The easiest way to do it is to do it the right way with LetsEncrypt. The hardest way to do it is the wrong way, where you create your own CA, import it as a root CA into all of the machines you’ll be accessing your servers from, then create and sign your own certs using your CA to use in your servers.
This, letsencrypt with dns challenge, https://desec.io/ to manage the dns records https://github.com/go-acme/lego or traefik to manage the certificates and do the dns challenges for you.
Tried that once. It was not a fun route to go down. If let's encrypt ever dies it anything fine, I'll look into it again. Until then, let's encrypt all the way
why is creating one's own CA the wrong way? I don't want to have to pay cloudflare or porkbun to run HTTPS at home
Because you have to manage it on your server and all your own machines, and it doesn’t provide any value if your server is hacked. It actually makes you less safe if your server is hacked, because then you can consider every machine that has that CA as compromised. There’s no reason to use HTTPS if you’re running your own CA. If you don’t trust your router, you shouldn’t trust anything you do on your network. Just use HTTP or use a port forward to localhost through ssh if you don’t trust your own network.
You don’t have to pay anyone to use HTTPS at home. Just use a free subdomain and HTTP validation for certbot.
I agree that it's the wrong way, but not because of any of this other than the first half of the first sentence.
It's the hard/wrong way because it means you are having to be responsible for securing the root cert private keys and because most people will do it wrong and set up a root cert with the ability to sign not just tls certs, and that's where the problems can occur if the keys are compromised and you've set up all of your machines to trust it.
But it's also not true that you shouldn't use HTTPS or that you should trust your own network, not because of the router, but because of the devices. People don't control their devices anymore. Many home automation devices, nanny cams, security devices, water leak detectors, etc., contain firmware that is poorly configured and can easily expose your network traffic if it's not encrypted. Not to mention a lot of apps these days on smartphones are Trojans for spyware, Temu, WeChat, etc.
And as for cost, you can get a domain name for a few dollars per year or as mentioned, a subdomain from something like a DDNS service, so it definitely can be totally free to do it the right way.
I use the OVH plugin to get a wildcard cert for my homelab, that way I can spin up anything and its covered by the cert.
Also, Proxmox and PFSense use the OVH let's encrypt plugin to be secured as well
Yeah. Exactly how I do it. .casa domain to distinguish it from my other domains, DNS challenge and I am good.
Proxmox and OPN Sense work with it themselves, for everything else I use NPM on Proxmox. Couldn't be more happy with that solution.
Reverse proxy and letsencrypt. Doing custom certificates is more difficult and you would need to install and trust the certificate on all devices.
This assumes ownership of a domain if I'm not mistaken.
Otherwise, yes this is the easiest way.
There are dyndns providers that support the DNS challenge that have free tiers. Those are sufficient, and you can even get wildcard certs for your subdomain that way. Perfectly sufficient for a homelab.
desec.io
Yes exactly. I didn't wanna name-drop them cause they are closed for new dynDNS signups. You can create an account to manage your own domain, but you currently can't signup for their dynDNS service, unfortunately.
That being said, I would still highly recommend them for managing your own domain, if you're looking for a place to host literally just the DNS part.
If needed you could use a subdomain from a free dyndns provider. And if you're going to be self hosting stuff having your own domain is probably good anyway.
Yeah I guess installing a root CA cert (or an Intermediate, depending on how complex your setup is) and automatically rotating certs upon expiry isn't the most trivial thing. With that said, dekstop linux/windows isn't a problem. You could theoretically do it on iOS too. Android recently has completely broken this method, however, and there's a fair few hoops one must jump over to insert a root CA into the Android trust store on Android 13 and later. I'd like find a way to do it just for browsers on Android using adb if possible
I agree. Get a domain name, point it to the internal address of your NGINX Proxy manager (or other reverse proxy that manages certificates that you are used to). A bit of work initially, then trivial to add services afterwards.
I didn't really need encryption for my internal services (although I guess that's good), but I kept getting papercuts with browser warnings, not being able to save passwords, and some services (eg container repository on Forgejo) just flat out refusing to trust a http connection.
