Photo of Terence Eden. He has a beard and is smiling.

Should you use Let's Encrypt for internal hostnames?

· 29 comments · 500 words · Viewed ~34,959 times.

Julien Savoie has written a brilliant post explaining how you can enable https on your intranet.

This is useful for several reasons. It means your employees aren't constantly fighting browser warnings when trying to submit stuff internally. All your http traffic is encrypted. You don't need to install a self-generated root certificate on devices. Lovely!

But there's a downside. Every TLS certificate created by Let's Encrypt is recorded in a Certificate Transparency log. These CT logs are primarily to detect maliciously or mistakenly issued certificates. For example, you can look through them and see that someone unauthorised has created a cert for your domain - or its sub-domains.

But there is a downside. The CT logs are public and can be searched. Here's all the certificates issued for Twitter's sub-domains.

There are a few ways that this can be dangerous for use with internal services.

Firstly, it aides reconnaissance for attackers. Having a "map" of your internal infrastructure is useful. Especially if you have "obviously" named servers like exchange.example.com or customerdata.example.com. Also handy for social engineering - who else but someone internal would know that gandalf.example.com was a valid server?

Secondly, it might expose some vulnerabilities - depending on how you name things. Let's hope you don't have log4j.example.com!

Thirdly, there's the potential for espionage. Do you want your competitors knowing that you've got olympics-campaign.staging.example.com?

I'm sure you can think of a few other ways this could be used for mischief and mayhem.

As I wrote a few years ago, "There's no HTTPS for the Internet of Things". Internal networks which only have IP addresses cannot use TLS certificates. OK, so you decide to have an internal DNS - now the whole world knows you have doorbell-model-xyz.myhome.example.com!

The only real answer to this is to use Wildcard Certificates. You can get a TLS certificate for *.internal.example.com

This requires setting up a DNS-01 Challenge - which can be more difficult to configure and has some non-obvious risks. And, sadly, Wildcard certificates come with their own difficulties.

Recap

I don't think there's a good solution to this.

  • Self-signed certificates require something to be installed on all clients. Not always possible with BYOD.
  • Named LE certificates expose details of your infrastructure which you may wish to keep private.
  • Wildcard certificates require a heightened level of co-ordination and management.

These problems have all been discussed before. But I can't help but wishing that there was something obvious I'm missing.

How would you solve this knotty problem?

Share this post on…

29 thoughts on “Should you use Let's Encrypt for internal hostnames?”

  1. Sikander says:

    Wow, I didn't know of the Certificate Transparency Log!

    That's cool, but also a bit surprising that it's not something most people would be aware of when signing up for Let's Encrypt free certificates.

    Reply

    1. Alex Chamberlain says:

      FWIW, most public CAs post certificates to a CT log. It's not a feature of Let's Encrypt.

      Reply

      1. Sikander says:

        Ah, in that case the heading can be modified to: "Should you use any public CA for internal hostnames?"

        Reply

  5. Patrick Smears says:

    Is there such a thing as a "CA certificate restricted to signing subdomains of a certain domain"? That seems like it might be a useful piece in the puzzle: if LE could issue those (with the same validation as for wildcard certificates), then you could make your own (valid) certificates for your devices, without them appearing in the transparency logs. That may seem a bit dangerous, but it's not really any more dangerous than a wildcard certificate in the first place. And there are still downsides - but it might be a good fit in quite a few cases. If it's possible 😉

    Reply

    1. sthen says:

      @Patrick: There is such a thing, name constraints, but there are problems. It relies on the client to check and while it's better supported now than it used to be, I bet there are some important things that don't use it, so nullifying the constraint. Also it only applies to subjectAlternativeName not the names in CN. While a CA can enforce that SAN is used in certs that it signs directly (indeed this is part of the CA/B forum requirements) that's not the case with a subCA. Similarly some other things enforced by the CA (validity is a big one) could no longer be enforced as a subCA.

      Also the requirement to publish ct logs is still there.

      Basically there needs to be a lot more trust in somebody to operate a subCA (even restricted by name and path length constraints) than any type of host certificate (whether that's wildcard or for an individual server).

      Reply

  6. Dave Cridland says:

    You're quite right that Certificate Transparency has information leakage that can be a security risk in multiple ways.

    Wildcard certificates also present the problem that - obviously - they're no longer specific to a particular service or even host, and that means sharing the private keys about, and that in turn means heightened risk. Given the outcome of compromise with a wildcard certificate is worse too, I'd advise avoiding wildcard certificates.

