Maybe this is more of a home lab question, but I’m utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I’ve tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let’s Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don’t have to fiddle with every machine that uses every service I’m hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
UPDATE:
Here’s what I ended up doing:
- set up cloudflare as the DNS provider for my domain
- use certbot plus the cloudflare DNS plugin to create a wildcard cert. Because I want to use wildcard certs and because the web servers are on a NATed private LAN, HTTP-01 challenge cannot be used. Wildcard certs use a DNS challenge. From what I understand of the certbot docs, the HTTP challenge makes a certain HTTP resource available on the web server, then requests that resource, presumably via an external client, to verify that you own the domain. the DNS challenge works by temporarily placing a TXT record in your DNS server. This method requires your DNS provider to have an accessible API that allows the modification of resource records.
- Once the cert and key are generated, I place them on the servers I want to to make use of them and set up the web server accordingly.
- Visit the websites and confirm that HTTPS works.
There are some other hiccups that I’m guessing aren’t related to HTTPS. Per My earlier question about self hosting, I’m experimenting with NodeBB. I cannot get the two test instances to federate, which I initially assumed was an issue with HTTPS. That’s a question best asked elsewhere, though I thought it relevant to note because it was my initial purpose for setting up HTTPS.
browsers complain less, and some apps (like HomeAssistant Android) only accept that
Trust the self signed cert. Works similarly to trusting a CA.
for every single subdomain, on desktop. firefox mobile does not even remember the decision. HA Android straight out refuses it, and thats not a local problem but a relatively known one in the community
Just create a wildcard domain certificate !
I access all my services in my lan through
https://servicename.home.lab/I just had to add the rootCA certificat (actually the intermediate certificate) into my trust store on every device. That’s what they actually do, just in automated way !Never had an issue to access my services with my self-signed certs, neither on Android, iOS, windows, linux ! Everything served from my server via my reverse proxy of choice (Treafik).
However I do remember that there was something of importance to make my Android device accept the certificate (something in certificate itself and the extension).
If you’re interested I can send you the snipped of a book to fully host your own CA :). It’s a great read and easy to follow !
that’s what I do already, but yeah I haven’t added it to the trust store so far, only on linux for git and curl
that would be interesting, thanks for the offer. but according to plan I don’t want to host a full-on CA, just make the CA cert, store them at a restricted place, and build other certs on top of it for use by nginx
If you change your mind someday, just send me a PM !
Import it into the trust store in the browser/OS. It should be the same (or very similar) operation for a self-signed cert and a CA that isn’t subordinate to the standard internet root CAs.
If you can’t import your own root CA cert then you’re probably screwed on both fronts and are going to have to use certs issued by a public CA that’s subordinate to a commonly trusted root CA.
My point here is that there’s little distinguishing a self-signed cert and a cert issued by your own private CA for most people that are self-hosting.