by hnbear 1100 days ago
I thought about the cert thing here too.

I own a domain and internally use local.domain.com for all internal sites. Wildcard and specific names.

I can generate certs using ACME/LetsEncrypt.

So, everything, including test sites could be on that domain.

For reference, I use PiHole and OpnSense, and internally machines in DHCP and static IPs get local.mydomain.com resolution too.

1 comment

You can generate valid certificates for the domains you own and make the DNS point at anything you like. It's quite a pain for a dev setup (LE certificates only lasting three months, so long enough to forget about your setup but short enough that you'll need to keep running it).

In this specific case, it's about a bunch of generic domains set up by other people.

In your pihole example the situation would be even better because you don't need to publish A records for the domains anywhere. That means nobody can abuse your domain for fingerprinting workarounds but you still maintain complete control.

Yeah, it definitely introduces friction and setup cost.

OpnSense has an ACME plug-in to auto-renew, and can trigger jobs. In this case I have it renew and push certs to servers so they’re always renewed.
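The two practical risks raised in this thread, a wildcard plus specific-name certificate not actually covering every internal host, and a 90-day Let's Encrypt certificate quietly expiring once the setup is forgotten, can be checked from an inventory. The following is an added example, not code from the thread or from the OPNsense ACME plug-in; the SAN list, hostnames under local.domain.com and the expiry date are constructed, and the date format is the one `openssl x509 -enddate` prints.

```python
"""Check an internal ACME certificate against the hosts it is meant to serve.

Wildcard matching follows RFC 6125: '*' covers exactly one leading DNS label,
so '*.local.domain.com' covers 'nas.local.domain.com' but neither
'dev.app.local.domain.com' nor the bare 'local.domain.com'.
"""
from datetime import datetime, timezone


def san_matches(san: str, host: str) -> bool:
    """True if one dNSName SAN entry covers host (case-insensitive)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # "*.local.domain.com" -> ".local.domain.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]    # what the '*' would have to stand for
    return bool(first_label) and "." not in first_label


def uncovered_hosts(sans, hosts):
    """Hosts that no SAN on the certificate covers (each would fail TLS validation)."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Parse a 'notAfter' value such as 'Mar 14 12:00:00 2025 GMT' (openssl format)."""
    exp = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (exp - now).days


def renewal_status(sans, hosts, not_after, now, warn_days=30):
    """Summarise coverage gaps and whether renewal is due within warn_days."""
    left = days_until_expiry(not_after, now)
    return {
        "uncovered": uncovered_hosts(sans, hosts),
        "days_left": left,
        "renew_now": left <= warn_days,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sans = ["*.local.domain.com", "local.domain.com"]
    hosts = ["nas.local.domain.com", "OPNSENSE.local.domain.com",
             "dev.app.local.domain.com", "local.domain.com"]
    print(renewal_status(sans, hosts, "Mar 14 12:00:00 2025 GMT",
                         datetime(2025, 3, 1, tzinfo=timezone.utc)))
```

Run it against the hostnames your DHCP/static leases actually hand out; a non-empty `uncovered` list means a second-level name slipped under the wildcard and needs its own SAN.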