logoalt Hacker News

EvanAndersontoday at 3:47 PM4 repliesview on HN

The relative proximity of the words "done right" and "split-horizon DNS" makes my insides hurt a little bit.

Use DNS validation to allow these internal services to pull ACME certs. There's so much less headache, long-term.

Split-horizon DNS (and the tedious make-work it can create when you start needing to mirror public-accessibly records in the private DNS) has always been something to aspire to move away from in my experience.


Replies

stock_toastertoday at 5:57 PM

Once dns-persist-01 becomes available/usable[1], it should make dns validation even easier.

[1]: https://letsencrypt.org/2026/02/18/dns-persist-01

selfmodruntimetoday at 6:45 PM

Also be careful when using split DNS and Tailscale, which increasingly won't work without MagicDNS enabled.

bombcartoday at 5:57 PM

Just LE a wild card cert and slap it everywhere.

show 1 reply
bruce511today at 6:02 PM

Came here to say the same. I use DNS-Challenge rather than HTTP-challenge, and that makes internal servers trivial.

You need a DNS provider which supports API calls (I use DNSimple) but the core is all very straightforward.

To prevent having to include DNSimple authentication on the client's internal server I have a small API server on the web which does the Acme work.

show 1 reply