re: Would it be possible for routers to run Let's Encrypt?


I'm not really sure how that would work. The router would need to request an address for 192.168.1.1, but the Let's Encrypt servers would require proof that you own that address, but since it's a local address, they can't do a DNS lookup, or send an HTTP request to do the verification.


I've since seen here that they aren't able to produce certificates that aren't a part of public DNS. So names like localhost and 192.168.x.x are currently not possible for Let's Encrypt. Do you think they'll add this in the future? Or potentially create "global" certs that any service running on a local network could use?


Breaking this down:

> Do you think they'll add this in the future

How would you propose that Let's Encrypt validate my ownership of 192.168.1.1? They need to contact that IP address to check I own it - but their 192.168.1.1 doesn't refer to the same machine as mine.
Does that make sense?

> Or potentially create "global" certs that any service running on a local network could use
So now, I open 192.168.1.1 in my browser, or let's say 10.45.214.12. I get back a valid Let's Encrypt TLS certificate for that IP. I'm certain that I'm talking to the machine on my LAN, or corporate WAN, with that IP address, right?
Not quite - how do I know someone hasn't rerouted the traffic to a machine they control - say some kind of hacker who already has a foothold in the network.
If Let's Encrypt publicly post private keys and certificates for all the private IP addresses in existence, I can never be sure if I'm talking to the machine I want to talk to, or another machine that happens to have the same private key downloaded from Let's Encrypt!
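The reasoning in the thread comes down to one check: a public CA can only validate an identifier it can reach from the public Internet, so private IPs, loopback, link-local and special-use names such as `localhost` can never pass domain validation. The script below is an added example (not code from the thread or from Let's Encrypt) that runs that check over a candidate list of certificate names before anyone wastes an issuance attempt; the list of special-use suffixes (`localhost`, `.localhost`, `.local`) and the sample inputs are assumptions constructed for the example, and the standard-library `ipaddress` module does the address classification.

```python
import ipaddress

# Constructed for this example: name suffixes that have no public DNS and
# therefore cannot be validated by a public CA. "localhost"/".localhost"
# are reserved by RFC 6761 and ".local" is the mDNS domain (RFC 6762).
NON_PUBLIC_NAME_SUFFIXES = (".localhost", ".local")


def classify_identifier(identifier: str) -> tuple[bool, str]:
    """Return (publicly_validatable, reason) for one hostname or IP literal.

    A public CA validates by resolving the name in public DNS and/or
    connecting to the address from its own vantage point. Anything it
    cannot reach that way (private, loopback, link-local, special-use)
    is reported as not validatable.
    """
    ident = identifier.strip().rstrip(".").lower()
    # Allow bracketed IPv6 literals as they appear in URLs, e.g. [fe80::1]
    if ident.startswith("[") and ident.endswith("]"):
        ident = ident[1:-1]

    try:
        ip = ipaddress.ip_address(ident)
    except ValueError:
        ip = None

    if ip is not None:
        # Order matters: 127.0.0.1 is both loopback and "private".
        if ip.is_loopback:
            return False, f"{ip} is a loopback address; only this machine can reach it"
        if ip.is_link_local:
            return False, f"{ip} is link-local; it never leaves the local segment"
        if ip.is_private:
            return False, f"{ip} is a private address; the CA's {ip} is a different machine"
        if not ip.is_global:
            return False, f"{ip} is not globally routable"
        return True, f"{ip} is a public address a CA could connect to"

    # Hostname checks.
    if ident == "localhost" or ident.endswith(NON_PUBLIC_NAME_SUFFIXES):
        return False, f"{ident} is a special-use name with no public DNS entry"
    if "." not in ident:
        return False, f"{ident} is a single-label name, not resolvable in public DNS"
    return True, f"{ident} could be validated through public DNS"


def audit_san_list(identifiers: list[str]) -> dict[str, list[str]]:
    """Split a proposed SAN list into names a public CA could validate and
    names that must instead be covered some other way (for example by a
    CA the local network trusts)."""
    report: dict[str, list[str]] = {"validatable": [], "not_validatable": []}
    for ident in identifiers:
        ok, reason = classify_identifier(ident)
        report["validatable" if ok else "not_validatable"].append(f"{ident}: {reason}")
    return report


if __name__ == "__main__":
    # Constructed sample: the identifiers mentioned in the thread plus a
    # couple of public ones for contrast.
    sample = ["192.168.1.1", "10.45.214.12", "localhost", "router.local",
              "[fe80::1]", "example.com", "8.8.8.8"]
    for bucket, lines in audit_san_list(sample).items():
        print(bucket)
        for line in lines:
            print("  ", line)
```

The classifier is deliberately conservative: it treats any address that `ipaddress` does not consider globally routable as non-validatable, which is the same conclusion the CA would reach when its validator cannot connect to the target.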
