Our open source software provides a service that enables the user to remote control our desktop application through a web interface. The traffic is either tunneled through our servers or is established via a direct connection to the LAN/WAN IP of the user.
We are looking for a solution to also enable direct connections in the https context.
There are two problems at the moment. Either the http connection is getting blocked due to “mixed-content”, or the browser wants the user to accept an exception on every ip:port variant for the self-signed certificate. So after each IP change, the user would need to accept the self-signed certificate again and again.
Since we do not rely on SSL for security/encryption/authenticity because we use our own technology layer on top of the http protocol, our current approach is to use a wildcard certificate that we want to deploy together with our software. At the moment, we’re discussing this approach with our certificate provider. We are very aware of the risk of a possible Man-in-the-Middle attack when the private key is bundled with the application, but since we have our own security/encryption/authenticity layer on top, this is not a problem in our use case.
We would like to discuss the possibility of using “Let’s Encrypt” to provide a custom certificate for each running instance of the application.
This would either require wildcard support for “Let’s Encrypt” or at least 2 different certificates per running instance for LAN/WAN mode.
Our service is currently still in the beta phase, but we would already require about 30-60k certificates.
It would be nice to get in contact with someone who is able to provide feedback/help with this.
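The following is an added example, not code from the original post or from the project it describes. It implements the name-matching rule a browser applies to a certificate's Subject Alternative Names (DNS names with a single leftmost wildcard label, and IP address entries that match only exactly), which is what makes every ip:port variant of a self-signed certificate a separate exception and which limits what a wildcard certificate can cover. It goes slightly beyond the post by also showing the hostname-encoding scheme that lets one wildcard certificate cover a changing LAN/WAN IP: the instance is reached under a DNS name that embeds its IP. The SAN list, the zone `direct.example.test` and all IP addresses are constructed for the example; a real deployment would additionally need DNS for that zone to resolve each encoded name to the instance's IP.

```python
import ipaddress


def strip_port(hostport: str) -> str:
    """Return the host part of 'host:port', '[v6]:port' or a bare host.

    Browsers key certificate exceptions by host:port, so the same
    certificate must be re-accepted for each new IP or port.
    """
    if hostport.startswith("["):                       # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    if hostport.count(":") == 1:                       # exactly one ':' -> host:port
        return hostport.rsplit(":", 1)[0]
    return hostport                                    # bare hostname, IPv4 or raw IPv6


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching of a DNS SAN entry against a hostname.

    A wildcard is only honoured as the entire leftmost label, it matches
    exactly one label, and it needs at least two fixed labels after it.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):                 # '*' covers one label only
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(san_entries, hostport: str) -> bool:
    """True if the certificate's SAN list covers the host a browser connected to.

    san_entries is a list of ("DNS", name) / ("IP", address) tuples, i.e. the
    decoded subjectAltName extension. IP entries never match DNS names and
    wildcards never match IP literals.
    """
    host = strip_port(hostport)
    if is_ip_literal(host):
        target = ipaddress.ip_address(host)
        return any(kind == "IP" and ipaddress.ip_address(value) == target
                   for kind, value in san_entries)
    return any(kind == "DNS" and dns_name_matches(value, host)
               for kind, value in san_entries)


def ip_as_hostname(ip: str, zone: str) -> str:
    """Encode an instance IP as one DNS label under a wildcard zone (assumed scheme).

    '192.168.1.5' -> '192-168-1-5.direct.example.test', which *.direct.example.test
    covers; DNS for the zone must answer that name with 192.168.1.5.
    """
    addr = ipaddress.ip_address(ip)
    label = str(addr).replace(".", "-").replace(":", "-")
    return f"{label}.{zone}"


# Constructed SAN list of a hypothetical wildcard certificate shipped with the app.
WILDCARD_SANS = [("DNS", "*.direct.example.test"), ("IP", "203.0.113.7")]


def check_cases():
    """Evaluate the cases a practitioner would want to see; returns {host: covered}."""
    cases = [
        "app.direct.example.test",        # one label under the wildcard: covered
        "a.b.direct.example.test",        # two labels: wildcard does not reach
        "direct.example.test",            # the zone apex itself: not covered
        "192.168.1.5:8443",               # raw LAN IP: a wildcard never covers IPs
        "203.0.113.7:8443",               # exact IP SAN: covered
        "192.0.2.9:8443",                 # a new IP would need a new SAN/exception
        ip_as_hostname("192.168.1.5", "direct.example.test"),  # encoded IP: covered
    ]
    return {c: certificate_covers(WILDCARD_SANS, c) for c in cases}


if __name__ == "__main__":
    for host, covered in check_cases().items():
        print(f"{host:45} covered={covered}")
```

The two results that matter for the post are that `192.168.1.5:8443` is not covered by any wildcard certificate, while `192-168-1-5.direct.example.test` is; a per-instance Let's Encrypt certificate would instead need that exact DNS name (or the IP, which public CAs do not normally issue for) in its SAN list.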