DEV Community

Discussion on: Would it be possible for routers to run Let's Encrypt?

Meghan (she/her)

I've since seen here that they aren't able to produce certificates that aren't a part of public DNS. So names like localhost and 192.168.x.x are currently not possible for Let's Encrypt. Do you think they'll add this in the future? Or potentially create "global" certs that any service running on a local network could use?

Oliver Cole

Breaking this down:

"Do you think they'll add this in the future?"

How would you propose that Let's Encrypt validate my ownership of 192.168.1.1? They need to contact that IP address to check I own it - but their 192.168.1.1 doesn't refer to the same machine as mine.
Does that make sense?

"Or potentially create "global" certs that any service running on a local network could use?"
So now, I open 192.168.1.1 in my browser, or let's say 10.45.214.12. I get back a valid Let's Encrypt TLS certificate for that IP. I'm certain that I'm talking to the machine on my LAN, or corporate WAN, with that IP address, right?
Not quite - how do I know someone hasn't rerouted the traffic to a machine they control, say some kind of hacker who already has a foothold in the network?
If Let's Encrypt publicly posted private keys and certificates for all the private IP addresses in existence, I could never be sure whether I'm talking to the machine I want to talk to, or another machine that happens to have the same private key downloaded from Let's Encrypt!
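The distinction Oliver draws (names a public CA can prove control of via public DNS, versus private addresses and internal names that mean something different on every network) can be checked mechanically. The script below is an added example, not code from either commenter or from Let's Encrypt; the sample names and the suffix list are constructed, and it uses only Python's standard `ipaddress` module.

```python
import ipaddress
from typing import Optional

# Constructed sample: names a router's admin UI might ask a certificate for.
SAMPLE_NAMES = ["localhost", "192.168.1.1", "10.45.214.12",
                "fd12::1", "router.local", "router.example.com"]

# Assumed list of internal-use suffixes that never resolve in public DNS.
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".home")


def why_not_publicly_validatable(name: str) -> Optional[str]:
    """Return the reason a public CA cannot prove control of `name` by
    contacting it over the public internet, or None if it is a candidate
    for ordinary DNS/HTTP validation."""
    host = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal; treat as a hostname below

    if ip is not None:
        # Order matters: loopback and link-local are also 'private' in Python.
        if ip.is_loopback:
            return "loopback address: it refers to the validator's own host"
        if ip.is_link_local:
            return "link-local address: only meaningful on one link"
        if ip.is_private:
            return "private address: the CA's copy of this range is not your network"
        if not ip.is_global:
            return "reserved/non-global address"
        return None  # globally routable IP: reachable, so validation is possible

    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return "internal name: not resolvable in public DNS"
    if "." not in host:
        return "single-label name: not in public DNS"
    return None


def split_sans(names):
    """Partition requested names into (validatable, rejected-with-reason)."""
    ok, rejected = [], []
    for n in names:
        reason = why_not_publicly_validatable(n)
        (ok.append(n) if reason is None else rejected.append((n, reason)))
    return ok, rejected


if __name__ == "__main__":
    for n, reason in split_sans(SAMPLE_NAMES)[1]:
        print(f"{n}: {reason}")
```

Of the constructed sample, only `router.example.com` survives the filter; every private or internal name is rejected with the same reasoning Oliver gives for 192.168.1.1.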