    Instead, I'd go for a private CA - not self-signed certificates, but an actual, honest to goodness private X.509 infrastructure. For an organisation, that's not too dramatically painful, and the CA can be limited to only your org's domain (with Name Constraints, now apparently supported in some places). "Bring Your Own Device" doesn't (and shouldn't!) mean "Do Whatever You Want On Your Own Device When Using It For Organisational Work", so installing the trust anchor (CA certificate) shouldn't be seen as an onerous task, as long as Name Constraints preclude abuse.

    For purely internal services which can only be reached inside the network, it feels like there should be a way of handling the trust anchor via either the VPN or DHCP, but I'm not sure there is - but there is via MDM software (though those are not ideal with BYOD). Still, even where Name Constraints haven't been used, I've found a private CA a one-time task that's easy to talk people through. Once in place on the client device, it "just works", providing the security of a public CA without the downsides.

    In short, I think the focus on addressing this problem should be in making private CAs simpler to manage on client devices, instead of trying to use public CAs (with CT leaking information) or wildcard certs (with heightened risk), and other poorer solutions.

    Reply

    1. sthen says:

      @Dave: remember you can have more than one wildcard cert, each with a different key. So one possibility is to use various certs like *.randomstring.example.org, then ct logs won't have a directly useful name, while avoiding shared keys. If it needs to be typed by a human then for at least https you could have one server trusted with a key for *.example.org issuing http redirects to the "hidden" name. By no means perfect, but it can be useful in some cases where a private CA is just too difficult.

      Reply

  9. Xzenor says:

    Why not just use an internal CA? Sure you'll have to deploy your CA to the trusted Certificate Authorities of all your machines but it works and you only have to do that once. Or maybe twice as some browsers have their own store..

    Works just great 👍🏻

    Reply

  10. Randall says:

    Some cloud providers (Amazon and Google at least) provide a private CA feature, for a fee. At least Amazon also has their own way to provision LE-like free certs for their own resources (ELBs, etc.) that are valid on the public Internet (and logged to CT).

    An independent but also interesting practice I've seen is a totally distinct domain for internal stuff; for example, maybe the public site is acme.tv and internal stuff is at acmeinc.net. Whatever your cert practices are, that separates stuff like webpage origins and email-related DNS entries between prod and internal, which might impede/slow down efforts to use a bug on one side to impact the other.

    Reply

  12. Max Truxa says:

    The by far best solution to these problems:
    Deploy a private ACME CA like step-ca ( https://smallstep.com/docs/step-ca) and install the private root on all devices. Now you got your own private "LE".
    As others have already stated, installing a company root cert on all devices should not be a problem, even with BYOD.

    Reply

  14. CW says:

    I use a reverse proxy for internal and external access with a wildcard. Internally I point the cosmetic dns names to the reverse proxy host. Those names match the external dns name so whether I'm at home or out and about I only need to use 1 name to access my services.

    Reply

  16. Liam Ayr says:

    Internal hosts are frequently referred to by shortname. so appserver.example.com being an internal host is only referred as 'appserver', not using an FQDN.

    The problem then arises that any certificate must contain the short name to match the user typing https://appserver
    If the certificate does not contain that name but only appserver.example.com then you get a name mismatch error. It will only match if the user always presents a FQDN as the URI. Uncommon in corporate environments and a usability compromise.
    A public CA such as LE won't accept a cert request using 'appserver' as the name as it's not globally unique. Public CAs only assert the identity of globally unique identifiers.

    The right way to do this for internal sites is an a private internal CA. Many many products and solutions available to do this. I like the simplicity and flexibility of openssl in this regard.

    Reply

  18. AlisonW says:

    I've gone the internal CA route in the past. Because they don't require from-external access the need to accept the internal-root certificate for each machine is a one-time thing.

    Reply

  20. says:

    What we need is a Shadow CA service for all reserved domains:
    .home, .internal, .corp..

    What do I mean a "Shadow CA". Similar to a Shadow DOM; it only "really" exists at an edge endpoint, hiding the internal structure.

    A Shadow CA is basically a clone of Let's Encrypt, but:
    - never signs any public internet names
    - assigned ONE, unique identifier per level
    - OS/browsers can trust the CA, or at least IT only have to install 1 certificate ever
    - Chain your self-signed CA at ca.mycompany.corp to the Shadow CA and bada bam bada boom

    For now, by running your own root CA now and having your own chained CA, you can at least get down to just installing one certificate.

