Comment by xg15
1 day ago
IP addresses must be accessible from the internet, so still no way to support TLS for LAN devices without manual setup or angering security researchers.
If you have non-public IPs you need certs for, you should set up a non-public certificate authority and issue your own certs for them.
I recently found this, might help someone here. Genius solution. https://sslip.io/
I recently migrated to a wildcard (*.home.example.com) certificate for all my home network. Works okay for many parts. However, it requires a public DNS server where TXT records can be set via API (lego supports a few DNS providers out of the box, see https://go-acme.github.io/lego/dns/ )
I use a fairly niche provider (https://go-acme.github.io/lego/dns/zonomi/index.html) and it's supported - I'd go further and say they support most providers
IPv6? You wouldn’t even need to expose the actual endpoints out on the open internet. DNAT on the edge and point inbound traffic to a VM responsible for cert renewals, then distribute to the LAN devices actually using those addresses.
One can also use a private CA for that scenario.
Exactly -- how many 192.168.0.1 certs do you think LetsEncrypt wants to issue?
The BRs specifically forbid issuing such a certificate since 2015. So, slightly before they were required to stop using SHA-1, slightly after they were forbidden from issuing certificates for nonsense like .com or .ac.uk which obviously shouldn't be available to anybody even if they do insist they somehow "own" these names.
I mean if it's not routable how do you want to prove ownership in a way nobody else can? Just make a domain name.
Also I don't see the point of what TLS is supposed to solve here? If you and I (and everyone else) can legitimately get a certificate for 10.0.0.1, then what are you proving exactly over using a self-signed cert?
There would be no way of determining that I am connecting to my-organisation's 10.0.0.1 and not bad-org's 10.0.0.1.
Perhaps by providing some identifier in the URL?
i.e. https://10.0.0.1(af81afa8394fd7aa)/index.htm
The identifier would be generated by the certificate authority upon your first request for a certificate, and every time you renew you get to keep the same one.
This is assuming NAT, with IPv6 you should be able to have globally unique IPs. (Not unique to IPv6 in theory, of course, but in practice almost no one these days is giving LAN devices public IPv4s).
A public CA won’t give you a cert for 10.0.0.1
For ipv6 proof of ownership can easily be done with an outbound connection instead. And would work great for provisioning certs for internal only services.
>so still no way to support TLS for LAN devices without manual setup or angering security researchers.
Arguably setting up letsencrypt is "manual setup". What you can do is run a split-horizon DNS setup inside your LAN on an internet-routable tld, and then run a CA for internal devices. That gives all your internal hosts their own hostname.sub.domain.tld name with HTTPS.
Frankly: it's not that much more work, and it's easier than remembering IP addresses anyway.
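The private-CA route suggested in this thread (issue your own certs for non-public IPs, and/or give each internal host a hostname.sub.domain.tld name signed by a CA you run) as an added worked example using only Go's standard library; this is not code from the thread, from lego or from any other project. The CA name, the host name nas.home.example.com and the address 192.168.0.1 are made-up values for the illustration. It builds a self-signed root, issues a leaf whose SAN carries both a DNS name and an RFC 1918 IP (exactly what a public CA may not do under the BRs), then runs the same checks a TLS client would run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PrivateCA is a self-signed root plus the key that signs leaf certificates.
type PrivateCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewPrivateCA creates a self-signed root. CA:TRUE plus keyCertSign is what
// lets a verifier accept it as an issuer once it is in the trust store.
func NewPrivateCA(name string) (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &PrivateCA{Cert: cert, Key: key}, nil
}

// IssueServerCert signs a leaf for the given DNS names and IP addresses. Clients
// match against the SAN extension, so both kinds of name go there, not in the CN.
func (ca *PrivateCA) IssueServerCert(dnsNames []string, ips []net.IP, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{Organization: []string{"home lab"}}, // illustrative
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, key, err
}

// VerifyForHost does what a TLS client does: chain the leaf to a trusted root,
// then check that host (a DNS name or an IP literal) is one of the SANs.
func VerifyForHost(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	return leaf.VerifyHostname(host)
}

func main() {
	ca, err := NewPrivateCA("Home Lab Root CA") // made-up name
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueServerCert([]string{"nas.home.example.com"}, []net.IP{net.ParseIP("192.168.0.1")}, 90)
	if err != nil {
		panic(err)
	}
	// Third host and second root are expected to fail: wrong SAN, untrusted issuer.
	for _, host := range []string{"nas.home.example.com", "192.168.0.1", "192.168.0.2"} {
		fmt.Printf("%-22s -> %v\n", host, VerifyForHost(leaf, ca.Cert, host))
	}
	other, _ := NewPrivateCA("Some Other Root")
	fmt.Println("wrong root           ->", VerifyForHost(leaf, other.Cert, "192.168.0.1"))
}
```

The two failing checks at the end are the point of running your own CA: only clients that have your root installed accept the leaf, and only for the names you put in it. In practice keep the root key off the network, issue short-lived leaves, and distribute the root certificate (never the key) to the LAN clients' trust stores.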
> run a CA
> easier than remembering IP addresses
idk, the 192.168.0 part has been around since forever. The rest is just a matter of .12 for my laptop, .13 for the one behind the telly, .14 for the pi, etc.
Every time I try to "run a CA", I start splitting hairs.
No, what I'm saying is
1. Running a CA is more work than just setting up certbot for IP addresses, but not that much more
And that enables you to
2. Remember only domain names, which is easier than ip addresses.
I guess if you're ipv4 only and small it's not much benefit but if you have a big or bridged network like wonderLAN or the promised LAN it's much better.
There’s also the DNS-01 challenge that works well for devices on private networks.
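What the DNS-01 challenge mentioned here (and used by the wildcard *.home.example.com setup via lego earlier in the thread) actually puts in DNS, as an added example in Go; this is not lego's code or anything from the thread, it is a stand-alone derivation of the RFC 8555 record from an account key and a token. The challenge token, the domain and the in-memory "zone" that stands in for the DNS provider's API are all constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewAccountKey generates the ACME account key the thumbprint is computed from.
func NewAccountKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// thumbprint implements RFC 7638 for a P-256 key: SHA-256 over the JWK with
// only the required members, in lexicographic order, with no whitespace.
func thumbprint(pub *ecdsa.PublicKey) []byte {
	x := base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, 32)))
	y := base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y)
	sum := sha256.Sum256([]byte(jwk))
	return sum[:]
}

// KeyAuthorization is RFC 8555 section 8.1: token "." base64url(thumbprint).
func KeyAuthorization(token string, accountKey *ecdsa.PublicKey) string {
	return token + "." + base64.RawURLEncoding.EncodeToString(thumbprint(accountKey))
}

// DNS01Record is RFC 8555 section 8.4: publish a TXT record at
// _acme-challenge.<identifier> containing base64url(SHA-256(keyAuthorization)).
// A wildcard identifier drops its leading "*.", so *.home.example.com is
// proven through _acme-challenge.home.example.com.
func DNS01Record(identifier, token string, accountKey *ecdsa.PublicKey) (name, value string) {
	base := strings.TrimPrefix(identifier, "*.")
	digest := sha256.Sum256([]byte(KeyAuthorization(token, accountKey)))
	return "_acme-challenge." + base, base64.RawURLEncoding.EncodeToString(digest[:])
}

// CAValidates is the server side: the CA recomputes the expected value from its
// own copy of the token and the account key, queries TXT, and accepts only an
// exact match. Nothing about the host behind the name is ever contacted, which
// is why this works for machines that have no inbound reachability at all.
func CAValidates(identifier, token string, accountKey *ecdsa.PublicKey, lookupTXT func(string) []string) bool {
	name, want := DNS01Record(identifier, token, accountKey)
	for _, got := range lookupTXT(name) {
		if got == want {
			return true
		}
	}
	return false
}

func main() {
	key := NewAccountKey()
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // constructed; real tokens are server-chosen

	name, value := DNS01Record("*.home.example.com", token, &key.PublicKey)
	fmt.Printf("publish TXT %s = %q\n", name, value)

	// Constructed stand-in for the DNS provider's API, not a real resolver.
	zone := map[string][]string{name: {value}}
	lookup := func(n string) []string { return zone[n] }
	fmt.Println("CA validation:", CAValidates("*.home.example.com", token, &key.PublicKey, lookup))
}
```

The practical consequence for a LAN: the only thing that has to be reachable from the internet is the authoritative DNS for the zone, and the only secret that matters is the API credential that can write that TXT record, so scope it to the zone (or to the _acme-challenge names) where the provider allows it.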
What do you mean by 'LAN', everything should be routable globally with IPv6 decade ago anyway /s