How do I use HTTPS on a private LAN without self-signed certs?
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
You need to control a domain, so LE can verify you are the controller of the domain, then LE will issue you a certificate saying you are the controller of the domain.
For a wildcard LE cert, you need to use the DNS challenge method.
Essentially the ACME client (or certbot or whatever) will talk to LE and say "I want a DNS challenge for *.example.com".
LE will reply "ok, your order number 69, and your challenge code is DEADBEEF".
ACME then interacts with your public nameserver (or you have to do this manually) and add the challenge code as a txt record_acme-challenge.example.com. (I've been caught out by the fact LE uses Google DNS for resolution, and Google will only follow 1 level of NS records from the root authorative nameserver).
All the while, LE is checking for that record. When it finds the record, it mints a wildcard certificate.
ACME then periodically checks in with LE asking for order 69. Once LE has minted the cert, it will return it to acme.
And now you have a wildcard cert.So, how to use it on a local domain?
Use a split horizon DNS method.
Ensure your DHCP is handing out a local DNS for resolving.
Configure that local DNS to then use 8.8.8.8 or whatever as it's upstream.
Then load in static/override records to the local DNS.
Pihole can do this. OPNSense/pfSense can do this. Unifi can do some of this.How does this work?
Any device on your network that wants to know the IP of example.example.com will ask it's configured DNS - the local DNS that you have configured.
The local DNS will check it's static assignments and go "yeh, example.example.com is 10.10.3.3".
If you ask you local DNS for google.com, it won't have a static assignment for it, so it will ask it's upstream DNS, and return that result.
And it means you aren't putting private IP spaces on public NS records.Then you can load in your wildcard cert to 10.10.3.3, and you will have a trusted HTTPS connection.
Here is a list of LE clients that will automate LE certs.
https://letsencrypt.org/docs/client-options/Have a read through and pick your desired flavour.
Dig into the docs of that flavour, and start playing around.If it's all HTTPS, consider using something like Nginx Proxy Manager (https://nginxproxymanager.com/) as a reverse proxy in front of your services and for managing the LE cert.
It's super easy to use, has a decent GUI, and then it's only 1 IP to point all DNS records to. -
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
If you own a domain, which you do, you can get wildcard certs from Let's Encrypt using a DNS challenge. Most (all?) popular reverse proxies can do this either natively or via an addon/module, you just need to use a supported DNS provider.
-
Cool. Follow up question: Do I generate the cert once and distribute the same private key to all the servers I'm running? I'm guessing not, but does that mean I run the certbot command on every server?
I have a single Nginx setup which is the frontend for all my web services. So I only need to deploy it there (and to its HA partner). My renewal script just
scp's it to the secondary and does annginx -s reloadon both.I do generate separate certs/keys for my non-web servers, but there's only two of those.
You could also, if you wanted, just generate one cert and distribute it and its key to everything with a script or other automation tool (Ansible is what I used to use).
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } } -
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
Some form of domain and a DNS server (router or Pi-Hole) in your LAN
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
Reverse proxy + DNS-challenge wildcard cert for your domain. The end. Super easy to set up and zero maintenance. Adding a new service is just a couple clicks in your reverse proxy and you’re done.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
I did follow this guide from Techno Tim, he uses cloudflare but you can go with Lets encrypt aswell
-
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }thank you for providing such a thorough reply, good shit
-
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Thanks for being so detailed!
I use caddy for straightforward https, but every time I try to use it for a service that isn't just a reverse_proxy entry, I really struggle to find resources I understand... and most of the time the "solutions" I find are outdated and don't seem to work. The most recent example of this for me would be Baikal.
Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?
Thanks!
-
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }I do the same!
I have a provider that is not supported by caddy, but I can still use it via duckdns delegation!
https://github.com/caddy-dns/duckdns?tab=readme-ov-file#challenge-delegation
Challenge delegation
To obtain a certificate using ACME DNS challenges, you'd use this module as described above. But, if you have a different domain (say,
my.example.com) CNAME'd to your Duck DNS domain, you have two options:- Not use this module: Use a module matching the DNS provider for
my.example.com. - Delegate the challenge to Duck DNS.
