Top
Best
New

Posted by mrl5 4 hours ago

TLS certificates for internal services done right(tuxnet.dev)
84 points | 59 commentspage 2
raquuk 3 hours ago|
I am looking forward to finally using DNS-PERSIST-01 for validation. No more dynamic DNS updates, DNS credentials or forwarding necessary.
jmbwell 2 hours ago||
I don’t know much in this space, but I find myself wishing there was a dead simple self hosted CA solution and also that trust on first use (à la ssh) was A Thing for self-managed root certs in client implementations. TOFU is such an elegant, good-enough solution for these use cases. Fixed deployment is always still an option, but in this day and age it feels so much like we are unnecessarily still dealing with solved problems
nijave 2 hours ago|
On k8s, there's cert-manager but also you need k8s...

Most browsers support trust on first use for leaf certs

notTooFarGone 1 hour ago|||
Firefox now started that you can't even go on the page on some occasions.

Using a browser in an air gapped environment is so much more pain than it should be.

jmbwell 2 hours ago|||
I guess I mean treat it as a clear first class feature. Right now most browsers treat it as an arcane error. I’m thinking more “This is the first time you’re connecting to this site. Do you trust it?”

And later if something changes, then they can do the whole DOING SOMETHING NASTY! thing, which is effectively the experience today

ramblurr 3 hours ago||
> TLS certificates for internal services* done right

* "internal services" = on a single server that is publicly routable

jabart 1 hour ago||
A Github Action running acme.sh that pushes certs to S3 solves the split dns issue for hosts, which can cause all sorts of weirdness after a while. You can then grab a cert on a schedule and even make them wildcard if you want. Then you will get NXDOMAIN if you are not on the VPN so ideally no public traffic.
llama052 1 hour ago|
DNS-01 validation is way less work than that in my experience.
gmuslera 1 hour ago||
"Right" without use case can be wrong. And by use case I include scale. For a small team, few machines, some in-place infrastructure may worth it. Smaller than that may be overkill, bigger than that may not be enough, or end being cumbersome, insecure or not work for everyone.
aliasxneo 2 hours ago||
I wonder if the author realizes that getting public certificates results in them being recorded in CT logs.
cobertos 3 hours ago||
Why not just map the domain to an internal IP and call it a day? Then the only way it can be accessed is through a VPN. Then use a wildcard so none of leaks into cert transparency logs
throw0101d 3 hours ago|
> Then use a wildcard so none of leaks into cert transparency logs

You now also have to build infrastructure to distribute the wildcard from (presumably) central place where you generate it to all the different places where it is desired.

And hope the wildcard's private key does not leak from one of myriad of places it now lives.

cobertos 2 hours ago|||
I have a few Traefik instances that request wildcards independently of each other. Each with the same config, per server.

Leaking is an issue but we're talking about internal services too.

AlexanderYamanu 1 hour ago|||
well, I configure my services te request their own wildcard certs from a caching proxy acme to letsencrypt. Easy peasy.
mrl5 4 hours ago||
I've documented how to securely set up TLS certificates for internal services without creating TLS issues for http clients downstream. All thanks to split-horizon DNS, WAF and ACME protocol. All for free!
rootnod3 3 hours ago|
Uhm....source?
cwillu 2 hours ago||
He's the submitter
Eduard 1 hour ago||
to help with passive reconnaissance, here are tuxnet.dev's SSL certificates and associated subdomains:

https://www.certkit.io/tools/ct-logs/?query=tuxnet.dev

Hamuko 3 hours ago|
I use a registered domain with DNS validation and then CNAMEs that I resolve locally. Basically:

  1. Register a domain ("server.com") and put it on some public DNS that can do DNS validation with acme.sh.
  2. Use DNS validation to get a certificate on your domain from Let's Encrypt. You can just grab a wildcard one ("*.server.com").
  3. CNAME all of your services on a public DNS to an internal address ("email.server.com" → "server.internal", "plex.server.com" → "server.internal").
  4. Resolve your internal address on a local DNS server with an A record ("server.internal" → 192.168.0.123). This can often just be done on your router.
Since you use DNS validation, you just API keys for your public DNS service that acme.sh can use. No need to have any VPN network interfaces for getting your certificate. Your wildcard certificate also doesn't leak any details about your services.
More comments...