EDIT: I'm going to use LetsEncrypt, DNS challenge, and then either configure Caddy to use DNS challenge, or switch to another proxy.
This will also work nicely with my VPN, so all's good there.
Thanks all. If you're going to suggest LetsEncrypt DNS challenge, I'm with you. Something else? Love to hear it!
SSL/TLS question for folks.
I run a number of services inside my home network. Since they're all local, I run them without SSL/TLS, so plain http. The problem is modern browsers complain loudly when you use a non-encrypted service.
I can't use LetsEncrypt because the services are local only, not exposed to the Internet.
I could make a self-signed certificate, but that will cause some applications to fail since self-signed certs are generally frowned upon, and I can't easily add my CA certificate to every device in my home.
Do you run a homelab with web services? If so, how do you handle this problem?
#AskFedi #Homelab
=> More information about this toot | More toots from serge@babka.social
@serge
Hi Serge, I do use letsencrypt for local services. My home lab uses a subdomain of one of my domains and I issue and renew certs with acme.sh via the DNS challenge.
Best regards
=> More information about this toot | More toots from raumkadett@layer8.space
@raumkadett
@sbz
@brokenintuition
I hear you on using the DNS challenge, rather than the web challenge, but that means you're also suggesting I use a domain, let's say example.com, but then make the A records point to my internal services, so I'd have
internal-service.example.com's A record point to 192.168.1.10
Is that right?
=> More information about this toot | More toots from serge@babka.social
@serge You could use a publicly accessible host or something like
https://gethttpsforfree.com/
using DNS records to collect certs, and then copy those certs to your internal hosts.
Example 1: You have a VPS with a web server and acme client. Set up DNS record(s) to point internal-service.example.com at that VPS and set up your acme client to collect letsencrypt certs for it. Then set up a script on your internal host that will grab the new certs on a regular basis (or manually copy them if you like).
Example 2: Using a service like the link above doesn't require having a device with a "real" public IP address; you could just validate domain ownership with a DNS record. At the end of the process you get a cert that you can paste into your internal host. Of course, how you do DNS validation would depend entirely on how you are managing your public DNS.
Either way, you'd either have to set up your real public DNS to point those names at private addresses (like your 192.168.1.10 example), or poison your internal DNS to point those internal names at the appropriate addresses.
=> More information about this toot | More toots from jmhorner@eattherich.club
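Both raumkadett's acme.sh/DNS-challenge setup and jmhorner's "copy the certs to the internal host on a schedule" approach end with a cert and key being dropped onto a machine that never talked to the CA. The script below is an added example, not code from any poster in this thread: it sanity-checks such a copied pair (key matches cert, the internal name is actually covered, renewal has not silently stalled) before installing it. It assumes openssl is on PATH; the hostname, paths and the Caddy reload line are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: verify a certificate collected elsewhere via the
# DNS challenge before installing it on an internal host.
# check_cert HOST FULLCHAIN.pem PRIVKEY.pem [MIN_DAYS]
# Returns 0 only if the key matches the cert, HOST is covered by it,
# and it stays valid for at least MIN_DAYS more days.
MIN_DAYS=14

check_cert() {
    host=$1; cert=$2; key=$3; min_days=${4:-$MIN_DAYS}

    # 1. The private key must belong to this certificate: compare the
    #    SubjectPublicKeyInfo derived from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }

    # 2. The cert must cover the internal name the proxy will serve
    #    (SAN, or CN on certs without a SAN). -checkhost only prints a
    #    verdict, it does not change the exit status, hence the grep.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q "does match" \
        || { echo "$host is not covered by the certificate" >&2; return 1; }

    # 3. Refuse a cert that expires within min_days: a stalled renewal on
    #    the VPS would otherwise only be noticed when browsers start failing.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days" >&2; return 1; }
    return 0
}

# Install only a pair that passed every check, key readable by root only,
# then reload the proxy so it picks the new files up.
install_cert() {
    host=$1; cert=$2; key=$3; dest=${4:-/etc/ssl/private}   # assumed paths
    check_cert "$host" "$cert" "$key" || return 1
    install -m 0644 "$cert" "$dest/$host.fullchain.pem"
    install -m 0600 "$key" "$dest/$host.key.pem"
    # systemctl reload caddy   # assumed proxy, as in the thread
}
```

Run it from cron right after the fetch step so a bad copy is rejected instead of installed.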