this post was submitted on 05 Apr 2025
208 points (99.1% liked)

Selfhosted

45618 readers
695 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
208
How do I use HTTPS on a private LAN without self-signed certs? (lemmy.radio)
submitted 5 days ago* (last edited 4 days ago) by [email protected] to c/[email protected]
50 comments fedilink hide all child comments
 

Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.

Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.

UPDATE:

Here's what I ended up doing:

  1. set up cloudflare as the DNS provider for my domain
  2. use certbot plus the cloudflare DNS plugin to create a wildcard cert. Because I want to use wildcard certs and because the web servers are on a NATed private LAN, HTTP-01 challenge cannot be used. Wildcard certs use a DNS challenge. From what I understand of the certbot docs, the HTTP challenge makes a certain HTTP resource available on the web server, then requests that resource, presumably via an external client, to verify that you own the domain. the DNS challenge works by temporarily placing a TXT record in your DNS server. This method requires your DNS provider to have an accessible API that allows the modification of resource records.
  3. Once the cert and key are generated, I place them on the servers I want to to make use of them and set up the web server accordingly.
  4. Visit the websites and confirm that HTTPS works.

There are some other hiccups that I'm guessing aren't related to HTTPS. Per My earlier question about self hosting, I'm experimenting with NodeBB. I cannot get the two test instances to federate, which I initially assumed was an issue with HTTPS. That's a question best asked elsewhere, though I thought it relevant to note because it was my initial purpose for setting up HTTPS.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 3 days ago* (last edited 3 days ago)

That's a good call out.

There are a few things I do right now:

  1. All of my public DNS entries for the certs point at cloudflare, not my IP.
  2. My internal Network DNS resolver will resolve those domains to an internal address. I don't rely on nat reflection.
  3. I drop all connections to those domains in cloudflare with rules
  4. In caddy, I drop all connections that come from a non-internal IP range for all internal services. Additionally I drop all connections from subnet that should not be allowed to access those services (network is segmented into VLANs)
  5. I use tailscale to avoid having to have routes from the Internet into my internal services for when I'm not at home.
  6. For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to cloudflare, which has very restrictive rules on allowable connections.

Hopefully this information helps someone else that's also trying to do this.