I usw nginxproymanager for that. It has an integrated function to create and update letsencrypt certificates. Creating a New host takes like 1 minute.
+1 to NPM. Works really easily for certs and auto renewal.
Maybe not the best acronym, with Node Package Manager around
With caddy you can easily set up a local issued certificate for https. It would shine a nice warming on your browser unless you install the CA certificate on the computer you use to visit the site though.
https://caddyserver.com/docs/automatic-https#local-https
This is the easiest way I know how to do it. Caddy takes almost no configuration to get working.
Or use caddy with a dns challenge. No need to open any ports and just use it completely locally without any annoying warning.
The easiest way is to pay for a public domain, use a subdomain of that which does not have an A record on the wide internet, and then use certbot to get Let's Encrypt certificates for them and auto-renew. Stuff these in your individual reverse-proxy instances (or propagate them, no idea how) and you're done
It's pretty easy to do, I set it up using this guide: https://www.youtube.com/watch?v=qlcVx-k-02E
Used this guide too, it was the one that finally made things "click" for me.,
I used it for a while until I outgrew it and managed to setup Traefik.
I used the same guide and it works great.
I just add my CA to my devices and use self signed certificates for stuff on my LAN. I don't want to go through all the trouble of using lets encrypt for something that's not accessible from the internet.
This is the most permanent solution. You can generate valid and trusted certs for as long as you want. Let's Encrypt is great, but you also have to configure the automation to keep renewing the certs every 30 days.
I've been doing it this way for many years, before LetsEncrypt was around. Maybe some day I will switch so I can become dependent on another third party (though I do use LetsEncrypt for public-facing services).
Yes, telling your computer to trust a certificate chain that you are responsible for securing may significantly increase your attack surface. It's easy to forget about that root cert (I actually push mine via GPO).
If you mean signed by your CA then this is me too, albeit with an intermediate CA in the middle (honestly pointless in my case, but old habits etc).
I don't host anything externally and trusting the CA certs internally is easy as Ionly need to do it on a handful of devices. This + reverse proxy keeps things tidy and uncomplicated.
I do this. I use Cloudflare as my DNS and Caddy as my server. With the Cloudflare plugin Caddy gets TLS certs even for 10/8 addresses.
Nginx Proxy Manager is probably perfect for you.
Pick a domain (like mylab.home or something), set up your home network to resolve that domains IP as your docker hosts IP.
NPM will do self-signed certs. So, you will get a "warning, Https is insecure" kinda page when you visit it. You could import NPMs root cert into your OS/browser so it trusts it (or set up an "don't warn for this domain" or something).
If you don't want per-client config to trust it, then you need to buy a domain, use a DNS that supports letsencrypt DNS-challenge, and grab certs that way (means you don't need a publicly accessible well-known route exposed)
I roll out Step CA to my workstation with an Ansible role. All other clients on the lab trust this CA and are allowed to request certificates for themselves through ACME, like LetsEncrypt.
All my services on all clients on the network are exposed through traefik, which also handles the ACME process.
When it comes to Jellyfin, this is entirely counter-productive. Your media server needs to be accessible to be useful. Jellyfin should be run with host networking to enable DLNA, which will never pass through TLS. Additionally, not all clients support custom CAs. Chromecast or the OS on a TV are prime candidates to break once you move your Jellyfin entirely behind a proxy with custom CA certificates. You can waste a lot of time on this and achieve very little. If you only use the web UI for Jellyfin, then you might not care, but I prefer to keep this service out of the fancy HTTPS setup.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters | More Letters |
---|---|
CA | (SSL) Certificate Authority |
DNS | Domain Name Service/System |
HTTP | Hypertext Transfer Protocol, the Web |
HTTPS | HTTP over SSL |
IP | Internet Protocol |
SMTP | Simple Mail Transfer Protocol |
SSL | Secure Sockets Layer, for transparent encryption |
TLS | Transport Layer Security, supersedes SSL |
nginx | Popular HTTP server |
9 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.
[Thread #856 for this sub, first seen 7th Jul 2024, 03:25] [FAQ] [Full list] [Contact] [Source code]
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!