Ancestors

Toot

Written by Serge from Babka on 2025-01-20 at 15:46

EDIT: I'm going to use LetsEncrypt, DNS challenge, and then either configure Caddy to use DNS challenge, or switch to another proxy.

This will also work nicely with my VPN, so all's good there.

Thanks all. If you're going to suggest LetsEncrypt DNS challenge, I'm with you. Something else? Love to hear it!

SSL/TLS question for folks.

I run a number of services inside my home network. Since they're all local, I run them without SSL/TLS, so plain http. The problem is modern browsers complain loudly when you use a non-encrypted service.

I can't use LetsEncrypt because the services are local only, not exposed to the Internet.

I could make a self-signed certificate, but that will cause some applications to fail since self-signed certs are generally frowned upon, and I can't easily add my CA certificate to every device in my home.

Do you run a homelab with web services? If so, how do you handle this problem?

#AskFedi #Homelab

=> More information about this toot | More toots from serge@babka.social

Descendants

Written by 5Ub-Z3r0 on 2025-01-20 at 15:50

@serge if you own the domain you can use the DNS challenge even if no records are publicly available.

=> More information about this toot | More toots from sbz@metalhead.club

Written by raumkadett on 2025-01-20 at 15:52

@serge

Hi Serge, I do use letsencrypt for local services. My home lab uses a subdomain of one of my domains and I issue and renew certs with acme.sh via the DNS challenge.

best regards

=> More information about this toot | More toots from raumkadett@layer8.space

Written by Serge from Babka on 2025-01-20 at 15:55

@raumkadett

@sbz

@brokenintuition

I hear you on using the DNS challenge, rather than the web challenge, but that means you're also suggesting I use a domain, let's say example.com, but then make the A records point to my internal services, so I'd have

internal-service.example.com 's A record point to 192.168.1.10

Is that right?

=> More information about this toot | More toots from serge@babka.social

Written by Serge from Babka on 2025-01-20 at 16:12

@raumkadett @sbz @brokenintuition

=> View attached media

=> More information about this toot | More toots from serge@babka.social

Written by raumkadett on 2025-01-20 at 16:33

@serge

:bloblewd:

You just have to prove you really control DNS for the domain you want to use, an A or AAAA record is not required, merely the ability to create TXT records.

The IP address is not part of the cert.

@sbz @brokenintuition

=> More information about this toot | More toots from raumkadett@layer8.space
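To make the point in the reply above concrete (the CA only checks a TXT record, never an A/AAAA record, and a wildcard is validated at its base name), here is an added example that is not part of the thread: the DNS-01 computation from RFC 8555 section 8.4 and the RFC 7638 key thumbprint it depends on, with a constructed stand-in for the CA's DNS lookup. The account JWK, token and zone contents are placeholders constructed for the example, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted keys, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record contents for DNS-01: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Name the CA queries. A wildcard is validated at its base name (RFC 8555 section 7.1.3)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def ca_accepts(identifier: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """Constructed stand-in for the CA's DNS lookup.

    `zone` maps a record name to the list of TXT strings published there; the
    CA accepts if the expected value is among them. No A/AAAA lookup happens.
    """
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(challenge_record_name(identifier), [])


# Constructed sample data: a placeholder EC JWK (not a real key) and a made-up token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}
TOKEN = "constructed-challenge-token"


def demo() -> dict:
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    # The zone holds only the challenge TXT record; the validated name has no A record at all.
    zone = {"_acme-challenge.home.example.com": [txt]}
    return {
        "record_name": challenge_record_name("*.home.example.com"),
        "txt_value": txt,
        "wildcard_ok": ca_accepts("*.home.example.com", TOKEN, ACCOUNT_JWK, zone),
        "base_ok": ca_accepts("home.example.com", TOKEN, ACCOUNT_JWK, zone),
        "wrong_token": ca_accepts("*.home.example.com", "other-token", ACCOUNT_JWK, zone),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things worth noticing when you run it: the wildcard and the bare base name both validate at the same `_acme-challenge.home.example.com` record, which is why tools like acme.sh can request both in one order, and the TXT value is bound to your ACME account key, so a stale record from someone else's account cannot be reused.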

Written by JM Horner :blobcatcowboy: 🥒 on 2025-01-20 at 16:24

@serge You could use a publicly accessible host or something like https://gethttpsforfree.com/ using DNS records to collect certs, and then copy those certs to your internal hosts.

Example 1: You have a VPS with a web server and acme client. Set up DNS record(s) to point internal-service.example.com at that VPS and set up your acme client to collect letsencrypt certs for it. Then set up a script on your internal host that will grab the new certs on a regular basis (or manually copy them if you like).

Example 2: Using a service like the link above doesn't require having a device with a "real" public IP address, you could just validate domain ownership with a DNS record. At the end of the process you get a cert that you can paste in to your internal host. Of course, how you do DNS validation would depend entirely on how you are managing your public DNS.

Either way, you'd either have to set up your real public DNS to point those names at private addresses (like your 192.168.1.10 example), or poison your internal DNS to point those internal names at the appropriate addresses.

=> More information about this toot | More toots from jmhorner@eattherich.club

Written by #/usr/sbin/rtheren on 2025-01-20 at 16:02

@serge LAN-only services: my own CA with EasyRSA. Anything that is exposed online: LetsEncrypt.

=> More information about this toot | More toots from RTheren@social.linux.pizza

Written by Koos Pol 🇺🇦 on 2025-01-20 at 16:18

@serge That forces you to trust the root CA. That's contrary to the purpose of LetsEncrypt.

=> More information about this toot | More toots from KoosPol@mastodon.nl

Written by Serge from Babka on 2025-01-20 at 16:19

@KoosPol

Please offer a different suggestion that gets me to the goal then :)

=> More information about this toot | More toots from serge@babka.social

Written by Koos Pol 🇺🇦 on 2025-01-20 at 16:23

@serge I don't have any. I'm in the same boat. Fortunately my home LAN is very small. I've accepted the misery of self-signed certificates.

=> More information about this toot | More toots from KoosPol@mastodon.nl

Written by Josh :everything_bagel: on 2025-01-20 at 16:13

@serge another option is Tailscale, which is also pretty great for a number of other purposes. I don’t even come close to using its full feature set, but it’s really helpful for securely managing a local network, and especially for accessing it from outside the house.

https://tailscale.com/kb/1153/enabling-https

=> More information about this toot | More toots from josh0@babka.social

Written by Georg on 2025-01-20 at 17:01

@serge You already got a solution, however I do have a hint which might help.

Acme.sh and dnscontrol both allow issuing a certificate using a DNS challenge. You can then deploy the certs wherever you like. That's basically my setup, I can assist if you want.

=> More information about this toot | More toots from gcrkrause@hachyderm.io

Written by Serge from Babka on 2025-01-20 at 17:31

@gcrkrause

I'm a little confused. How is this different than the proposed solution the other folks who mentioned DNS challenges laid out?

=> More information about this toot | More toots from serge@babka.social

Written by Georg on 2025-01-20 at 17:32

@serge It's not. I just suggested software I prefer to use and wanted to emphasize that DNS challenges are the way to go.

Sorry for any confusion!

=> More information about this toot | More toots from gcrkrause@hachyderm.io

Written by Serge from Babka on 2025-01-20 at 17:33

@gcrkrause

No worries, I just didn't understand.

=> More information about this toot | More toots from serge@babka.social

Written by Georg on 2025-01-20 at 17:36

@serge For me LetsEncrypt is only the service, most people use certbot to interact with it. While certbot is the best thing to do for beginners in basic setups, I don't really like using it (but last time I tried was several years ago, so this might have changed). So I wanted to offer alternatives if you experience the same.

=> More information about this toot | More toots from gcrkrause@hachyderm.io

Written by crabbypup on 2025-01-20 at 17:58

@serge

I use a smallstep little CA with ACME challenge support enabled.

like this - though I'm not using a yubikey, I just run the CA in a screen session and type in the key to unlock the CA when I boot the VM it lives on.

The only thing is that this method doesn't really help when accessing from an android device, because android doesn't trust user provided root certs.

https://www.youtube.com/watch?v=BKCj6A4CHV4

=> More information about this toot | More toots from crabbypup@fosstodon.org

Written by Rune 🇨🇦 on 2025-01-20 at 20:53

@serge

If you have a domain, then set up a reverse proxy that supports LetsEncrypt (I use Traefik, but there's many options). Configure it to use LetsEncrypt DNS-01 challenge and issue a wildcard cert (*.home.domain.tld?).

Then put a *.home.domain.tld A record in public DNS, pointed at your internal IP that hosts the reverse proxy.

=> More information about this toot | More toots from rune@intothecloud.net

Written by פְּרִי on 2025-01-20 at 21:13

@serge DNS is good, but I also have an exposed nginx which does a reverse proxy which forwards different /well-known links (and nothing else, often)

=> More information about this toot | More toots from peribotsarah@babka.social

Written by Andrew Williams on 2025-01-21 at 10:57

@serge If you own the domain you're using for internal services, and DNS for it is on a provider that certbot supports, then you can use DNS-01 to create certs for your internal services.

I personally have everything behind a haproxy instance with a wildcard cert (*.prod.domain.com) so I only really have to think about one cert being updated.

=> More information about this toot | More toots from nikdoof@incognitus.net
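Rune and Andrew both suggest one wildcard certificate behind a reverse proxy. A question that comes up when choosing that layout is exactly which hostnames the wildcard covers, and whether the private IP in the A record matters to the browser. As an added example (not code from the thread or from any of the tools mentioned), the function below applies the browser-side name-matching rules from RFC 6125 section 6.4.3 to a constructed SAN list; the hostnames and `example.com` names are made up for the example.

```python
def hostname_matches(hostname: str, san_dns_names: list) -> bool:
    """Does a certificate's dNSName list cover this hostname?

    Browser rules (RFC 6125 section 6.4.3): compare case-insensitively; a
    wildcard may only be the left-most label and matches exactly one label.
    The peer's IP address is not an input, which is why an A record that points
    at 192.168.x.x is fine as long as the name in the URL is in the SAN list.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) > 2          # refuse "*" and "*.tld"
                and len(labels) == len(host) and labels[1:] == host[1:]):
            return True
    return False


# Constructed sample: the SANs a DNS-01 wildcard order for the home subdomain
# would typically carry, with the base name added so the proxy's own name works.
WILDCARD_CERT_SANS = ["*.home.example.com", "home.example.com"]


def coverage_report(cert_sans: list, hostnames: list) -> dict:
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: hostname_matches(h, cert_sans) for h in hostnames}


if __name__ == "__main__":
    report = coverage_report(WILDCARD_CERT_SANS, [
        "grafana.home.example.com",        # one label under the wildcard: covered
        "GRAFANA.Home.Example.COM",        # case does not matter: covered
        "home.example.com",                # covered only because the base name is also listed
        "dev.grafana.home.example.com",    # two labels deep: not covered
        "grafana.example.com",             # outside the home subdomain: not covered
    ])
    for host, ok in report.items():
        print(f"{host:32} {'OK' if ok else 'NAME MISMATCH'}")
```

The practical consequence for the proxy layout in the thread: keep every internal service exactly one label under the wildcard (`service.home.example.com`), and include the bare base name in the same certificate if the proxy itself is reached by it; anything nested deeper needs its own name in the SAN list or a second wildcard.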
