This webpage provides instructions for using the acme-dns DNS challenge method with various ACME clients to obtain HTTPS certificates for private networks. Caddy, Traefik, cert-manager, acme.sh, LEGO and Certify The Web are listed as ACME clients that support acme-dns. For each client, configuration examples are provided that show how to set API credentials and other settings to use the acme-dns service at https://api.getlocalcert.net/api/v1/acme-dns-compat to obtain certificates. Interesting that so many ACME clients support the acme-dns service, providing an easy way to obtain HTTPS certificates for private networks.
HN https://news.ycombinator.com/item?id=36674224
seiferteric: Proposes an idea for automatically creating trusted certificates for new devices on a private network.
hartmel: Mentions SCEP which allows automatic certificate enrollment for network devices.
mananaysiempre: Thinks using EJBCA for this, as hartmel suggested, adds unnecessary complexity.
8organicbits: Describes a solution using getlocalcert which issues certificates for anonymous domain names.
austin-cheney: Has a solution using TypeScript that checks for existing certificates and creates them if needed, installing them in the OS and browser.
bruce511: Says automating the process is possible.
lolinder: Mentions Caddy will automatically create and manage certificates for local domains.
frfl: Uses Lego to get a Let’s Encrypt certificate for a local network website using the DNS challenge.
donselaar: Recommends DANE which works well for private networks without a public CA, but lacks browser support.
So, lynx?
lynx, no-script… it’s all fine until some web needs JavaScript yes or yes, which nowadays seem to be most of them, then it’s a game of whom to trust.
Private networks are usually an oxymoron, they’re only as private as far as the WiFi router or whoever clicks the wrong malicious link go. Zero-trust mitigates that, instead of blindly relying on perimeter defenses and trusting anyone who manages to bypass them.