    For installing one certificate, at least this much can also be automated with signed software.

    For the beginning developer that is still quite a hurdle.

    Reply

  21. Garet says:

    Ah, some missing text


    assigned ONE, unique identifier per level to each organization or individual


    In other words; you can't buy multiple domains.
    you can have one .home, one .corp, one .internal

    If you want to authorize further custom craziness, you can chain it but it will only be valid for users of your custom infrastructure.

    Reply

    1. James says:

      You might need to make this a part of DHCP or something, so that I can set up a malicious Cert.

      Reply

Trackbacks and Pingbacks

  1. :

    Here is a record of weekly tech content worth sharing, published on Friday. ( [Notice] Next Friday and Monday, the weekly magazine will be suspended once. ) This magazine is open source (GitHub: ruanyf/weekly ), welcome to submit issues, contributions or recommend scientific and technological content. Weekly discussion forum post “Who’s Hiring? “ , provides a lot of programmer employment information, welcome to visit or post job/internship positions. cover picture A British company is promoting the body chip, and the woman in the picture uses the body chip to pay. This chip was originally used to automatically open doors for disabled people, and was later extended to normal people. ( via ) Topic of the week: How to survive the pandemic, layoffs, and war There has been a lot of bad news recently, including epidemics, layoffs, and wars. As soon as the group and circle of friends were opened, these things were forwarded, and many people’s moods were affected. Talk about my thoughts today. Many netizens sent private messages to ask me about my current situation in Shanghai. I didn’t reply, I always felt that there was nothing to say about life in isolation. The community has been closed for a month, and I can’t get out. I go downstairs to make nucleic acids and collect materials. These things are not worth detailing. In my opinion, the correct attitude towards these things is three words: let it go , English is called let it be. Don’t worry about these things, the reason is very simple, they are completely beyond your ability, you can’t influence them at all, no matter how far things develop, you can only accept them. Even if you feel pain and distress, will it change the situation? Our time is precious, not for the things you can’t change, but for the things you can. An American theologian once wrote a famous prayer : “Give me the strength to change what can be changed with all my strength, to accept with equanimity what I cannot do, and to have the wisdom to distinguish between the two. “ When the epidemic will end and the community will be unblocked, there is nothing you can do. Instead of worrying about this kind of thing, just leave it alone. It is rare to have such a sudden stop in life, don’t waste it, read a little more, learn a little more technology, it is more useful than anything, and when life returns to normal, they can help you. In August 1665, the University of Cambridge was closed due to the plague pandemic, and the students went home. A 22-year-old student returned to his hometown in the countryside and stayed out of the house for 18 months. He studied hard and did experiments. Finally, he proposed a whole new set of theories, which completely changed the scientific progress of mankind. This student is Newton. The epidemic is a disaster, but if you can make good use of this time, it may become an asset in your life. Layoffs should also be viewed in the same way. This time, layoffs in some industries (real estate, education and training, and the Internet) are industry-wide contractions, not employees’ problems. The industry’s problems are beyond your personal efforts. If a company cuts down entire departments and lines of business, the best employees in it will inevitably suffer. Don’t be discouraged and anxious, let alone doubt yourself, since things have happened, all you can do is let it go, don’t spend your time sighing and cynical, but keep learning, hone your skills, and wait until the industry picks up. will be rewarded. If you think about it this way, the reason why these industries shrink is because the market demand in the early stage is strong and the expansion is too fast. This shows that their market demand is real, and as long as the market demand is still there, there is room for development. Finally, I would like to give you two words, which are all in my opinion. If you also have a lot of free time because of the epidemic, it is recommended to come and have a look. The first sentence is from “Zeng Guofan’s Family Letter”. Zeng Guofan’s life was not smooth, and he didn’t start until he was 50 years old. He wrote many letters to his younger brother, and repeatedly taught his younger brother to be able to withstand setbacks and to be calm. He said that life should be “four resistant”: ” tolerant to cold and hardship, hard work and leisure .” I think it is really good to say, it is very suitable for the current epidemic period. The second sentence is from the classic Japanese drama “Long Vacation”. This TV series was filmed 20 years ago, and it is not out of date to watch it now. It tells the love story of two hapless young men who meet and inspire each other. Its title is taken from a sentence that the hero said to the heroine: “When things go wrong in life, you don’t have to sprint hard, just treat it as a long vacation given by God, and enjoy this vacation. Suddenly a day of vacation ends. , Time