Is Using Public DNS for Private IPs a Good Idea to Avoid Self-Signed Certificates?

Asked By TechieNinja42 On

I'm deploying RabbitMQ within our AWS VPC and want to keep it private to avoid extra costs associated with public load balancers. I can set it up either in plain text or with TLS, and although best practices suggest using TLS (which requires certificates), I want to avoid the hassle of managing self-signed certificates. Public certificates can't be generated for private DNS records, so I'm considering using a public DNS that resolves to a private IP, allowing me to obtain Let's Encrypt certificates. Is this a solid approach, or should I just run it without TLS?

4 Answers

Answered By VPCWizard21 On

If you're only using Nitro instances, the communication is usually encrypted anyway, making it less of a concern. But, I still think you should set up your own certificates instead of relying on DNS tricks. It’s important to control your encryption and not just depend on what AWS offers in their infrastructure!

SecureItRight -

I completely agree with you there. Relying solely on the cloud provider's encryption could be risky. It’s best to ensure you're managing your own security! That said, the routing and handling of certificates shouldn't be overlooked.

Answered By CertSkeptic On

You should look into using step-ca; it's a straightforward way to manage internal certificates. Plus, if you're going for Let's Encrypt, be aware of the DNS-01 challenge. You'll have to set a TXT record for validation, which implies your DNS needs to be accessible for their checks. Just pointing a public DNS to a private IP may not cut it!

Answered By CertMaster30 On

You're overthinking this! Self-signed certificates aren't that much trouble to create and manage. It literally takes a few minutes. If you want to steer clear of the headache of cert management, consider using an internal PKI solution instead of messing with DNS trickery to work around Let's Encrypt. It's simpler that way!

Answered By CloudGuru89 On

I think your idea is pretty sound! Lots of people are doing this across various setups—companies to individual projects. Sure, it could reveal some of your internal network layout, but without access to your private network, that insight doesn’t hold much weight. I'd say go for it!
