Hacker News

bityard, last Monday at 5:24 PM (2 replies)

Yep, but this comes with a tradeoff: all of your services now have a valid key/cert for your whole domain, significantly increasing the blast radius if one service is compromised.


Replies

nh2, last Tuesday at 3:05 AM

Is it technically possible to obtain a wildcard cert from Let's Encrypt, but then use OpenSSL / X.509 tooling to derive a restricted cert/key to be deployed on servers, which only works for specific domains under the wildcard?

silverwind, last Monday at 6:31 PM

Not a problem if you have the cert on a shared load balancer, not on the services directly.
