HN Debrief

TLS certificates for internal services done right

  • Security
  • Infrastructure
  • Networking
  • Developer Tools

The post lays out a way to put valid HTTPS on internal services without teaching every client to trust a private CA. The recipe is a public domain, split-horizon DNS so the same hostname resolves differently inside and outside the network, ACME for certificate issuance, and a reverse proxy or WAF to terminate TLS. The appeal is obvious. Browsers and tools already trust public certificate authorities, so you get working TLS on internal names without touching client trust stores.

If you need browser-friendly TLS on internal services, start with DNS-01 and avoid split-horizon DNS unless you truly need it. If you control endpoints, an internal CA is still the cleaner long-term identity system, but only if you are prepared to distribute trust roots across every client and runtime that touches the service.

Discussion mood

Mostly negative on the post's specific design. People liked the goal of easy TLS for internal services, but saw split-horizon DNS and a WAF as unnecessary complexity, and preferred DNS-01 or an internal CA depending on whether client trust distribution was manageable.

Key insights

  1. 01

    Split-horizon DNS breaks in ordinary ways

    Split-horizon DNS fails in the boring operational corners you hit every week. Devices cache public answers before joining a VPN, Tailscale can clash with custom DNS unless MagicDNS is enabled, and multi-interface clients can pick the wrong path. That makes the design fragile even when the certificates themselves are fine.

    Treat split-horizon DNS as an ongoing client-behavior problem, not just a DNS-server config. If laptops and phones roam across networks, expect intermittent failures unless you simplify name resolution.

      Attribution:
    • EvanAnderson #1
    • thayne #1
    • selfmodruntime #1
    • JoeBOFH #1
  2. 02

    DNS-01 works without exposing the service

    DNS-01 lets you get a public certificate while publishing nothing except the validation TXT record. That changes the decision from "public cert or private service" to "public proof of control with private reachability." Commenters pointed to ACME DNS, DNS alias mode, and delegated challenge zones as ways to automate this without giving every machine full access to the primary DNS zone.

    If your main blocker is getting trusted certs onto private hosts, try DNS-01 before inventing routing tricks. Use delegated challenge zones or a small broker service so issuance does not require broad DNS credentials on every box.

      Attribution:
    • patrakov #1 #2
    • bruce511 #1
    • isomorphic #1
    • throw0101d #1
    • adontz #1
  3. 03

    Pull-based ACME reduces DNS credential sprawl

    Several comments zeroed in on the security model of DNS automation. The useful improvement in dns-persist-01 is not convenience alone. It is that a central DNS side can pull or pre-authorize challenges, instead of handing every VM or vendor push access to the whole zone. People described current workarounds with per-host webhooks, separate _acme-challenge zones, and CNAME indirection because zone-wide API keys are too coarse.

    Audit who can mutate your DNS today. If certificate renewal means broad zone credentials on many hosts, redesign around delegated challenge zones or pull-based validation before scale turns that into permanent risk.

      Attribution:
    • nijave #1
    • sigio #1
    • stock_toaster #1
    • isomorphic #1
    • mrl5 #1
    • denkmoon #1
  4. 04

    Internal CA gets safer with name constraints

    The strongest defense of private PKI was not "just run your own CA." It was to scope it tightly. Name Constraints can limit an internal root or intermediate to a specific namespace, which sharply reduces blast radius if the key leaks. A YubiKey was suggested as a cheap hardware-backed place to keep the CA key for small deployments.

    If you run internal PKI, do not stop at generating a root. Use name-constrained intermediates and protect signing keys with hardware or at least strong isolation, otherwise you create a root that can impersonate anything.

      Attribution:
    • greengreengrass #1
    • WhyNotHugo #1
  5. 05

    Trust-store fragmentation is still the real tax

    The ugly part of internal PKI is not certificate issuance. It is trust distribution across software stacks that ignore or partially ignore the system store. Python requests with certifi, Node without NODE_USE_SYSTEM_CA, Java-adjacent apps, Firefox, Docker containers, snaps, CI workers, and test phones all have their own rules. That is why public CAs remain attractive even when an internal CA is architecturally cleaner.

