[RESEARCH] Letsencrypt Certificates for Local IP
PROBLEM: If we provide a WebUI the user either would use it through HTTP in the local network (which is unencrypted) or use a self-signed certificate which will display ugly warnings in normal browsers and is a UX nightmare to accept.
IDEA: There is a way to get a valid SSL certificate from Let's Encrypt for local IPs … but it would need a public DNS server handing out subdomains for free: https://esc.sh/blog/letsencrypt-ssl-for-local-domains/
So there could be a fulmo.org service handing out looooong random subdomains for everyone that wants one and will return the local IP of a raspiblitz (local IPs should not be a privacy concern).
The subdomain could even be a public key (or a hash of it) … and we create a random private key on the raspiblitz before setup for that service that's kept on the HDD/SSD later on so the user can make simple updates. Registration for a subdomain could be behind a Tor onion service to protect the user's privacy (hide public IP). The DNS server would need to support the DNS validation mechanism for Letsencrypt - RFC2631
The fulmo DNS server could still be a target for DDOS … but RaspiBlitz could check first if the service is available (DNS resolves to the correct IP). If that service is not working the user defaults either to HTTP or a self-signed cert, or is asked to use a Tor browser.
From the user's perspective: for a fresh raspiblitz, the user would just enter blitz.local (HTTP unencrypted) and that would trigger the process of registering and checking for such a cert on the raspiblitz backend … the user would see a waiting screen (spinner) and if available the user would get a HTTPS redirect with that letsencrypt local IP cert and can do the setup in a secure encrypted way.
To prevent use of the service for illegal stuff like black markets etc (liability risk for service provider) … it would just accept local IPs and reject all others.
Of course that would be based on an open-source project (AGPL) to not introduce any lock-in to Fulmo services.
TODO:
- research if similar services/projects already exist
- find somebody that would like to commit for that implementation as project leader
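As an added illustration of the server-side policy and client-side check sketched above (not code from the issue or from the RaspiBlitz project): the subdomain label is derived from a hash of the device's public key, the registration endpoint refuses any address outside the RFC 1918 / link-local / ULA ranges, and before redirecting to HTTPS the device confirms that public DNS actually resolves its name to its own local IP. The zone name `blitz.example`, the in-memory `zone` dict standing in for the DNS backend, and the sample key are constructed assumptions; the injectable `resolve` callable lets the health check run offline against that dict instead of `socket.gethostbyname`.

```python
import hashlib
import ipaddress
import socket
from typing import Callable, Dict

# Hypothetical zone name standing in for the fulmo.org-style service in the proposal.
ROOT_DOMAIN = "blitz.example"

# Only addresses a browser could reach on the user's own LAN are accepted;
# loopback, CGNAT and every public range are deliberately absent from this allowlist.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "169.254.0.0/16",                                  # IPv4 link-local
    "fc00::/7",                                        # IPv6 unique local addresses
    "fe80::/10",                                       # IPv6 link-local
)]


def is_local_ip(value: str) -> bool:
    """True only for addresses inside LOCAL_NETWORKS; malformed input is rejected."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def subdomain_for_pubkey(pubkey: bytes, root: str = ROOT_DOMAIN) -> str:
    """Derive the label from a hash of the device's public key: long, unguessable,
    and stable across re-registrations as long as the key on the HDD/SSD survives."""
    label = hashlib.sha256(pubkey).hexdigest()[:40]   # 160 bits of the digest, hex-encoded
    return f"{label}.{root}"


def register(zone: Dict[str, str], pubkey: bytes, ip: str) -> str:
    """Server side: map the key-derived name to the requested address, refusing
    anything that is not a local IP so the zone cannot point at public hosts."""
    if not is_local_ip(ip):
        raise ValueError(f"refusing non-local address {ip!r}")
    name = subdomain_for_pubkey(pubkey)
    zone[name] = ip
    return name


def service_resolves_correctly(name: str, expected_ip: str,
                               resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Client side: before the HTTPS redirect, confirm public DNS answers for our name
    with our own local IP; any lookup failure means fall back to HTTP / self-signed."""
    try:
        return ipaddress.ip_address(resolve(name)) == ipaddress.ip_address(expected_ip)
    except (OSError, ValueError):   # socket.gaierror is an OSError; bad/empty answer is a ValueError
        return False


if __name__ == "__main__":
    zone: Dict[str, str] = {}                         # constructed stand-in for the DNS backend
    device_key = b"constructed-sample-public-key"     # constructed; a real device uses its own key
    name = register(zone, device_key, "192.168.1.42")
    print(name, "->", zone[name])
    print("healthy:", service_resolves_correctly(name, "192.168.1.42", lambda n: zone.get(n, "")))
    try:
        register(zone, device_key, "203.0.113.7")      # public address: must be refused
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is explicit rather than relying on `ipaddress.is_private`, which in Python also covers loopback and several documentation and test ranges that the service has no reason to serve.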
Ahhhh there might be a show-stopper: When the user's browser (running on the laptop) makes a DNS resolve on that subdomain - it will reveal the user's clearnet IP to the server, right? @frennkie @openoms
So that server would collect all clearnet IPs of raspiblitz users. So that concept might only work if such a service is used by a lot of other services and raspiblitz users would hide that way in a big user set.
One additional note from my side, all subdomain names are available forever in the certificate transparency log.
https://tailscale.com/kb/1153/enabling-https/#machine-names-in-the-public-ledger