OK, there’s been a minor delay in wildcard support at Let’s Encrypt. But, i’d rather a delay than an insecure cert. So keep up the good work!
Now, I use Let’s Encrypt for a variety of purposes here at mi casa. All the public web sites I run from home use a cert (the blog, git, nextcloud, router-web-luci, …). But to date I’ve not really been able to use it for internal-only things (e.g. the BMC on my SuperMicro motherboard, those somewhat wretched Hikvision cameras, etc.). And the reason is, I don’t expose them to the Internet, so I cannot (simply) expose them to the Let’s Encrypt infrastructure (and some of them use TLS but not for HTTP, e.g. MQTT). Now, I could use a DNS wildcard, have a bastion host pretend to be them, sign, move the certs, … Perhaps.
But, with the advent of wildcard, I can sign a wildcard for all the miscellany IoT widgets that wander my halls. Its better than ‘snake oil inc’ self-signed certs, although not infinitely strong (e.g. if I lose that wildcard, all devices go).
I had considered running my own CA internally, which is an approach a lot of companies use. But, running a CA is hard (when doing it right). And then, well, what other devices would I need to trust my CA? Would my Chromecast need it to get to my NAS? But I cannot add a private CA to the Chromecast. So that idea struck out, its left on the dustbin of history.
So, if you are not currently using TLS for something, get on it, the good folks at Let’s Encrypt have made it easy and cheap. And, lets all look forward to a great implementation of free wildcards and thus more secure Sous-Vide‘s!
Leave a Reply