frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

TLS certificates for internal services done right

https://tuxnet.dev/posts/tls-for-internal-services/
32•mrl5•1h ago

Comments

mrl5•1h ago
I've documented how to securely set up TLS certificates for internal services without creating TLS issues for http clients downstream. All thanks to split-horizon DNS, WAF and ACME protocol. All for free!
rootnod3•14m ago
Uhm....source?
pizzalife•55m ago
I don't agree that tunneling everything through some external facing proxy is "TLS certificates for internal services done right".
nijave•51m ago
Arguably it's 1/2. You can put public certs on proxy then give proxy private CA to backend services. Then you don't need public certs for all the private stuff nor need to trust the private CA on all your devices.
wrxd•41m ago
I use the acme dns-1 challenge on my public domain. That gives you certificates you can use as you see fit, without needing to expose anything else to the public internet.

I also use Tailscale so I configure my DNS to use my Tailscale IP addresses. If you don’t want to expose them on a public DNS server you can add them only to an internal DNS server.

adontz•39m ago
Moreover you can delegate domain to improve security.

https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...

throw0101d•31m ago
> I use the acme dns-1 challenge on my public domain.

See also perhaps DNS aliasing in case you are not able to dynamically update your 'primary' domain, but can update a secondary or sub-domain:

* https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mo...

So if "example.com" is control by Corporate IT, and they don't want 'random' folks fiddling with it, then you can create a "dnsauth.example.com" and point the dns-1 challenge record from "…foo.example.com" to "foo.dnsauth.example.com" (or a completely different domain, like "…example.net").

There are DNS servers written strictly focused on this use case:

* https://github.com/acme-dns/acme-dns

Also code that handles a bunch of DNS provider APIs so you don't have to roll your own for ACME client hooks:

* https://github.com/dns-lexicon/dns-lexicon

spydum•40m ago
this is all fine and good, if you are okay broadcasting your internal hostnames. I suppose it's a trade off some might make.
CartwheelLinux•36m ago
There's one way around that which is requesting a wildcard cert, but then that has its own rammifications
Hamuko•39m ago
I use a registered domain with DNS validation and then CNAMEs that I resolve locally. Basically:

  1. Register a domain ("server.com") and put it on some public DNS that can do DNS validation with acme.sh.
  2. Use DNS validation to get a certificate on your domain from Let's Encrypt. You can just grab a wildcard one ("*.server.com").
  3. CNAME all of your services on a public DNS to an internal address ("email.server.com" → "server.internal", "plex.server.com" → "server.internal").
  4. Resolve your internal address on a local DNS server with an A record ("server.internal" → 192.168.0.123). This can often just be done on your router.
Since you use DNS validation, you just API keys for your public DNS service that acme.sh can use. No need to have any VPN network interfaces for getting your certificate. Your wildcard certificate also doesn't leak any details about your services.
cobertos•36m ago
Why not just map the domain to an internal IP and call it a day? Then the only way it can be accessed is through a VPN. Then use a wildcard so none of leaks into cert transparency logs
throw0101d•26m ago
> Then use a wildcard so none of leaks into cert transparency logs

You now also have to build infrastructure to distribute the wildcard from (presumably) central place where you generate it to all the different places where it is desired.

And hope the wildcard's private key does not leak from one of myriad of places it now lives.

patrakov•31m ago
My preferred procedure is to use DNS-01 validation and have no publicly accessible "A" or "AAAA" record for internal services.

Or even a more extreme example: https://crt.sh/?id=27555237869 (sorry for any possible crt.sh downtime) - the domain name in question never existed in public or private DNS by itself. It is used only for a WPA3-Enterprise network, as the CN that WiFi clients expect to be present in the RADIUS server certificate, but never resolve. In the public DNS, only the "_acme-challenge" TXT record exists.

EvanAnderson•27m ago
The relative proximity of the words "done right" and "split-horizon DNS" makes my insides hurt a little bit.

Use DNS validation to allow these internal services to pull ACME certs. There's so much less headache, long-term.

Split-horizon DNS (and the tedious make-work it can create when you start needing to mirror public-accessibly records in the private DNS) has always been something to aspire to move away from in my experience.

thomashabets2•21m ago
Personally, I hate split horizon DNS. I prefer the "BeyondCorp" model. I MUCH prefer putting an mTLS cert in my trusted devices over relying on VPNs in same devices. I've yet to see a "clever" DNS setup not cause annoyances.

Specifically grafana is nice to be able to see on the phone, and split horizon DNS and corp VPN is a hassle, to say the least, on phones.

I bet you can do it with HA-Proxy, but I use https://github.com/ThomasHabets/sni-router

raquuk•21m ago
I am looking forward to finally using DNS-PERSIST-01 for validation. No more dynamic DNS updates, DNS credentials or forwarding necessary.
boscillator•12m ago
The real answer here is that configuring HTTPS clients to trust a self-signed cert (or signed by an internal CA) shouldn't be as difficult as it is. I find it extremely annoying that every programming language has it's own idea of where certificates should live instead of just checking the os trust store.
xorcist•10m ago
This is crazy. If you have a home network with a few internal services, or some sort of network where you don't control the endpoints, just use DNS validation. That's why it exists.