turns, and life really begins.” Computer Master’s Postgraduate Training Camp The training camp for computer postgraduate entrance exams introduced last month is now open again this week. This year’s employment situation is severe, and a master’s degree in computer science is indeed helpful for finding a job or changing industries, so the number of applicants will hit a new high. According to the current situation, the number of applicants next year is only a lot more. If you are planning to take the postgraduate entrance examination, or have not made up your mind yet and want to seek expert advice, you can sign up for this training camp. Next year’s postgraduate entrance examination is actually very close, and we will register in September and take the exam at the end of the year. The contents of the training camp are all things that you must know about the postgraduate entrance examination, such as the process and trend of the postgraduate entrance examination, how to prepare for professional courses, politics and English. The whole course is divided into four live classes (including recorded content), the arrangement is as follows.
    Day 1: Postgraduate planning class Lecturer Liu Shuo (graduated from Tsinghua University, New Oriental has more than 10 years of experience in postgraduate entrance examinations), introduced how to choose a major for a master’s degree in computer science, examination subjects and scores, employment prospects, etc. Day 2: Computer Science Class The lecturer, Li Chao (Master of Computer Science from Harbin Institute of Technology, winner of ACM ICPC Asia Silver Award, former Huawei and Alibaba engineer), introduced how to get a high score of 120+ points in professional courses and review strategies for four professional courses of 408 (computer unified examination number). Day 3: Politics class The main lecturer, Zhong Ruo (the leader of the political subject for postgraduate entrance examinations, with a total of 6000+ hours of teaching), introduced how to get rid of rote memorization and quickly grasp the key points of political review. Day 4: English class The main lecturer, Zheng Yiyi (leader of the English program of the course bar, former senior lecturer of English for New Oriental Postgraduate entrance examination), focuses on how to deal with English reading and review methods for difficult English problems.
    In addition to the live class, the organizer “Let’s Start” also provides a three-in-one tracking service of lecturers, teaching assistants, and class teachers to answer your questions throughout the process. At the end of the training camp, there is also a big data AI system, which can help you choose a school and a major accurately based on the score line and application situation over the years, and tailor the preparation plan. Whether you are applying for an academic master’s, a professional master’s, or a part-time master’s degree, you can listen. Considering that some students are not from the computer science class, they will also take care of these students during the lecture, and answer how to prepare for the postgraduate entrance examination with zero foundation in inter-professionalism. Weekly readers pay a registration fee of one yuan to attend the class, and they can also Receive valuable data packages such as computer test syllabus, past real test materials, and political/English test preparation materials . Scan the QR code above on WeChat to learn about the course details and register. After paying the registration fee, the teaching assistant QR code will pop up. Don’t forget to add the teacher’s WeChat account to receive the course. Technology trends 1. Canopy of ancient buildingsScotland is a rainy region, with an average of more than 190 rainy days per year. This took a toll on a local century-old building, where the cement became brittle and crumbled by the rain. In order to protect the four-story building, the local government built a huge canopy, the outer layer is a steel ring, forming a transparent net, a total of 32.4 million steel rings were used, just like a The largest armor in the world. The advantage of this design is that it can maintain natural ventilation without sacrificing views, and visitors can still view the building from a distance, which is worth learning from. 2. Magpie TrackerAustralian scientists put trackers on magpies to study their behavior. However, the power of the tracker is limited, and it will run out in a few days. How can I charge the tracker? Scientists have come up with a clever solution, designing the tracker to charge wirelessly and then spilling food all over the charging pad. When the magpie eats, it automatically charges and downloads data. When needed, a powerful magnet is put in place, which will tear off the tracker’s straps, releasing the tracker. Flying motorcycleA French company has made a motorcycle that can fly like a sci-fi movie. Its front and rear wheels each include two tires, which can drive normally on the ground like a motorcycle. In flight, the four tires can also be raised, turning into horizontal propellers. Combined with a jet engine, the motorcycle becomes an aircraft. The price of this motorcycle is as high as 560,000 US dollars (about 4 million yuan). Toner cartridge chipPrinter toner cartridges have chips that detect if there is a shortage of toner and if the toner cartridge is genuine. Due to a global shortage of chips, Canon is now shipping toner cartridges without chips. Without the chip, after the toner cartridge is inserted into the printer, the system will pop up a warning, indicating that it may not be genuine. Canon