
> - Make the device use an ACME server to provision its certificate. The device must be publicly accessible so the ACME server can reach it.

Not really. The most common challenge is DNS which doesn't require the ACME servers to be able to connect to the subject via HTTPS.

Probably the gold standard for how to do this is how Plex implemented it: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-...

Not exactly trivial but definitely not impossible.
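The DNS-01 exchange the comment above refers to, as an added example that is not code from the thread or from Plex: the client computes the key authorization from the challenge token and the thumbprint of its ACME account key (RFC 7638), publishes base64url(SHA-256(key authorization)) as a TXT record at _acme-challenge.<domain>, and the CA only ever talks to DNS, never to the device. The zone is a dict standing in for the DNS provider, and the account key and token are constructed dummy values (the EC coordinates are not a real device key).

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding RFC 8555 uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only the required public members take part in the
# thumbprint; kid, alg, use and any other member are ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical (sorted keys, no whitespace) JSON of the required members."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(domain: str) -> str:
    """Owner name the CA queries for the TXT record."""
    return f"_acme-challenge.{domain}"


# --- client side: publish the record through the DNS provider (simulated zone) ---
def publish_challenge(zone: dict, domain: str, token: str, account_jwk: dict) -> str:
    value = dns01_txt_value(token, account_jwk)
    # A name may carry several TXT records (e.g. a stale one from a previous run).
    zone.setdefault(challenge_name(domain), []).append(value)
    return value


# --- CA side: resolve the TXT records and accept if any of them matches ---
def ca_validates(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(challenge_name(domain), [])


# Constructed inputs: dummy P-256 coordinates and a made-up token, not real secrets.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "device-1",  # ignored by the thumbprint, as RFC 7638 requires
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DOMAIN = "device.example"

if __name__ == "__main__":
    zone = {}
    txt = publish_challenge(zone, DOMAIN, TOKEN, ACCOUNT_JWK)
    print(challenge_name(DOMAIN), "TXT", txt)
    print("CA accepts:", ca_validates(zone, DOMAIN, TOKEN, ACCOUNT_JWK))
```

Note that the device never needs an inbound path: the only thing that has to be reachable is the authoritative DNS for the zone, which is why a vendor can run this from a central DNS API on behalf of devices behind NAT.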



As the Plex docs note, this is still broken: if your DNS server filters local network IP addresses as a form of some voodoo DNS rebinding "protection", this doesn't work.
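The failure mode described above, as an added example that is not code from the thread or from Plex: a hostname whose first label encodes the device's LAN address (the scheme is assumed here, modelled on the kind of per-device hostname the linked post describes) resolves fine from an ordinary resolver, but a resolver with "rebinding protection" drops every answer in private, loopback or link-local space, so the local hostname ends up with no address at all while a public-IP hostname is unaffected. The zone contents and addresses are constructed.

```python
import ipaddress


def ip_from_label(hostname: str) -> ipaddress.IPv4Address:
    """Recover the address encoded in the first label: '192-168-1-20.<hash>.example' -> 192.168.1.20."""
    first_label = hostname.split(".", 1)[0]
    return ipaddress.IPv4Address(first_label.replace("-", "."))


def build_zone(hostnames: list[str]) -> dict[str, list[str]]:
    """Authoritative side of the scheme: each hostname answers with the address it encodes."""
    return {name: [str(ip_from_label(name))] for name in hostnames}


def rebinding_filter(answers: list[str]) -> list[str]:
    """Policy applied by a 'DNS rebinding protection' resolver: keep only globally routable answers.
    ipaddress.is_global is False for RFC 1918, loopback, link-local and other reserved ranges."""
    return [a for a in answers if ipaddress.ip_address(a).is_global]


def resolve(hostname: str, zone: dict[str, list[str]], filter_private: bool) -> list[str]:
    """Stub resolver: fetch the A records from the zone, optionally applying the filter."""
    answers = zone.get(hostname, [])
    return rebinding_filter(answers) if filter_private else answers


# Constructed hostnames: a LAN device and a device with a public address, same (fake) hash label.
LOCAL_HOST = "192-168-1-20.abc123.example"
PUBLIC_HOST = "93-184-216-34.abc123.example"
ZONE = build_zone([LOCAL_HOST, PUBLIC_HOST])

if __name__ == "__main__":
    for filtering in (False, True):
        print("filtering:", filtering)
        print(" ", LOCAL_HOST, "->", resolve(LOCAL_HOST, ZONE, filtering))
        print(" ", PUBLIC_HOST, "->", resolve(PUBLIC_HOST, ZONE, filtering))
```

The certificate itself is still valid in the filtered case; what breaks is name resolution, so the client sees NXDOMAIN-like behaviour (no usable address) rather than a TLS error, which is worth knowing when debugging reports from users on such resolvers.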


Still the best way of doing it IMO, even if not perfect.

And this wouldn't affect this situation, since you're doing it with external IPs for external clients.


Don't embedded devices fix the DNS server to a specific one? Worst case the provider fixes it to their own. That has downsides too though.


The DNS queries in question are on the clients, not on the server.