But on hosts you control, you should absolutely provision them with an identity and join the local CA. You're going to need it for a multitude of other reasons.

ramblurr•7m ago
> TLS certificates for internal services* done right

* "internal services" = on a single server that is publicly routable

Show HN: 18 Words

https://18words.com/
430•pompomsheep•3h ago•180 comments

No leap second will be introduced at the end of December 2026

https://datacenter.iers.org/data/latestVersion/bulletinC.txt
108•ChrisArchitect•1h ago•79 comments

EU Parliament greenlights Chat Control 1.0

https://www.patrick-breyer.de/en/eu-parliament-greenlights-chat-control-1-0-breyer-our-children-l...
410•rapnie•5h ago•233 comments

TLS certificates for internal services done right

https://tuxnet.dev/posts/tls-for-internal-services/
32•mrl5•1h ago•20 comments

Launch HN: Context.dev (YC S26) – API to get structured data from any website

https://www.context.dev
15•TheYahiaBakour•46m ago•14 comments

PostHog Open Sourced

https://github.com/PostHog/posthog-foss
67•thatxliner•1h ago•36 comments

The glass backbone: Why the Army's logistics will break in the next war

https://mwi.westpoint.edu/the-glass-backbone-why-the-armys-logistics-will-break-in-the-next-war/
86•baud147258•2h ago•93 comments

Opinionated and Easy Pi.dev Configuration

https://lazypi.org/
22•lwhsiao•55m ago•10 comments

A Possible Future for Damn Interesting

https://www.damninteresting.com/a-possible-future/
17•mzur•49m ago•0 comments

Hy3

https://hy.tencent.com/research/hy3
27•andai•47m ago•11 comments

AI Content Is Everywhere on Social Media, Especially LinkedIn

https://www.pangram.com/blog/ai-in-your-feed
9•mukmuk•25m ago•1 comments

Show HN: LastShelf – an emergency map of your family's documents bills& contacts

https://www.lastshelf.ai/
21•sbrown12•1h ago•7 comments

New open access book on history of computers and politics

https://mitpress.mit.edu/9780262053198/simpolitics/
18•mckelveyf•1h ago•0 comments

TrueBiz (YC S22) – Senior Software Engineer – Remote (US) – Full-Time

1•dannyhak•4h ago

Meta reuses old RAM in new servers with custom bridge chip

https://www.networkworld.com/article/4192827/meta-reuses-old-ram-in-new-servers-with-custom-bridg...
211•ihsw•5d ago•137 comments

Introducing Muse Spark 1.1

https://ai.meta.com/blog/introducing-muse-spark-meta-model-api/?_fb_noscript=1
145•ot•2h ago•97 comments

Coordination Without Consolidation: On Systems of States [pdf]

https://isonomiaquarterly.com/wp-content/uploads/2026/06/iq-4.2-summer-2026-macdonald-coordinatio...
7•brandonlc•55m ago•1 comments

What is Bending Spoons? The little-known AOL and Vimeo owner that's now public

https://techcrunch.com/2026/07/05/what-is-bending-spoons-everything-to-know-about-aols-acquirer/
16•jack1689•3d ago•11 comments

Spider venom kills varroa mites without harming honeybees

https://connectsci.au/news/news-parent/9703/Spider-venom-kills-varroa-mites-without-harming
238•Jedd•11h ago•102 comments

US seeks cheaper hunter-killer drones after Iran destroys $1B worth of Reapers

https://arstechnica.com/gadgets/2026/07/us-seeks-cheaper-hunter-killer-drones-after-iran-destroys...
141•rbanffy•2h ago•168 comments

Show HN: Analog Watch

https://analog.watch
39•ezekg•1h ago•38 comments

Show HN: FableCut – A browser video editor AI agents can drive (zero deps)

https://github.com/ronak-create/FableCut
69•ronak_parmar•2h ago•43 comments

Maxwell's Equations Were Discovered [video]

https://www.youtube.com/watch?v=-hua8RWopfw
20•surprisetalk•1h ago•6 comments

How to Write an Email

https://blog.dannycastonguay.com/how-to-write-an-email/
8•speckx•48m ago•5 comments

A Road to Lisp: Why Lisp

https://scotto.me/blog/2026-07-09-why-lisp/
21•silcoon•3h ago•10 comments

John Deere owners will get the right to repair equipment under FTC settlement

https://apnews.com/article/john-deere-right-to-repair-agriculture-equipment-cb7514ffedb95c130a976...
1220•djoldman•16h ago•252 comments

Transparency efforts behind the Helium Browser

https://helium.computer/blog/transparency
20•twapi•2h ago•12 comments

How version control will evolve for the agent boom

https://entire.io/blog/how-version-control-will-evolve-for-the-agent-boom
35•tapanjk•3h ago•45 comments

Why we're moving off Cloudflare Durable Objects

https://usewire.io/engineering/why-were-moving-wire-off-cloudflare-durable-objects/
9•jitpal•1h ago•0 comments

Syria's solar boom is redefining Middle East's energy model

https://www.thenationalnews.com/business/energy/2026/07/06/syrias-solar-boom-is-redefining-middle...
62•littlexsparkee•2h ago•15 comments