had to post a tutorial on its official website to teach users how to turn off anti-counterfeiting detection. VegaboardA company in California, USA, invented a display board called Vegaboard. Users send it a text message from a mobile phone or computer, and it displays when it receives it. What makes it special is that this is not an electronic device, but a mechanical one. Each character is a flip device that supports 8 colors. It can be hung on the wall and act as a notice board, the company says. The question is, why don’t users just hang a TV, but hang this thing? It has limited features, and at a whopping $2,850, it’s much more expensive than a TV. article 1. How HTTPie lost 54,000 Stars (Chinese) HTTPie is a very well known open source project with 54,000 stars on GitHub. A project administrator accidentally made it a private project, causing all stars and watches to be zeroed out and not recoverable. HTTPie officially wrote a long article , reviewing the whole thing and summarizing the lessons. This article is a Chinese translation. (Contributed by @yangchuansheng ) 2. The career path of an EU fresh graduate (English) This is an article written by a European who graduated as a software engineer with a master’s degree and interviewed more than a dozen Internet companies. He recorded the application process for each company, as well as the salary given. Here you can learn about the state of the Internet industry in Europe. 3. The first 10 lines of code in the Twitter HTML page (English) When the author interviews front-end programmers, he often opens the source code of Twitter’s HTML page and asks the candidate to explain the purpose of each line of the first 10 lines of code (above). 4. How the USB interface was born (English) In the early 1990s, an engineer at Intel wanted to find an easy way to add external devices to a computer that could be plug-and-play and still provide power. This article describes some of the circumstances at that time. 5. When you are sad, the computer sends a picture of a cat (English) This article introduces a small project by the author that uses a camera to identify user emotions. If you find that you are in a bad mood, it automatically pushes a photo of a cat on your iPhone. All operations are local and there is no risk of data leakage. 6. We have 80TB of traffic and 5 million page views per month for less than $400 (English) The author describes how to support a huge traffic website with services such as Cloudflare, Backblaze, Bunny.net, etc. at a cost of $400 per month. 7. Raspberry Pi builds PyPi server (English) The author demonstrates how to build a PyPi server with Raspberry Pi to download various packages of Python when offline. If you don’t know how to play with Raspberry Pi, you can read this article. 8. Should Let’s Encrypt be used in the intranet? (English) Let’s Encrypt is generally used to generate free HTTPS certificates, but it has a problem: once used, the hostname can be found by the outside world. 9. Five tips to improve the health of your Postgres databasePostgres databases are becoming more and more widely used, and this article summarizes five tips to improve the health of your database. tool 1. Navidrome Music ServerAn open source music streaming media server that provides a web management interface that can be used to manage your own music files. 2. BookStackA PHP station software similar to WordPress, mainly used to organize notes and knowledge management, and provide a directory-style page structure. 3. JSON VisioAn open-source JSON visualization tool that converts JSON data into a treemap display. 4. StarshipThis software customizes the prompts (prompt) of various command line environments. It is highly configurable and can customize hundreds of parameters. It supports various common command line environments such as Bash, Zsh, Fish, and Powershell. 5. MailwindA command-line tool that converts web pages using Tailwind CSS into email-specific web pages, saving you the trouble of styling emails. 6. CodeTerminalA standalone terminal emulator split from VS Code. (Contributed by @xcodebuild ) 7. TSRPCAn RPC framework designed for TypeScript, verified by millions of users. It is suitable for scenarios such as HTTP API, WebSocket real-time applications, and NodeJS microservices. (Contributed by @simlePig ) 8. Picture beautifierA web widget that can add a background frame to your image and add a title. (Contributed by @shfshanyue ) 9. EoapiOpen source API management and testing APP. (Contributed by @scarqin ) 10. LayoutA command-line tool that can render Graphviz files into SVG images. resource 1. SVG SilhThere are tens of thousands of SVG image libraries in total. 2. Open academic journal search engineThe search engine for scientific papers, there are currently more than 6 million articles. 3. Device InfoA web tool that displays all the user device information that the browser can collect, such as battery, microphone, bluetooth, etc. 4. Introduction to Operating Systems (English) Operating Systems: Three Easy Pieces is a free introductory operating system tutorial and a highly rated book. 5. Pixel picturesTakashi Maeda, the former art director of Nintendo, made a website that provides a large number of pixel images, with classification and search, and can be downloaded and used for free. picture 1. Probability of adverbsIn 2018, two American data scientists wanted to know what the probability is in mind when people use adverbs to express degrees, such as always (always), likely (probably), and often (often). They did a questionnaire and asked people to fill in the probability of each word, and got the following results. According to the above figure, different people have very different probability of understanding the same adverb. For example, when they hear the word “Probably”, some people think that the probability of occurrence is 50%, and some people think that it is higher than 80%. Therefore, when you want to express accurately, you should minimize the use of these adverbs. 