redteaminfra / redteam-infra


cert leakage via SNI/IP bundle #71

Open willk opened 11 months ago

willk commented 11 months ago

All sketch endpoints leverage the same HTTP server; one can use SNI to verify that all domains are related from any endpoint.

This can also be done with just the IP:

openssl s_client -showcerts -connect x.x.x.x:443 </dev/null | grep CN
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = example.com
verify return:1
DONE
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
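The check above can be scripted so an operator can audit their own infrastructure for the same leakage before an adversary does. The following is an added example (not code from the issue or the redteam-infra project): it parses the `openssl s_client -showcerts` output shown above into the certificate chain, extracts the leaf CN, and wraps a live probe that connects to a bare IP with SNI deliberately omitted (`-noservername`) or with a chosen hostname so the two results can be compared. The sample output embedded below is the one posted in the issue; `probe_ip`, `leaf_cn` and `parse_chain` are names chosen here, and the live probe is only invoked when you run the file directly.

```python
import re
import subprocess

# Constructed sample: the -showcerts output posted in the issue above.
SAMPLE_OUTPUT = """\
DONE
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
"""

# " 0 s:<subject>" followed by "   i:<issuer>" for each cert in the chain.
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
CN_RE = re.compile(r"\bCN\s*=\s*([^,/]+)")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order openssl prints them
    (index 0 is the leaf certificate the server actually presented)."""
    chain = []
    pending_subject = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def leaf_cn(text):
    """CN of the leaf certificate, or None if no chain was printed
    (for example when the handshake failed)."""
    chain = parse_chain(text)
    if not chain:
        return None
    m = CN_RE.search(chain[0][0])
    return m.group(1).strip() if m else None


def probe_ip(ip, port=443, servername=None, timeout=15):
    """Run openssl s_client against an IP and return the leaf CN it serves.

    With servername=None the ClientHello carries no SNI, which is exactly
    the bare-IP check from the issue; passing a hostname lets you compare
    what the server hands out with and without SNI. Network call; not
    exercised by the offline parsing tests."""
    cmd = ["openssl", "s_client", "-showcerts", "-connect", f"{ip}:{port}"]
    cmd += ["-servername", servername] if servername else ["-noservername"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return leaf_cn(proc.stdout.decode(errors="replace"))


def leaks_real_domain(cn, decoy_domains):
    """True if the CN returned for a bare-IP connection is one of the
    operator's real domains, i.e. the IP alone exposes the domain."""
    if cn is None:
        return False
    cn = cn.lower().lstrip("*.")
    return any(cn == d.lower() or cn.endswith("." + d.lower()) for d in decoy_domains)


if __name__ == "__main__":
    import sys
    # Usage: python audit.py <ip> <domain> [<domain> ...]
    ip, domains = sys.argv[1], sys.argv[2:]
    cn = probe_ip(ip)
    print(f"{ip} (no SNI) -> leaf CN {cn!r}")
    if leaks_real_domain(cn, domains):
        print("leak: bare IP reveals an operational domain")
```

Running the audit against each proxy node after deployment, and failing the deploy when `leaks_real_domain` is true, turns the finding in this issue into a repeatable check rather than something noticed after the fact.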

devzspy commented 10 months ago

I don't believe there is a major way around this until ESNI is out of the drafting & testing/changing phase within TLS 1.3.

The only other thing would be some random hostname and then place a wildcard cert in front of it.

devzspy commented 3 months ago

In each proxy node that gets stood up, make it so that Docker spins up OpenResty containers on those nodes, which also have certbot automatically request the cert and automatically renew it.

The operator should be able to configure which domain and ports are used while specifying which proxy they wish the domains to be deployed onto.