news.volyx.in

TLS certificates for internal services done right (tuxnet.dev)

182 points by mrl5 · 2 days ago · 151 comments on HN

Article summary

The article discusses how to set up TLS certificates for internal services without creating TLS issues for HTTP clients. It presents two approaches: using a top-level domain restricted by ICANN for private use or using a public apex domain with split-horizon DNS configuration. The author recommends the latter approach, which involves using a Web Access Firewall (WAF) to reject traffic that does not originate from the VPN. This setup allows for the use of public CA certificates, such as those from Let's Encrypt, and eliminates the need for self-signed certificates.

Main themes

  • TLS certificates for internal services
  • Split-horizon DNS configuration
  • Web Access Firewall (WAF)
  • ACME protocol
  • DNS validation
  • Certificate management

What commenters say

  • Using DNS validation with ACME protocol is a more straightforward and secure approach than split-horizon DNS for obtaining TLS certificates for internal services.
  • Split-horizon DNS can create tedious make-work and is something to aspire to move away from in favor of more modern approaches.
  • Wildcard certificates can be a convenient solution, but they also introduce security risks and require careful management of private keys.
  • Some commenters argue that managing one's own CA is a viable alternative to using public CAs, but it can be difficult to scope a certificate authority to a specific domain.
  • Others suggest using a reverse proxy to handle TLS termination and constrain services to the server, bound to listen on 127.0.0.1 only, to minimize security risks.
  • There is interest in using DNS-persist-01, a new challenge type that allows for easier DNS validation, once it becomes widely supported.
  • Some commenters propose using DANE with TLSA as a potential solution to simplify certificate management, but it requires DNSSEC and has its own set of challenges.
  • The use of API keys with limited scope is seen as a desirable feature for DNS providers to improve security and flexibility in certificate management.