| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by AdamJacobMuller 1955 days ago

> - Make the device use an ACME server to provision its certificate. The device must be publicly accessible so the ACME server can reach it.

Not really. The most common challenge is DNS which doesn't require the ACME servers to be able to connect to the subject via HTTPs.

Probably the gold standard for how to do this is how Plex implemented it: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-...

Not exactly trivial but definitely not impossible.

1 comments

stefan_ 1955 days ago

As the Plex docs notice, this is still broken: if your DNS server filters local network IP addresses as a form of some voodoo DNS rebinding "protection", this doesn't work.

link

AdamJacobMuller 1954 days ago

Still the best way of doing it IMO, even if not perfect.

And, this wouldn't affect this situation, since, you're doing it with external IPs for external clients.

link

Demigod33 1955 days ago

Don't embedded devices fix the DNS-server to a specific one? Worst case the provider fixes it to their own. That has downsides too though.

link

AdamJacobMuller 1954 days ago

The DNS queries in question are on the clients, not on the server.

link