by aseipp 1612 days ago
I'm not sure you can trivially "dropbox" TLS because unlike dropbox, every application you use TLS certificates with needs to be aware of how to load and find and (potentially) acquire/renew them in the first place. Unless you are going to "dropbox" literally every TLS-enabled FOSS app you could want to run, and automate their deployment and renewal. Or you could centralize on a tool like stunnel to literally terminate all TLS connections but this comes with its own flaws (e.g. annoying protocols like IMAP upgrade the connection from plaintext to TLS "in situ" via STARTTLS.) But if you just use a single TLS terminator and wrote some glue for it, sure, it might work for a reasonable amount of stuff. "Dropboxing" the whole stack is basically just another way of saying "I am going to make a turnkey software appliance" and most people won't want it.

Someone else proposed things like DHCP servers announcing a local CA and self-signing. Aside from circling around to where you started at (how do you know the DHCP server is not hostile a priori without landing back at stage 1?) it would also require massive extensions to all kinds of software to work. You're going to get pushback on this without extremely good reasons, even if it wasn't a shitload of work, so it's practically unviable. (Alternatively you have people who actually believe things like "Just typing in a 40-character base64 pubkey is _obviously_ the solution" or whatever when most people just want a nice fun hostname for themselves.)

Here's what I do. Just put your local (firewalled) network IPs in a set of records on a zone you own, and then use LetsEncrypt's DNS challenges to issue a cert for them. Then put the cert wherever you want. Done.

e.g. enter an A record for service1.a-domain-i-own.dev that points to 192.168.1.XXX (or 172.X.X.X, or 10.X.X.X, whatever) which is a local-only subnet. Issue a DNS challenge to LE for this record using whatever tool you like. It does not need to contact the service, it only needs to verify a corresponding TXT record. Then you can just take the resulting certificate and put it on your router, your server under your desk, whatever. Use the domain name as usual while on your home network. Voilà, you're done. This lets you piggyback off the existing public LetsEncrypt, DNS, and CA systems with minimal effort and time, and you don't need any software at the subnet level to manage anything, and even your appliances/game consoles/whatever (that can resolve DNS names and handle TLS) will work fine.

You can do all of this with Traefik today in, like, 10 lines of configuration, not a joke. You don't have to fiddle with anything at all, almost.

I use this technique on a ZeroTier network I share with many (non-technical) friends and it works completely transparently; I can just hand them a link and it's as if it was any other website, and they are oblivious to the fact it's actually "on the local subnet".
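The Traefik setup the comment describes (a public A record pointing at a private IP, a DNS-01 challenge against the zone, the resulting cert served by the proxy), written out as an added example rather than the commenter's own config. The DNS provider (`cloudflare`), the token variable, the hostname `service1.a-domain-i-own.dev` and the backend address `192.168.1.10:8080` are assumptions; substitute your own provider and hosts.

```yaml
# --- traefik.yml (static configuration) ---
# Assumed provider: Cloudflare. Traefik reads the API token from the
# environment (CF_DNS_API_TOKEN); scope that token to DNS edits on the
# one zone only, since anyone holding it can pass DNS-01 for the zone.
entryPoints:
  websecure:
    address: ":443"

certificatesResolvers:
  le-dns:
    acme:
      email: admin@a-domain-i-own.dev        # assumed contact address
      storage: /etc/traefik/acme.json        # private keys live here; Traefik requires mode 0600
      dnsChallenge:
        provider: cloudflare                 # assumed DNS provider
        # Query public resolvers for the _acme-challenge TXT record so a
        # split-horizon or local DNS server cannot mask a propagation failure.
        resolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

providers:
  file:
    filename: /etc/traefik/dynamic.yml

---
# --- dynamic.yml (routers and services) ---
# service1.a-domain-i-own.dev resolves publicly to 192.168.1.10 (RFC 1918);
# LE never connects to it, it only checks the TXT record in the zone.
http:
  routers:
    service1:
      rule: "Host(`service1.a-domain-i-own.dev`)"
      entryPoints:
        - websecure
      service: service1
      tls:
        certResolver: le-dns               # issue and renew via DNS-01
  services:
    service1:
      loadBalancer:
        servers:
          - url: "http://192.168.1.10:8080"  # assumed internal backend, reachable only on the LAN
```

The hostname and its private address are visible to anyone who queries the zone, and the issued certificate appears in public Certificate Transparency logs, so the firewall around the subnet remains the only thing restricting access to the service.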