Secure Internal Services with TLS Certificates Using Split-Horizon DNS and Let's Encrypt

TLS certificates for internal services done right

25mrl5💬 16
Secure Internal Services with TLS Certificates Using Split-Horizon DNS and Let's Encrypt

I explain why using self-signed certificates for internal services is a hassle and propose a better approach. By combining split-horizon DNS with NetBird and Let's Encrypt, you can use trusted public certificates even for private apps. Adding an nginx WAF ensures only VPN traffic reaches your internal tools, giving you seamless security without managing custom trust stores on every machine.

"Security is about layers (just like onions and ogres). Our first layer is split-horizon DNS but if for whatever reason it fails or is cleverly bypassed we have a 2nd layer - WAF - that should hold the line."