Heads up on the privacy of TLS certificates in the light of the incoming Truecharts changes

[FrostyCat]

Hi everyone. In the light of the cert-manager implementation in Truecharts and the eventual removal of support for Truenas host managed certificates, I'd like to remind everyone that for example, details of issued Let's Encrypt certificates are not private.

For any domain you own and use with Let's Encrypt for example, visit https://crt.sh and search the name, you'll get a list of all your issued certificates. Further more, most CAs usually make issue logs public. Using certificates with fixed CNs, e.g. nextcloud.example.com will leak the hostname in the CA's logs, while using a wildcard certificate will not.

So, while this may or may not have much impact depending on your use case, please be mindful about what you may inadvertently might expose just by requesting a TLS certificate, in many cases this may lead to an increased attack surface for your services.

 

[truecharts]

We are aware of the option to request wildcard certificates with cert-manager. We've opted to implement and solidify the basics first and expand it later. The same goes for other webhook-based cert-manager providers, which also definately peak our interest.

besides just waiting, users are free to (also) log an enhancement request on github.

There is no timeframe or even guarantee of eventual removal of support for TrueNAS host managed certificates though. IF it happens we are talking closer to a year or more than to months.

 

[FrostyCat]

There is no timeframe or even guarantee of eventual removal of support for TrueNAS host managed certificates though. IF it happens we are talking closer to a year or more than to months.

Good to know, thanks. I really appreciate the work your guys and the community are doing.

 

[truecharts]

Most certainly there has to be close to 100% feature parity before the SCALE cert feature is removed.