On Tue, 2021-06-01 at 13:17 +0200, J. Roeleveld wrote:
> It's not that easy to do it with internal-only systems as Let's Encrypt
> requires the hostname to be known externally.
> And there are plenty of devices you do not want the whole internet to know
> about.
And in this situation LetsEncrypt does nothing but make security worse:

* You have to trust the entire CA infrastructure rather than just your own CA. Many of the CAs are not just questionable, but, like the governments of the USA and China, known to be engaged in large-scale man-in-the-middle attacks.

* The LetsEncrypt certificates expire after three months, as opposed to 10+ years for a self-signed certificate. You're supposed to automate this... by running a script as root that takes input from the web? I'd rather not do that.

* LetsEncrypt verifies your identity over plain HTTP (like every other commercial CA), so it's all security theater in the first place.

There are plenty of arguments against LE even for public sites, but for private ones, it's a lot more clear-cut...
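The alternative the post argues for, a private CA whose certificates only your own hosts trust, as an added example that is not part of the thread and not anyone's posted code. It assumes the `openssl` command-line tool (1.1.1 or newer) is on PATH; the hostname `intranet.example.internal` and the "Internal Root CA" name are made up. It creates a root CA and a 10-year leaf certificate with a proper SAN, then checks three things a practitioner would want: the leaf chains to the private CA, the system trust store does *not* accept it (so no public CA is in the trust path), and the name binding and validity period are what was asked for.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes: openssl CLI >= 1.1.1 on PATH. Names below are constructed.
set -eu

# make_internal_ca DIR HOST DAYS
#   Creates DIR/ca.{key,crt} (root CA) and DIR/HOST.{key,csr,crt} (leaf
#   signed by that CA), each valid for DAYS days.
make_internal_ca() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"

    # Root: CA:TRUE, pathlen 0 (may only sign leaves), key usage = cert/CRL signing.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Internal Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Leaf: CA:FALSE, serverAuth only, and the name in subjectAltName
    # (modern clients ignore CN for hostname matching).
    cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/leaf.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Extensions come from our extfile, never copied blindly from the CSR.
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -extfile "$dir/leaf.cnf" -extensions leaf_ext \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_with_private_ca DIR HOST
#   0 only if the leaf chains to DIR/ca.crt AND the default system trust
#   store rejects it (i.e. trust really is limited to "just your own CA").
verify_with_private_ca() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    if openssl verify "$dir/$host.crt" >/dev/null 2>&1; then
        return 1   # a public CA would have to be in the chain; not expected
    fi
    return 0
}

# cert_valid_for_name DIR HOST NAME
#   0 if the leaf's SAN covers NAME (what a browser checks).
cert_valid_for_name() {
    dir=$1; host=$2; name=$3
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$name" \
        "$dir/$host.crt" >/dev/null 2>&1
}

# cert_outlives_days DIR HOST DAYS
#   0 if the leaf is still valid DAYS days from now (-checkend is in seconds).
cert_outlives_days() {
    dir=$1; host=$2; days=$3
    openssl x509 -in "$dir/$host.crt" -noout -checkend $(( days * 86400 )) >/dev/null
}

# Stand-alone demo: ./private_ca.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_internal_ca "$d" intranet.example.internal 3650
    verify_with_private_ca "$d" intranet.example.internal && echo "chains to private CA only"
    cert_valid_for_name "$d" intranet.example.internal intranet.example.internal && echo "SAN ok"
    cert_outlives_days "$d" intranet.example.internal 3000 && echo "still valid in 3000 days"
    rm -rf "$d"
fi
```

Distribute only `ca.crt` to the clients that need it (browser, OS store, or a pinned `-CAfile`/`ca_certs` in each client); `ca.key` stays offline, since with `pathlen:0` a stolen CA key can still mint a certificate for any name these clients trust.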