Top
Best
New

Posted by mrl5 5 hours ago

TLS certificates for internal services done right(tuxnet.dev)
95 points | 66 commentspage 3
Eduard 2 hours ago|
to help with passive reconnaissance, here are tuxnet.dev's SSL certificates and associated subdomains:

https://www.certkit.io/tools/ct-logs/?query=tuxnet.dev

Hamuko 4 hours ago||
I use a registered domain with DNS validation and then CNAMEs that I resolve locally. Basically:

  1. Register a domain ("server.com") and put it on some public DNS that can do DNS validation with acme.sh.
  2. Use DNS validation to get a certificate on your domain from Let's Encrypt. You can just grab a wildcard one ("*.server.com").
  3. CNAME all of your services on a public DNS to an internal address ("email.server.com" → "server.internal", "plex.server.com" → "server.internal").
  4. Resolve your internal address on a local DNS server with an A record ("server.internal" → 192.168.0.123). This can often just be done on your router.
Since you use DNS validation, you just API keys for your public DNS service that acme.sh can use. No need to have any VPN network interfaces for getting your certificate. Your wildcard certificate also doesn't leak any details about your services.
spydum 4 hours ago||
this is all fine and good, if you are okay broadcasting your internal hostnames. I suppose it's a trade off some might make.
CartwheelLinux 4 hours ago|
There's one way around that which is requesting a wildcard cert, but then that has its own rammifications
gh02t 2 hours ago||
There's really two ways, the other is to manage your own CA. But it seems like every browser/piece of software/etc out there is hell bent on making that as difficult as possible. It'd also be nice if it was easier to scope a certificate authority to a specific domain, but support for that is pretty patchy which is functionally the same as no support at all. And that's not to mention software that ignores the system certificate store. Or how tedious and nonstandardized it can be to get a trusted certificate store in a Docker container in cases where you have services that need to trust each other. Or how annoying it is to install your own trusted CA on devices (though, step-cli does help a lot at least on normal computers... phones however...). On and on and on, the barriers to what should be the obvious solution are extremely high.
AtNightWeCode 3 hours ago||
Don't do this. Public certs are for public services.
cpach 1 hour ago|
Why does it matter?
nijave 4 hours ago|
[dead]