However, given that allowing private IP resolution from a public DNS subdomain facilitates DNS rebinding attacks, it (and all equivalent approaches) will unfortunately be blocked by quite a few of the more sophisticated home routers out there, including a quite common brand in Germany.
Nice, thanks for sharing this. I use sslip.io but they do not provide TLS certificates, so ACME v1 validation is required using a WAN IP address and ensuring router port forwarding or Cloudflare tunnel etc. is running. This magic domain is so much easier.
I don't think this is actually compatible with the browser security model – specifically, CAs are required to revoke certificates for known-compromised private keys, according to point 4.9.1 here: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...
bar-192-168-1-1.traefik.me
http://traefik.me/fullchain.pem
http://traefik.me/privkey.pem
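The router-side filtering described in the first comment, as an added example that is not part of the thread and not any router's actual code: a minimal model of a resolver's rebind protection, with an allowlist modelled on dnsmasq's `rebind-domain-ok` option. The answer data is constructed, and the mapping of `bar-192-168-1-1.traefik.me` to 192.168.1.1 is assumed from the hostname.

```python
import ipaddress

def is_internal(addr: str) -> bool:
    """True if a rebind filter would refuse this address in an upstream answer."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1) so it cannot slip past the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def filter_answer(qname, addresses, allowed_suffixes=()):
    """Return (verdict, kept_addresses) for one upstream DNS answer.

    allowed_suffixes is a hypothetical allowlist of domains exempt from the
    filter. Exempting a domain also removes rebind protection for every
    name under it, so keep the list as narrow as possible.
    """
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in allowed_suffixes):
        return "allow", list(addresses)
    # One internal record is enough to drop the whole answer, which also
    # covers answers that mix public and internal addresses.
    if any(is_internal(a) for a in addresses):
        return "drop", []
    return "allow", list(addresses)

# Constructed sample answers (not captured traffic).
SAMPLE = [
    ("bar-192-168-1-1.traefik.me", ["192.168.1.1"]),
    ("example.com", ["8.8.8.8"]),
    ("mixed.example", ["8.8.8.8", "10.0.0.5"]),
    ("mapped.example", ["::ffff:192.168.1.1"]),
]

if __name__ == "__main__":
    for qname, addrs in SAMPLE:
        print(qname, addrs, "default:", filter_answer(qname, addrs)[0],
              "| traefik.me allowlisted:",
              filter_answer(qname, addrs, ("traefik.me",))[0])
```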