binwiederhier

Author here. Just wanted to comment on the Certificate Transparency issues that some of you have raised:

My company (Datto [1]; we're hiring, see [2]) sells backup appliances which our customers place in their company network (much like you would place a router in your own network). Since we do not control anything other than our appliance inside our customers' networks, we went this route to provide a secure web interface to our appliance. And since the 65k servers/appliances (now more like 80k) are located in tens of thousands of different networks, leaking the internal IP isn't bad at all -- especially since there is no way to correlate them with the customer.

For normal "internal servers" within a company, I'd probably recommend using a wildcard cert and an internal DNS server.

Also: Yeyy, I'm on HN!

[1] https://www.datto.com/

[2] https://news.ycombinator.com/item?id=19071727 or https://www.datto.com/careers/

mmalone
It sounds like using Let’s Encrypt makes sense for your use case since people are accessing these appliances via a web browser, but for “normal internal servers” the right answer is almost definitely to use your own internal PKI, not to use wildcard certs.

See:

https://github.com/cloudflare/cfssl

https://github.com/hashicorp/vault

https://github.com/smallstep/certificates