zlacker

[parent] [thread] 11 comments
1. vbezhe+(OP)[view] [source] 2025-03-26 11:36:13
I don’t think you can issue proper cert for a private IP. So using dns host name is the only option.
replies(2): >>CableN+w3 >>szszrk+Ri
2. CableN+w3[view] [source] 2025-03-26 12:07:31
>>vbezhe+(OP)
If you control an internal CA you can make certs for anything. I have one for my homelab, and even have a few certs issued for my homelab, which are not for domains i control as well as certs with IPs. The CA is who says you cant do those things, and yes its generally agreed upon for the public internet, certs shouldnt have IPs in them, but if you are operating internally theres nothing stopping you.
replies(4): >>weinzi+yd >>znpy+Od >>scienc+Vi >>szszrk+Dl
◧◩
3. weinzi+yd[view] [source] [discussion] 2025-03-26 13:11:50
>>CableN+w3
Let's encrypt public internet certs can have IPs in them.

https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/

replies(3): >>szszrk+cj >>CableN+Oj >>crtasm+XI
◧◩
4. znpy+Od[view] [source] [discussion] 2025-03-26 13:13:25
>>CableN+w3
setting up kubernetes typically involves creating a private CA, so most definitely yes, you technically can issue certificates for whatever you want.
5. szszrk+Ri[view] [source] 2025-03-26 13:46:38
>>vbezhe+(OP)
Private CA's are a thing, it's not even rare in organizations that control their hardware. There are plenty of use cases to go that route.
◧◩
6. scienc+Vi[view] [source] [discussion] 2025-03-26 13:47:07
>>CableN+w3
Which software are you using and what is the process !??
replies(1): >>CableN+gl
◧◩◪
7. szszrk+cj[view] [source] [discussion] 2025-03-26 13:49:04
>>weinzi+yd
I completely forget about that announcement. Is that already available as GA? Because that blog post was just a teaser for the whole 2025 and I can't see docs about it at first glance.
◧◩◪
8. CableN+Oj[view] [source] [discussion] 2025-03-26 13:52:38
>>weinzi+yd
Thats a pretty recent change, only 2 months ago. I wasnt aware of that, and you usually wont find that woth other CAs.

Im not sure i like the public internet with ip certs. I do it at home because sometimes dns be down and have some good internal uses. But, shouldnt be public. Imagine firing up a /24 on linode, requesting certs on every ip, then releasing the ips, and saving the certs. Another linode account would later get an ip in that range, and then you can freely mitm the linode site by ip. Im making a number of 'magical' things in between this, of course, but, it seems allowing an IP from a public CA could be a terrible thing. The only saving grace in this case is the short lifetime of the certs, however, im not a fan of that either.

As an aside, im starting to get squinty eyes relating to LE, both things they announce in that article, are things that greatly affect the internet at large. I see it as something google would pull to ensure dominance by lock-in. Sorry you can no longer change SSL providers because certs only live a few minutes now, and of course you cant afford to not have a cert or no one will see your site. Im exaggerating slightly, but these changes are not something i think should be allowed, and LE shouldve listened to everyone yelling. Sure, allow down to 6 day certs, but that will surely become the maximum soon.

◧◩◪
9. CableN+gl[view] [source] [discussion] 2025-03-26 14:02:21
>>scienc+Vi
Im just using hashicorp vault, with a multi tier CA setup. Real CA is just a docker container that stays off 99.9% of the time, and the furthest branch intermediate lives on the actual vault instance, which is used to issue certs, among other things. As long as you add your CA chain to your system and browser, they get treated as valid. I even have long term certs in some places because i dont want to change them. Public CAs max at 1 year most of the time now. I issue certs for my internal domains, and public subdomains where im only the one to use it. I use LE for the real public things.
replies(1): >>XorNot+np
◧◩
10. szszrk+Dl[view] [source] [discussion] 2025-03-26 14:04:43
>>CableN+w3
> its generally agreed upon for the public internet, certs shouldnt have IPs in them

That's a bit of a stretch to say anyone agreed on not using IP based certs. Quite the contrary. It is present in RFC 5280 and SAN can contain an IP. It's just very rare to do that, but can be done and is done. Modern browsers and OSs accept it as well.

It's nice when you need to do some cert pinning to make sure there is not MITM eavesdropping, or for example on some onprem environments where you can't fully control workstations/DNS of you user endpoints, but still want to have your services behind certs that actually properly validate.

◧◩◪◨
11. XorNot+np[view] [source] [discussion] 2025-03-26 14:26:58
>>CableN+gl
If you're running your own CA then really should just set your expiries to the maximum (49 years is practical) and never worry about it.

You don't have enough nodes for CRL size to become a problem, and if a node does get compromised you're hardly going to leave it up and running for a year (i.e. you'd obviously kill the node, and the cert is useless without control of the DNS name).

EDIT: the other direction to go of course is way shorter. Like do you need a certificate with a lifetime longer then business hours before renewal?

◧◩◪
12. crtasm+XI[view] [source] [discussion] 2025-03-26 16:19:04
>>weinzi+yd
Not yet, but coming soon.
[go to top]