frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

TLS certificates for internal services done right

https://tuxnet.dev/posts/tls-for-internal-services/
16•mrl5•49m ago

Comments

mrl5•49m ago
I've documented how to securely set up TLS certificates for internal services without creating TLS issues for http clients downstream. All thanks to split-horizon DNS, WAF and ACME protocol. All for free!
pizzalife•27m ago
I don't agree that tunneling everything through some external facing proxy is "TLS certificates for internal services done right".
nijave•22m ago
Arguably it's 1/2. You can put public certs on proxy then give proxy private CA to backend services. Then you don't need public certs for all the private stuff nor need to trust the private CA on all your devices.
wrxd•13m ago
I use the acme dns-1 challenge on my public domain. That gives you certificates you can use as you see fit, without needing to expose anything else to the public internet.

I also use Tailscale so I configure my DNS to use my Tailscale IP addresses. If you don’t want to expose them on a public DNS server you can add them only to an internal DNS server.

adontz•10m ago
Moreover you can delegate domain to improve security.

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

spydum•12m ago
this is all fine and good, if you are okay broadcasting your internal hostnames. I suppose it's a trade off some might make.
CartwheelLinux•8m ago
There's one way around that which is requesting a wildcard cert, but then that has its own rammifications
Hamuko•11m ago
I use a registered domain with DNS validation and then CNAMEs that I resolve locally. Basically:

  1. Register a domain ("server.com") and put it on some public DNS that can do DNS validation with acme.sh.
  2. Use DNS validation to get a certificate on your domain from Let's Encrypt. You can just grab a wildcard one ("*.server.com").
  3. CNAME all of your services on a public DNS to an internal address ("email.server.com" → "server.internal", "plex.server.com" → "server.internal").
  4. Resolve your internal address on a local DNS server with an A record ("server.internal" → 192.168.0.123). This can often just be done on your router.
Since you use DNS validation, you just API keys for your public DNS service that acme.sh can use. No need to have any VPN network interfaces for getting your certificate. Your wildcard certificate also doesn't leak any details about your services.
cobertos•7m ago
Why not just map the domain to an internal IP and call it a day? Then the only way it can be accessed is through a VPN. Then use a wildcard so none of leaks into cert transparency logs

Dairy cows make their misery expensive (but their calves can't)

https://acesounderglass.com/2026/05/01/dairy-cows-make-their-misery-expensive-but-their-calves-cant/
1•surprisetalk•1m ago•0 comments

Show HN: Reverse-engineering web apps into agent tools

1•pancomplex•1m ago•0 comments

I asked Fable 5 to make me a lyric video [video]

https://www.youtube.com/watch?v=gFx-NjTw3sM
1•blakenator•1m ago•0 comments

New York Times-led group asks court to sanction OpenAI in US copyright dispute

https://www.reuters.com/legal/litigation/new-york-times-led-group-asks-court-sanction-openai-us-c...
1•1vuio0pswjnm7•2m ago•0 comments

A2A Protocol

https://a2a-protocol.org/latest/
2•giamma•2m ago•0 comments

Questioneverything.ai – Explore any question through composable knowledge blocks

https://www.questioneverything.ai/
1•DBWORLD•3m ago•0 comments

Data Centers in Space Geek Out (2007) [audio]

https://www.dotnetrocks.com/details/2007
1•thunderbong•3m ago•0 comments

What if you gave everyone an intern?

https://blev.dev/articles/what-if-you-gave-everyone-an-intern/
2•blev•3m ago•0 comments

Show HN: Obsidian Aside

https://community.obsidian.md/plugins/aside
2•wl1973•4m ago•0 comments

Always On. Always Watching

https://blog.ppb1701.com/always-on-always-watching
1•pimeys•5m ago•0 comments

New Players Wanted in Iver

https://www.stpetersiverfc.com
1•chrisgen•7m ago•0 comments

Teaching AI to Run with the Turbines

https://www.technologyreview.com/2026/07/02/1138433/teaching-ai-to-run-with-the-turbines/
1•gmays•8m ago•0 comments

Google patent of an identification method for Tor Over VPN

https://patents.google.com/patent/CN116233013B/en
1•chbint•8m ago•0 comments

Show HN: Netstat for TLS Traffic

https://github.com/yuedongze/tlstat
1•yuedongze•9m ago•0 comments

Fable, Opus, Claude Code and Claude Web: How to Use Them All for the Best Result

https://theautomatedoperator.substack.com/p/fable-opus-claude-code-and-claude
2•idopmstuff•10m ago•0 comments

Show HN: Subagentmaxxing – Orchestrate GPT and Cursor Models with Claude Code

https://github.com/Kuberwastaken/subagentmaxxing
2•kuberwastaken•10m ago•0 comments

Show HN: Advanced Search for Bluesky (Chrome Extension)

https://www.bskysrch.com/chrome-extension
1•nklswbr•11m ago•0 comments

What Does "Processed Meat" Mean?

https://www.malone.news/p/what-does-processed-meat-actually
2•bilsbie•12m ago•0 comments

Show HN: Papercrane-CLI – a BI tool built for Claude Code

https://papercrane.ai/blog/today-im-launching-papercrane-cli-a-bi-tool-built-for-claude-code
5•timliu9•13m ago•0 comments

You paid me, a long-time Linux user, to use Windows 11 exclusively for a month

https://www.osnews.com/story/145459/you-paid-me-a-long-time-linux-user-to-use-windows-11-exclusiv...
4•speckx•14m ago•0 comments

Meta's 'Super Sensing' Prototype Glasses Quietly Record Everything

https://www.macrumors.com/2026/07/09/meta-super-sensing-glasses-record-everything/
4•Brajeshwar•15m ago•0 comments

Prose Isn't Policy: Stop Writing Claude.md Rules

https://zernie.com/blog/stop-writing-claude-md-rules/
2•zernie•16m ago•1 comments

Croatia's Infobip acquires SocketLabs to expand enterprise email infrastructure

https://seenews.com/news/croatias-infobip-acquires-socketlabs-to-expand-enterprise-email-infrastr...
2•taubek•17m ago•0 comments

Launch HN: Context.dev (YC S26) – API to get structured data from any website

https://www.context.dev
10•TheYahiaBakour•18m ago•0 comments

Hy3

https://hy.tencent.com/research/hy3
3•andai•19m ago•0 comments

How to Set Up DKIM: From Key Generation to a Passing DMARC Report

https://dmarcguard.io/blog/dkim-setup-guide/
2•meysamazad•19m ago•0 comments

A Summer Creativity Experiment

https://brainbaking.com/post/2026/07/a-summer-creativity-experiment/
2•meysamazad•19m ago•0 comments

How to Write an Email

https://blog.dannycastonguay.com/how-to-write-an-email/
3•speckx•19m ago•1 comments

Show HN: Strata – guess the city from its real 3D terrain and bathymetry

https://flightq.app/strata
3•skyq•20m ago•0 comments

Show HN: ADarkTerminal

https://adarkterminal.electricsheep.games
2•rrotaru•20m ago•0 comments