    Before committing to a private CA, inventory every client and runtime that must trust it. The hard work is not creating certs. It is making the entire estate trust them consistently through upgrades, containers, and developer machines.

      Attribution:
    • michaelt #1
    • brewmarche #1
    • jeroenhd #1
    • WhyNotHugo #1
    • spacebanana7 #1

Against the grain

  1. 01

    Managed fleets should not need public validation

    If you already provision and control every host, using Let's Encrypt for internal identity is solving the wrong problem. In that world names, trust, and certificates should all be part of the platform, so public-domain validation adds ceremony without adding control.

    For company-managed servers and devices, fold TLS identity into provisioning and config management. Public ACME is a convenience layer, not a substitute for owning host identity.

      Attribution:
    • xorcist #1 #2
  2. 02

    Public CA gives encryption, not internal trust

    A valid Let's Encrypt certificate proves control of a public DNS name. It does not tell your staff or software that the service belongs to your organization in the stronger sense an internal PKI can. For internal systems that gate sensitive actions, that difference matters.

    If users or machines must distinguish your real internal services from lookalikes, layer stronger identity on top of public TLS. That can be an internal CA, mutual TLS, or another explicit trust mechanism.

      Attribution:
    • 28304283409234 #1
  3. 03

    Public DNS with private IPs is often good enough

    Some people skip split DNS entirely and publish internal IPs or internal-only names in a public zone, then rely on WireGuard or local routing for reachability. They accepted the hostname leak because the setup is simple, resilient, and avoids the long tail of DNS split-brain failures.

    For home labs and low-stakes private services, optimize for systems you can actually keep running. Publicly visible names may be an acceptable trade if the endpoints are not reachable and the simpler DNS model avoids constant breakage.

      Attribution:
    • raffraffraff #1
    • thayne #1
    • icedchai #1

In plain english

ACME
Automatic Certificate Management Environment, a protocol for automatically issuing and renewing TLS certificates from certificate authorities like Let's Encrypt.
CA
Certificate Authority, an entity that signs TLS certificates so clients can trust them.
Certificate Transparency logs
Public append-only logs of issued TLS certificates that make certificate issuance visible to anyone.
CNAME
Canonical Name record, a DNS record that points one domain name to another.
DNS-01
An ACME validation method that proves domain control by adding a specific TXT record in DNS.
dns-persist-01
A newer ACME DNS validation approach designed to use persistent DNS records so certificate renewal can be automated with less per-renewal DNS mutation.
MagicDNS
A Tailscale feature that provides built-in DNS names and resolution for devices on a Tailscale network.
Name Constraints
An X.509 certificate extension that limits which domain names a certificate authority is allowed to sign for.
PKI
Public Key Infrastructure, the system of certificate authorities, certificates, keys, and policies used to establish digital trust.
RADIUS
Remote Authentication Dial-In User Service, a protocol commonly used for centralized network authentication such as enterprise Wi-Fi.
RFC1918
A set of private IPv4 address ranges, like 10.0.0.0/8 and 192.168.0.0/16, that are not routed on the public Internet.
split-horizon DNS
A DNS setup where the same hostname returns different answers depending on where the client is or which DNS server it asks.
Tailscale
A networking service built on WireGuard that makes it easier to connect devices into a private network.
TLS
Transport Layer Security, the standard protocol used to encrypt network connections such as web traffic or mail transport.
TXT record
A DNS record that stores arbitrary text, often used for ownership verification and security policies.
VPN
Virtual Private Network, a way to access a private network securely over the internet.
WAF
Web Application Firewall, a proxy or filtering layer placed in front of web services to inspect and control traffic.
WireGuard
A modern Virtual Private Network protocol and software used to securely connect devices and networks.
YubiKey
A hardware security key that can also be used to hold cryptographic keys for authentication or signing.

Reference links

ACME DNS automation

Tools and services

  • acme-dns
    Recommended as a purpose-built service for handling ACME DNS challenges without broad DNS access.
  • dns-lexicon
    Linked as a library that abstracts many DNS provider APIs for ACME automation.
  • sni-router
    Shared as a practical alternative for routing internal HTTPS traffic in a BeyondCorp-style setup.

Certificate transparency examples