Allow hostname in certificate for internal kubernetes traffic


#1

Letsencrypt works really well for our applications as long as they have an FQDN. However, we would like to encrypt our internal traffic as well, preferably with the same certificate. In Kubernetes you can connect to an internal service by using just the service name. Unfortunately, that causes the URL not to match the domains in the certificate.

Would it be possible to allow just a hostname in the certificate as well, without this compromising security, because you obviously don’t “own” the domain?

For example, we have these 3 applications on different environments:

application.server.com
application.staging.server.com
application.development.server.com

But internally they can all be accessed by other applications using just https://application/. Can this be done?

Thx, Jorrit


#2

Publicly trusted CAs are prohibited from issuing certificates for internal hostnames, so unfortunately that won’t be possible.

More details here: https://cabforum.org/internal-names/


#3

Okay, that makes sense. We’ll look at signing internal certs with our own CA then. Thx
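An added illustration of the private-CA route settled on above (example code, not from the thread): a throwaway internal CA in Go signs one server certificate whose SANs cover both the public FQDN and the bare service name `application` from the question, and a verify check shows that a client trusting only that CA accepts the short name while rejecting names not on the list. The cluster-local name in the usage assumes the `default` namespace and the stock `cluster.local` domain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueInternal plays the private CA: it mints a CA and signs one server certificate
// whose SANs are exactly sans. Returns the leaf and a trust store holding only that CA.
func IssueInternal(sans []string) (*x509.Certificate, *x509.CertPool, error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil { return nil, nil, err }
	caCert, _ := x509.ParseCertificate(caDER) // DER we just produced always parses
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	leafPub, _, err := ed25519.GenerateKey(rand.Reader) // private half would be the server's TLS key
	if err != nil { return nil, nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     sans, // a public CA must refuse a bare "application" here; a private one need not
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, leafPub, caKey)
	if err != nil { return nil, nil, err }
	leaf, _ := x509.ParseCertificate(leafDER)
	return leaf, pool, nil
}

// Trusted reports whether a client that trusts only pool accepts leaf for host.
func Trusted(leaf *x509.Certificate, pool *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```

Every in-cluster client still has to be given the private CA certificate as a trust root; the last check in the test shows the certificate verifies against nothing else.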