- Not use this module: Use a module matching the DNS provider for
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
+1 for the letsencrypt wildcard with DNS verification, been using this for years. with dehydrated (https://github.com/dehydrated-io/dehydrated) you can automate renewing the certs, pretty convenient.
One thing i didn't see mentioned yet - you can also easily create a wildcard for a subdomain of your domain, e.g.
*.local.example.com.
Most DNS providers let you define something like_acme-challenge.local IN TXT ...so you don't even need to define an extra zone forlocal.example.com.
Probably makes no big difference, but i like it ^^ -
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
I'll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy
https://github.com/FiloSottile/mkcert
This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.
-
+1 for the letsencrypt wildcard with DNS verification, been using this for years. with dehydrated (https://github.com/dehydrated-io/dehydrated) you can automate renewing the certs, pretty convenient.
One thing i didn't see mentioned yet - you can also easily create a wildcard for a subdomain of your domain, e.g.
*.local.example.com.
Most DNS providers let you define something like_acme-challenge.local IN TXT ...so you don't even need to define an extra zone forlocal.example.com.
Probably makes no big difference, but i like it ^^If you are really looking for hassle-free this is it. LetsEncrypt root certificates are already trusted by most devices so when your friends come over and wanna control the media library or whatever you don’t need to install your locally hosted CA’s self-signed certificates on their phone.
Also certbot and a cron or systemd timer is all you need; people have rolled all these fancy solutions but I say keep it simple.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
The most straightforward thing to do, on a private LAN, is to make all your own certs, from a custom root cert, and then manually install that cert as "trusted" on each machine. If none of the machines on this network need to accessed from outside the LAN, then you're golden.
-
Thanks for being so detailed!
I use caddy for straightforward https, but every time I try to use it for a service that isn't just a reverse_proxy entry, I really struggle to find resources I understand... and most of the time the "solutions" I find are outdated and don't seem to work. The most recent example of this for me would be Baikal.
Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?
Thanks!
Unfortunately that's one area I am bad with, I tend to use reverse_proxy for most such as Baikal running with the ckulka/baikal Docker image (which runs Nginx or Apache), otherwise I only static sites.
I'd start by looking at Baikal's config for Apache and Nginx, https://sabre.io/baikal/install/ and comparing to the directives for Caddy, https://caddyserver.com/docs/caddyfile/directives and
Since it uses PHP, it will need that, https://caddyserver.com/docs/caddyfile/patterns#php
Upon my searches I came across this, it talks about running Baikal with Caddy specifically. https://github.com/caddyserver/caddy/issues/497
I hope that this provided some helpful directions.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
LetsEncrypt.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
With certbot there's probably a plugin to do it automatically, but if you just want to get something working right now you can run the following to manually run a dns challenge against your chosen domain names and get a cert for any specified. This will expire in ~3 months and you'll need to do it again, so I'd recommend throwing it in a cron job and finding the applicable
certbot-dns-dnsproviderplugin that will make it run without your input. Once you have it working you can extract the certs from/etc/letsencrypt/liveon most systems. Just be aware that the files there are going to be symlinks so you'll want to copy them before tarballing them to move other machines.certbot --preferred-challenges dns --manual certonly -d *.mydomain.tld -d mydomain.tld -d *.local.mydomain.tld -
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
I just:
- Have my router setup with DNS for domains I want to direct locally, and point them to:
- Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API
- Navigation I do within my local network to these domains gives me real certificates.
-
I just:
- Have my router setup with DNS for domains I want to direct locally, and point them to:
- Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API
- Navigation I do within my local network to these domains gives me real certificates.
FYI, all the certs you generate are public record, so it might be a good idea to use a wildcard route in Caddy. That will make it only generates one cert, so no one can find your internal domain names. Especially if your Caddy instance is accessible from the Internet, and you’re expecting external connections not to be able to access domains with only internal DNS records
-
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.
