
You could do this before too, without wildcards.

You could, but the wildcard cert makes it much easier...

"One cert to rule them all, and in the darkness 'bind' them."

Can you outline how this approach would work? It was my understanding that in order to use Let's Encrypt you needed a public facing server to verify ownership.

For the standard LE certs, you need a public facing web server for the domain name in question, and LE give you a keyfile to put into:


For the wildcard certs, you just need to add a TXT record to the public DNS entry, no public web server required.

Even if you have no intention of using your internal DNS domain name on the internet, it's good practice to register it anyway.

Is there a "standard" TLD for internal use that will also fit this requirement?

The problem here is that there's no such thing as domain ownership, only domain renting. You forget to pay your bill (read: someone loses an email) and a core part of your infrastructure is up in smoke, or worse, taken over by a squatter.

Of course not. If there was a domain reserved for internal use and everyone could get a cert for it, everyone would be able to impersonate your internal hosts.

I don't think there's a way around coming up with a reliable process for renewing your domain. You somehow manage to do it for lots of other things already.

Some years ago, at least one of the popular CAs used to issue certs for RFC1918 IP addresses. Fun times.

It makes no sense to have publicly trusted certificates for names that have no defined legitimate meaning - what is being certified? Nothing. Accordingly no public CA is permitted to issue such certs.

You can use a DNS challenge for v1 "regular" certs - there's no requirement for a web server in order to use Let's Encrypt.

See e.g. point 4: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

You have multiple authorisation mechanisms. The one you are referring to is HTTP, but you could also use DNS (you add a pre-agreed string as a TXT entry). Wildcard requires DNS validation, whereas domain-specific certificates can use both.

Instead of fetching the secret via a direct HTTP call, the secret is fetched from the DNS server (e.g. _acme-challenge.example.com.) - where the DNS server is usually separate from the server getting the cert. This can be done with ACMEv1 for certs, and is now required for the new wildcard certs.

Most clients that support DNS-01 can use nsupdate or APIs of public DNS providers to make this an automated process.

You just need public facing DNS.
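The DNS-01 flow the replies above describe, as an added example that is not part of the thread: how the `_acme-challenge` TXT value is derived from the challenge token and the account key (RFC 8555 §8.4 and RFC 7638), what the CA actually checks, and the nsupdate input a client would feed to a separate authoritative DNS server. The account key and token below are constructed sample values, and `ns1.example.com` is an assumed server name.

```python
# Added example (not the thread's or any ACME client's own code): derive and check
# an ACME DNS-01 challenge record per RFC 8555 section 8.4 and RFC 7638.
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for the DNS-01 challenge.
    keyAuthorization = token '.' thumbprint; TXT value = base64url(SHA-256(keyAuthorization))."""
    key_auth = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_auth.encode("ascii")).digest())
    return f"_acme-challenge.{domain.rstrip('.')}.", value

def nsupdate_script(server: str, zone: str, name: str, value: str, ttl: int = 60) -> str:
    """Input for `nsupdate -k <tsig.key>`, the dynamic-update path mentioned above,
    aimed at the public authoritative server rather than the host being certified."""
    return "\n".join([f"server {server}", f"zone {zone}", f"update delete {name} TXT",
                      f'update add {name} {ttl} TXT "{value}"', "send", ""])

def challenge_satisfied(txt_answers: list[str], expected: str) -> bool:
    """What the CA does: it accepts if any one TXT string at the owner name matches,
    so stale values from earlier challenges do not break validation."""
    return any(a.strip('"') == expected for a in txt_answers)

# Constructed sample account key and token; not real values.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(nsupdate_script("ns1.example.com", "example.com", name, value))
```

Before asking the CA to validate, query the public resolvers for the owner name and pass the returned strings to `challenge_satisfied`; a value that only your internal DNS serves will fail, which is the point the thread makes about needing public-facing DNS.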
