
mezzode | 2 years ago

As others have mentioned, there already is the ".home.arpa" TLD, but I definitely think ".internal" is a step up in terms of clarity. That said, for my internal network I just put things under a subdomain of a domain I own so I can use HTTPS with a proper SSL cert.


eqvinox | 2 years ago

> I just put things under a subdomain of a domain I own

Yup, same here. Great in combination with ACME DNS-01 so your DNS server can request all those certificates and then push them out to your devices. (Otherwise the hostnames need to be externally accessible, which means either exposing the internal devices, or mucking around with split-view DNS. The former is a terrible idea, the latter is also DNS server complexity and worse than doing DNS-01 IMHO.)

mdaniel | 2 years ago

IMHO if you are already doing some process of "push certificates out to devices," you'll likely be much happier getting a wildcard cert using DNS-01 and changing that update process from "all devices all the time according to their schedule" over to "all devices, but once every 80 days".

I do appreciate the threat model of one device getting owned leaking all your certs, but security is always a trade-off between security and convenience. It also lowers the load upon the LE servers, for what that's worth.

MaxBarraclough | 2 years ago

That seems like a great way to go: get it signed the normal way and TLS will 'just work', no messing about configuring trust on your devices.

Will this be possible with .internal?

8organicbits | 2 years ago

The TLS cert will either be self-signed or you'll need to run a private CA. A public CA won't issue you a cert as you can't own any .internal domain.

ahoka | 2 years ago

You can use a proper certificate with any domain you like.

eqvinox | 2 years ago

Except not with .home.arpa, .internal, .lan, or whatever else, since you don't have "domain ownership".
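Two checks behind the points made in this thread, as an added example that is not from any of the commenters: whether a name sits under a suffix no public CA can certify (so it needs a self-signed cert or a private CA), and whether a single wildcard cert actually covers a given internal host, since a wildcard label only stands in for one DNS label. The hostnames and the `home.example.com` zone below are constructed for illustration.

```python
"""Added example (not from the thread): name checks relevant to the
public-vs-private-CA and wildcard-vs-per-host discussion above.

Assumptions (mine): internal hosts live under a subdomain of an owned
public domain such as "home.example.com"; the suffix list below covers
the special-use names mentioned in the thread (.internal, home.arpa,
.lan) plus .local, which mDNS reserves (RFC 6762).
"""

# Suffixes a publicly trusted CA will not certify: nobody can prove ownership.
PRIVATE_ONLY_SUFFIXES = ("internal", "home.arpa", "local", "lan")


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop a trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")


def needs_private_ca(hostname: str) -> bool:
    """True if no public CA can issue for this name, so the only options
    are a self-signed cert or a private CA pushed to every device."""
    labels = _labels(hostname)
    for suffix in PRIVATE_ONLY_SUFFIXES:
        suffix_labels = suffix.split(".")
        if labels[-len(suffix_labels):] == suffix_labels:
            return True
    return False


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' matches exactly one leftmost label, so
    '*.home.example.com' covers 'nas.home.example.com' but neither
    'home.example.com' nor 'a.b.home.example.com'."""
    pat, host = _labels(pattern), _labels(hostname)
    if pat[0] != "*":
        return pat == host            # plain per-host name: exact match only
    return len(host) == len(pat) and host[1:] == pat[1:]


def plan_coverage(pattern: str, hostnames: list[str]) -> dict[str, list[str]]:
    """Sort hosts into: covered by the wildcard, needing their own cert,
    or impossible to certify publicly at all."""
    result = {"wildcard": [], "per_host": [], "private_ca": []}
    for h in hostnames:
        if needs_private_ca(h):
            result["private_ca"].append(h)
        elif wildcard_covers(pattern, h):
            result["wildcard"].append(h)
        else:
            result["per_host"].append(h)
    return result
```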