by maxmouchet 1342 days ago
One downside of using tailscale cert, or LE for "private" records is that it writes the domain name in a public Certificate Transparency Log [1]. So make sure that the name doesn't contain any sensitive information.

An alternative is to issue wildcard certificates with LE, so that the subdomain names are kept private.

[1] https://crt.sh/

2 comments

Yes, that's why we came up with the random-hex.ts.net domains and the tails-scales.ts.net domains. This makes less publicly recognizable things like `shark-harmonic.ts.net` get put into the certificate transparency log instead of something like "mycorporationname".
On a side note, is there a story behind acquiring ts.net or how much it cost to do so?
> An alternative is to issue wildcard certificates with LE, so that the subdomains names are kept private.

They'll still show up on crt.sh, though, won't they? All my LE subdomains are visible (non-wildcard), but my non-LE paid-for 1-year wildcard ones are also showing up with all the subdomains.

Edit: Actually, nevermind, those are Cloudflare. My paid-for wildcard doesn't show up. Well, that's a good reason to pay up I guess.

If a certificate has been issued for a domain, and that domain doesn't show up in the certificate transparency logs, that's not something I'd cheer for: that issuer could just as well hand out certificates for your domain to others without you ever knowing about it.

Conversely, if a domain shows up in the CT logs, then there have been certificates issued for those domains, even if there exists a wildcard certificate that is valid for that domain. If that happens, check your settings, because there's probably something requesting certificates you're not aware of.
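The check the comment above recommends, as an added example that is not part of the thread: an offline audit of CT records for a domain that flags issuers the operator never used and names that were issued on their own even though an expected wildcard already covers them. The records are constructed sample data in the shape of crt.sh's JSON output (field names `id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`); `EXPECTED_NAMES` and `EXPECTED_ISSUERS` are assumed operator-supplied allow-lists, and fetching live records from crt.sh is left to the caller.

```python
"""Offline audit of Certificate Transparency (CT) records for a domain.

The records below are constructed sample data in the shape of crt.sh's JSON
output (https://crt.sh/?q=%25.example.com&output=json); they are not real
issuances. Fetching live data is left to the caller.
"""
import json
from fnmatch import fnmatch

# Constructed sample: what a CT search for example.com might return.
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    # A single-name cert for a subdomain the wildcard already covers: the
    # "something requesting certificates you're not aware of" case.
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev-payroll.example.com", "name_value": "dev-payroll.example.com",
     "not_before": "2024-02-10T00:00:00", "not_after": "2024-05-10T23:59:59"},
    # A cert from a CA the domain owner never used (constructed issuer name).
    {"id": 103, "issuer_name": "C=XX, O=Some Other CA, CN=Issuing CA 1",
     "common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-02-20T00:00:00", "not_after": "2025-02-20T23:59:59"},
])

# Assumed operator-supplied allow-lists: names deliberately requested, and
# substrings of issuer_name for the CAs actually used.
EXPECTED_NAMES = {"*.example.com", "example.com"}
EXPECTED_ISSUERS = {"O=Let's Encrypt"}


def names_in_record(rec):
    """All DNS names in one crt.sh record (SANs are newline-joined in name_value)."""
    names = set(rec["name_value"].split("\n"))
    names.add(rec["common_name"])
    return {n.strip().lower() for n in names if n.strip()}


def covering_wildcard(name, expected_names):
    """Return the expected wildcard that covers `name`, if any.

    A wildcard matches exactly one label, so the dot count must agree:
    *.example.com covers www.example.com but not a.b.example.com.
    """
    for pattern in expected_names:
        if (pattern.startswith("*.") and fnmatch(name, pattern)
                and name.count(".") == pattern.count(".")):
            return pattern
    return None


def audit_ct_records(ct_json, expected_names=EXPECTED_NAMES,
                     expected_issuers=EXPECTED_ISSUERS):
    """Return (record id, finding) pairs for anything the operator did not request."""
    findings = []
    for rec in json.loads(ct_json):
        if not any(s in rec["issuer_name"] for s in expected_issuers):
            findings.append((rec["id"], f"unexpected issuer: {rec['issuer_name']}"))
        for name in sorted(names_in_record(rec)):
            if name in expected_names:
                continue
            wildcard = covering_wildcard(name, expected_names)
            if wildcard:
                findings.append((rec["id"],
                                 f"{name} issued separately although {wildcard} exists"))
            else:
                findings.append((rec["id"], f"unexpected name: {name}"))
    return findings


if __name__ == "__main__":
    for rec_id, finding in audit_ct_records(SAMPLE_CT_JSON):
        print(rec_id, finding)
```

Run against the sample, the wildcard record produces no findings, the separately issued `dev-payroll.example.com` is reported even though `*.example.com` covers it, and the record from the unlisted CA is reported both for its issuer and for `www.example.com`. Anything in the output is a prompt to find which ACME client or hosting provider requested the certificate, not proof of compromise.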