However, given that allowing private IP resolution from a public DNS subdomain facilitates DNS rebinding attacks, it (and all equivalent approaches) will unfortunately be blocked by quite a few of the more sophisticated home routers out there, including a quite common brand in Germany.
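As an added example (not code from the thread above or from sslip.io), here is a small Python check for the situation the comment describes: it reads the private IPv4 address that an sslip.io-style "magic" hostname encodes (the dotted `10.0.0.1.sslip.io` and dashed `10-0-0-1.sslip.io` forms are assumed here) and compares it with what the local resolver actually returns, so you can tell a router's DNS rebinding filter apart from an ordinary lookup failure. The sample answers in the usage section are constructed, not captured from a real router.

```python
"""Diagnose whether a resolver (for example a home router with DNS
rebinding protection) is dropping the private address that a
"magic" hostname is supposed to resolve to.

Added example; the dotted/dashed IPv4-in-hostname encoding is assumed
from sslip.io-style services and may differ for other magic domains.
"""
import ipaddress
import re
import socket
import sys

# Four octets separated by '.' or '-', preceded by start-of-name, '.' or '-'
# and followed by '.', e.g. "10-0-0-1.sslip.io" or "app.192.168.1.20.sslip.io".
_IPV4_IN_NAME = re.compile(
    r'(?:^|[.-])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})\.'
)


def expected_ip(hostname):
    """Return the IPv4Address encoded in the hostname, or None if there is none."""
    m = _IPV4_IN_NAME.search(hostname.lower())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address('.'.join(m.groups()))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def is_private(addr):
    """RFC 1918, loopback and link-local space: what rebind filters target."""
    return addr.is_private or addr.is_loopback or addr.is_link_local


def diagnose(hostname, answers):
    """Compare the resolver's A-record answers with what the name encodes.

    Returns one of:
      'not-magic'  - the name does not encode an IPv4 address
      'ok'         - the encoded address came back
      'filtered'   - a private address was encoded but nothing came back
                     (the typical symptom of router rebinding protection)
      'nxdomain'   - a public address was encoded but nothing came back
      'unexpected' - answers came back, but not the encoded address
    """
    want = expected_ip(hostname)
    if want is None:
        return 'not-magic'
    got = [ipaddress.ip_address(a) for a in answers]
    if not got:
        return 'filtered' if is_private(want) else 'nxdomain'
    return 'ok' if want in got else 'unexpected'


def resolve(hostname):
    """Ask the system resolver for IPv4 answers; [] if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == '__main__':
    # Constructed sample answers, to show the classifier offline.
    for name, answers in [
        ('10-0-0-1.sslip.io', ['10.0.0.1']),   # resolver passed it through
        ('10-0-0-1.sslip.io', []),             # router dropped the private answer
        ('1.1.1.1.sslip.io', []),              # public address, so not a rebind filter
    ]:
        print(f'{name:25} {answers!s:16} -> {diagnose(name, answers)}')
    # Live check against whatever resolver this machine uses.
    for name in sys.argv[1:]:
        print(f'{name:25} -> {diagnose(name, resolve(name))}')
```

Run it with a hostname argument on the network in question; a `filtered` result for a name that encodes an RFC 1918 address, while the same name resolves fine through a public resolver, is the router behaviour the comment is talking about.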
Nice, thanks for sharing this. I use sslip.io but they do not provide TLS certificates, so ACME v1 validation is required using a WAN IP address and ensuring router port forwarding or Cloudflare Tunnel etc. is running. This magic domain is so much easier.
I don't think this is actually compatible with the browser security model – specifically, CAs are required to revoke certificates for known-compromised private keys, according to point 4.9.1 here: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...
Also, doesn't publishing a privkey for a public TLS certificate theoretically require it to be revoked under common browser CA standards...? Let's Encrypt seems to support it, at least: https://letsencrypt.org/docs/revoking/#using-the-certificate...