this post was submitted on 23 Oct 2023

Morning,

So when I first started homelabbing, I didn't use my wildcard certs due to me not fully understanding Traefik's implementation of Let's Encrypt. Does anyone know how to remove my registered SSL certs from being publicly viewed, for example using https://crt.sh/?

GolemancerVekk@alien.top 1 points 1 year ago

Certificate transparency logs play a vital role, so you can't remove any information from them. They let everybody (including you) verify that the certificates are genuine, and they keep certificate authorities honest.

If the part that's bothering you is that your subdomains are known, the solution is to get wildcard certs then replace all the former subdomains with new ones that don't appear in the log.

If the part that's bothering you is simply that old domain names are still resolved, the trick is to not get wildcard DNS records. The certs should be issued for a wildcard (*.domain.tld) but the actual subdomains should be defined explicitly (CNAME example.domain.tld -> domain.tld but not CNAME *.domain.tld -> domain.tld); otherwise all the previously defined subdomains will keep working.

I think most of us have been through this, myself included. Not only did I define subdomains before learning about logs and wildcards, I also had domains that were used at some point with freedns.afraid.org and had random people issue certs for various subdomains, and all of that is now in the transparency logs.
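
An added example (not part of the comment above): a small Python audit of the wildcard-cert and explicit-DNS advice, showing which names already in the CT logs still resolve. The host names, zone contents and the simplified DNS wildcard matching are constructed assumptions.

```python
# Added example. All names and records are constructed; domain.tld is the
# placeholder used in the comment above.
LOGGED = ["nextcloud.domain.tld", "vault.domain.tld", "old.lab.domain.tld"]  # already in CT logs
ZONE_WILDCARD = {"domain.tld", "*.domain.tld"}                  # wildcard DNS record
ZONE_EXPLICIT = {"domain.tld", "files-x7.domain.tld", "pw-k2.domain.tld"}  # renamed, explicit
CERT_SANS = ["domain.tld", "*.domain.tld"]                      # what the new cert publishes


def dns_status(name, zone):
    """How a logged name resolves against the zone (simplified: ignores
    closest-encloser rules; a DNS wildcard matches any depth below its parent)."""
    if name in zone:
        return "explicit"
    if any(r.startswith("*.") and name.endswith(r[1:]) for r in zone):
        return "wildcard-dns"
    return "dead"


def audit(logged, zone):
    """Map every name already visible in CT logs to its current DNS status."""
    return {name: dns_status(name, zone) for name in logged}


def cert_covers(sans, host):
    """Certificate wildcard matching: '*' stands for exactly one leftmost label."""
    head, _, rest = host.partition(".")
    return any(s == host or (s.startswith("*.") and head and rest == s[2:]) for s in sans)


def still_exposed(logged, zone):
    """Logged names an outsider can still reach by name."""
    return sorted(n for n, s in audit(logged, zone).items() if s != "dead")


if __name__ == "__main__":
    print("wildcard DNS :", still_exposed(LOGGED, ZONE_WILDCARD))
    print("explicit DNS :", still_exposed(LOGGED, ZONE_EXPLICIT))
    for host in sorted(ZONE_EXPLICIT):
        print(host, "covered by cert:", cert_covers(CERT_SANS, host))
```

With the wildcard DNS record every logged name still resolves; with explicit records only the renamed hosts do, and the wildcard cert covers them without adding their names to the log.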

borouhin@alien.top 1 points 1 year ago

Heh, it's a valuable OSINT source of information indeed :) Even if it was just one time a sysadmin issued a single certificate for multiple domains that were not meant to look connected to each other, CT logs show that these domains' owners are actually affiliated.