The problem with LetsEncrypt is that now your entire internal infrastructure is visible on CT logs, which gives an attacker an easy index to enumerate and scan infrastructure once they have access to your internal systems somehow.
You can address that quite well with wildcard certificates. Not ideal, but more than enough for a decent homelab and likely a well thought through test environment.
Well, aside from the fact that it's calling out to the internet, the service is in early access. Using cert-manager and a self-signed cert, you can set this up in a fenced environment as well.
Which looks quite interesting to have HTTPS for my internal-only pages without the need to deal with an external service, although you have to be very careful to set up your certs correctly with "Name Constraints" (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.10) to avoid the risk of someone being able to MitM everything if they're able to get in and start issuing themselves certificates.
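The Name Constraints point above is easiest to see by actually building a constrained root, issuing one in-scope and one out-of-scope leaf, and verifying both the way a client would. The following is an added example written for this thread, not code from the original post, from cert-manager, or from mkcert; Go is used because its standard library enforces RFC 5280 name constraints in `x509.Certificate.Verify` without any external dependency. The zone `corp.example`, the out-of-scope host `login.bank.example`, and the CA's common name are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root whose signing authority is fenced to
// permittedDomain (and its subdomains) by a critical Name Constraints
// extension (RFC 5280 section 4.2.1.10). The CA name is a placeholder.
func newCA(permittedDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "homelab constrained root (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// The fence: a chain ending at this root is only valid for names under permittedDomain.
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{permittedDomain},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for host. It deliberately does NOT
// check host against the CA's constraints: this models someone who has got
// hold of the CA key and issues whatever name they like.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // constraints are matched against SANs, so always set them
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor validates leaf the way a TLS client that trusts only ca would:
// it must chain to ca and be valid for host. The name constraint is enforced
// here, on the relying party, which is what limits the blast radius of a
// stolen or abused CA key.
func verifyFor(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	// Constructed names: corp.example is the homelab zone the root is fenced to.
	ca, caKey, err := newCA("corp.example")
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"grafana.corp.example", "login.bank.example"} {
		leaf, err := issueLeaf(ca, caKey, host)
		if err != nil {
			panic(err)
		}
		if err := verifyFor(ca, leaf, host); err != nil {
			fmt.Printf("%-22s REJECTED: %v\n", host, err)
		} else {
			fmt.Printf("%-22s accepted\n", host)
		}
	}
}
```

Run it with `go run .`: the `grafana.corp.example` leaf validates, the `login.bank.example` leaf is rejected even though it carries a perfectly good signature from the trusted root. Two caveats worth keeping in mind: the protection only exists if the client's verifier honours the extension, so test it against the actual browsers and TLS stacks you use before relying on it; and constraints are matched against SANs, so a verifier that falls back to the CN for certificates with no SAN may not apply them in the way you expect.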
Thought I'd share some insights into how I set up test frameworks using cert-manager for generating self-signed certificates, and then making them locally trusted using mkcert for easy install.
I think it's neat, but it does have its caveats as everything I suppose. :)
It's worrying that this is considered minimal pain in the k8s world. It's not a ding; it's a sign that it's not a platform to be taken or used on a whim, but with serious consideration of the time involved.
Indeed. Kubernetes setup is not for the faint of heart. But then again, it could be a LOT more confusing than this, I think. Here, you just download something, put it somewhere, and you're basically done. Once this is in place you can basically forget about it. Which was my aim. :)
I believe dealing with certificates, including the ability to end-to-end test them, is never simple.
I had to generate a bunch of these at work, because reasons, and I found out that you can use Caddy to do this by including `tls internal` in your Caddyfile.
The first time you install it, it will prompt you to install the root cert.
Oh, interesting. Thanks, I'll look at that. Unfortunately, caddy was not an option I could have used here. :/ But it's still interesting and I didn't know it could do that. :)
- register a subdomain on getlocalcert.net
- save credentials
- create a LetsEncrypt certificate with cert-manager
Since LetsEncrypt is a trusted CA, there is no need for mkcert.
https://github.com/robalexdev/getlocalcert-client-tests/tree...