2. Wall paintings on the outside of the buildingA Russian artist specialises in painting surreal illusion murals on the facades of buildings. This is the building before the painting. This is the building after painting. Only one of the air conditioners is real, if you don’t say it, can you identify it. abstract 1. The price of high intelligence Swedish biologist Alexander Kotrschal once conducted an experiment to find out whether differences in brain size affect the intelligence of animals. His subjects were small fish called guppies, and he picked out individuals with abnormally large and small brains as a control group. On average, the difference in brain size between the two groups of guppies was about 9 percent. After grouping, the biologists began to train them to distinguish symbols. It turns out that big-headed guppies are more intelligent than small-headed guppies, which means that the size of the head does have an impact on the animal’s intelligence. However, high IQ comes at a price. Bighead fish have smaller guts and fewer offspring. The brain is an expensive energy-consuming organ, for example, the human brain only accounts for 2% of body weight, but consumes 20% of its energy. Many scientists believe that in order to have a larger brain, the rest of the body must be shrunk, and that’s what Kotschall found in guppies. What’s more, large-headed guppies produced 19 percent fewer offspring than small-headed guppies. So it can be said that the price of cleverness is that you may give up reproduction, because reproduction is also an energy-intensive activity. This fits a pattern seen in other animals. Among mammals, the most intelligent primates and cetaceans (whales and dolphins), fertility rates are also unusually low. Humans, in particular, have the largest brains and the fewest offspring among primates. “Our findings suggest that the reduction in the number of offspring may have been a major cost of the evolution of larger brains in primates, especially hominids ,” Kotschall said. Will the brains of highly intelligent animals become so large, consume a lot of energy, and reproduce so slowly that this will lead to their extinction? If a species is to survive, the advantages offered by a larger brain, such as a higher IQ, must outweigh the decline in offspring. speech 1, Your work will take up a large part of your life, so there is only one way to truly satisfy yourself in life, and that is to do the work you feel is worthwhile. — Jobs2, If McDonald’s were like a contemporary software company, when there was a bug (like a spoiled hamburger), the McDonald’s response would have been: “I’m so sorry, as compensation, we’re giving you two coupons.” –Mark Minassi3. The idea of ​​surfing is interesting. You challenge nature with a small board and say, “I want to ride on top of you!” Sometimes nature doesn’t care and lets you ride for a while. But more often, nature says “No, it’s not like that!” and knocks you under the spray. — “Your Career”4. In the Internet age, the key to business success is not to master supply, but to master demand. You have to have a direct relationship with your customers, and if someone gets in the middle, your customer acquisition costs will keep going up and your profits will drop. One example is Google paying Apple about $9 billion a year just to make Google the default search engine on iOS. — “Mastering Needs”5. If one day all the documentation and design drawings disappeared, we would still have an advanced industrial civilization, because well-trained engineers are the source of technology. But if the engineers disappear, no amount of documentation and drawings can save us, just as the ancients couldn’t build a car with drawings. So instead of viewing intellectual property and tools as the ultimate goal of technological progress, we should focus on developing better scientists, engineers, and technologists. — “Bring Silicon Back to Silicon Valley Again”this week in history 2021 (Issue 153): Is Machine Translation an Insult to Translators?2020 (Issue 101): The Internet is no longer scarce2019 (Issue 50): “Time for Income” is a trapsubscription This weekly magazine is published every Friday, and is updated simultaneously on Ruan Yifeng’s web log and WeChat public account. Search for “Yifeng Ruan’s web log” on WeChat or scan the QR code to subscribe. (Finish) document information Copyright statement: Free to reprint – non-commercial – non-derivative – keep attribution ( Creative Commons 3.0 license ) Date published: April 22, 2022This article is reproduced from: http://www.ruanyifeng.com/blog/2022/04/weekly-issue-204.html This site is for inclusion only, and the copyright belongs to the original author.

  2. :

    […] There’s no need to get a publicly signed certificate as long as all Global Protect clients trust the FreeIPA (root) CA. A nice bonus is not having to permit inbound HTTP-01 traffic, which in Let’s Encrypt’s case is cloud-hosted (what else is hosted there?). Or exposing internal domains, see: Terence Eden’s Blog – Should you use Let’s Encrypt for internal hostnames? […]

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

See allowed HTML elements: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">