Remix.run Logo
bombcar an hour ago

Just LE a wild card cert and slap it everywhere.

EvanAnderson an hour ago | parent [-]

I get antsy about a private key being in lots of places. You've also got to worry about renewal so you might as well just have "consumer" of the wildcard just provision its own non-wildcard certificate.

sandermvanvliet 17 minutes ago | parent [-]

I run a reverse proxy that handles the TLS termination for that reason.

Services themselves are constrained to the server, bound to listen on 127.0.0.1 only.

Key is only available to the reverse proxy.