[stackghost]

>so still no way to support TLS for LAN devices without manual setup or angering security researchers.

Arguably setting up letsencrypt is "manual setup". What you can do is run a split-horizon DNS setup inside your LAN on an internet-routable tld, and then run a CA for internal devices. That gives all your internal hosts their own hostname.sub.domain.tld name with HTTPS.

Frankly: it's not that much more work, and it's easier than remembering IP addresses anyway.

[tosti]

> run a CA

> easier than remembering IP addresses

idk, the 192.168.0 part has been around since forever. The rest is just a matter of .12 for my laptop, .13 for the one behind the telly, .14 for the pi, etc.

Every time I try to "run a CA", I start splitting hairs.

[stackghost]

No, what I'm saying is

1. Running a CA is more work than just setting up certbot for IP addresses, but not that much more

And that enables you to

2. Remember only domain names, which is easier than ip addresses.

I guess if you're ipv4 only and small it's not much benefit but if you have a big or bridged network like wonderLAN or the promised LAN it's much better.

[cpach]

There’s also the DNS-01 challenge that works well for devices on private networks.