | submit login

I use DNS auth for internal certificates. I have multiple domains that only have entries on 10.0.0.0/8, mostly as *.identifier.domain.tld. With DNS auth they all have valid certificates from LetsEncrypt.



DNS Auth doesn't work with split-horizon DNS though, since the LE process will update the internal view instead of the external.

It sounds like you've put all your RRs in one flat zone visible internally ad externally but then that breaks device network portability, since mail.example.net on 10.x.x.x won't be reachable once outside the internal network

ACME and LE were really developed without an understanding of how certs work in the IT World. They were developed by folks who spin up a service on AWS and think that's how the world works.


SSL externally points to 123.45.67.8

Your internal DNS responds on 10.20.30.40

SSL very works fine as it validates Mail.mycorp.com, not the IP

This fails as DoH becomes more common and your dhcp server saying “use dns 10.1.1.1” is ignored, but then connections to your mail server fail too.


Do you actually have that or are you suggesting it a solution? Unless something changed you can't get certs for subdomains unless they they are the public suffix list and getting on that list is non-trivial.


Maybe I'm misunderstanding something, but I've been doing what I suggested for years.

I just verified, the domain that I use doesn't have a single A entry that isn't on 10.0.0.0/8.

I actually only have 6 A entries, that are the in the form of

    a.domain.tld  
    *.a.domain.tld  
    b.domain.tld  
    *.b.domain.tld  
    c.domain.tld  
    *.c.domain.tld
Then I use Caddy server as a reverse proxy on the internal network, which is configured to do DNS challenges to get certificates. Here's the plugin for AWS Route53 for example: https://github.com/caddy-dns/route53 - The challenge just verifies that I have control over the domain through DNS and provides a certificate to me no problem.

It's been working perfectly for few years for us on our internal networks. Was the OP asking for something different? I'm not entirely sure what the 'public suffix list' is for subdomains, but I definitely have a valid certificate right now for *.a.domain.tld, served internally and provided by LetsEncrypt.


https://letsencrypt.org/docs/rate-limits/

The public suffix list is (or was) used to tell if foo.domain.com is considered different user than bar.domain.com

If domain.com is on the list then foo.domain.com is different than bar.domain.com. If not then it's considered a single user and the rate limits apply.


Those rate limits are fine for almost all internal IT uses. The 50 certificates per week limit does not count renewals, that's 50 new hostnames added every week. Maybe larger shops need to roll out certificates a bit slower in order to not exceed that limit but it's still a pretty generous limit.


The public suffix list only affects limits with letsencrypt. The limit is still quite high IIRC, you just need to have proper backoff an smoothing between devices.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: