submitted 2 years ago* (last edited 2 years ago) by GravelPieceOfSword@lemmy.ca to c/selfhosted@lemmy.world

20 comments fedilink hide all child comments

How are y'all managing internal network certificates?

At any point in time, I have between 2-10 services, often running on a network behind an nginx reverse proxy, with some variation in certificates, none ideal. Here's what I've done in the past:

setup a CLI CA using openssl
- somewhat works, but importing CAs into phones was a hassle.
self sign single cert per service
- works, very kludgy, very easy
expose http port only on lo interface for sensitive services (e.g. pihole admin), ssh local tunnel when needed

I see easy-RSA seems to be more user friendly these days, but haven't tried it yet.

I'm tempted to try this setup for my local LAN facing (as exposed to tunnel only, such as pihole) services:

Get letsencrypt cert for single public DNS domain (e.g. lan.mydomain.org).. not sure about wildcard cert.
use letsencrypt on nginx reverse proxy, expose various services as suburls (e.g. lan.mydomain.org/nextcloud)

Curious what y'all do and if I'm missing anything basic.

I have no intention of exposing these outside my local network, and prefer as less client side changes as possible.

you are viewing a single comment's thread
view the rest of the comments

[-] carcus@lemmy.ml 17 points 2 years ago

You should be able to do wildcards with acme V2 and a dns challenge: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

You would manage internal dns and would never need to expose anything as it’s all through validation through a TXT record.

You could use also something like traefik to manage the cert generation and reverse proxying:

https://doc.traefik.io/traefik/https/acme/

[+] cwagner@lemmy.cwagner.me 9 points 2 years ago* (last edited 2 years ago)

[deleted]

[-] Manmoth@lemmy.ml 3 points 2 years ago* (last edited 2 years ago)

[removed by mod]

[-] TechAdmin@lemmy.world 2 points 2 years ago

I have public wildcard DNS entry (*.REMOVEDDOMAIN.com) on Cloudflare on my primary domain that resolves to 192.168.10.120 (my Caddy host)

Caddyfile

{
  email EMAILREMOVED@gmail.com
  acme_dns cloudflare TOKENGOESHERE
}

portal.REMOVEDDOMAIN.com {
  reverse_proxy 127.0.0.1:8081
}

speedtest.REMOVEDDOMAIN.com {
  reverse_proxy 192.168.10.125:8181
}

this post was submitted on 22 Sep 2023

45 points (100.0% liked)

Selfhosted

60093 readers

596 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.
Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 30 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world