How do I use HTTPS on a private LAN without self-signed certs?
-
I just:
- Have my router setup with DNS for domains I want to direct locally, and point them to:
- Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API
- Navigation I do within my local network to these domains gives me real certificates.
FYI, all the certs you generate are public record, so it might be a good idea to use a wildcard route in Caddy. That will make it only generates one cert, so no one can find your internal domain names. Especially if your Caddy instance is accessible from the Internet, and you’re expecting external connections not to be able to access domains with only internal DNS records
-
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.
-
I just:
- Have my router setup with DNS for domains I want to direct locally, and point them to:
- Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API
- Navigation I do within my local network to these domains gives me real certificates.
When somebody says they "just" reverse the polarity of the navigational deflector array and channel power directly from the warp core.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
Let's encrypt has a DNS verification option.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
You don't need a public DNS record for https to work. You can just use public external certs as long as it's for a domain you own. You don't need to setup the same domains externally.
If you want certs for a domain you own, then yeah you're looking at self signed.
-
I'll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy
https://github.com/FiloSottile/mkcert
This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.
Running your own CA is essentially still a form of self signed. Though it will work better for some use cases (at the cost of more complexity)
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
-
Running your own CA is essentially still a form of self signed. Though it will work better for some use cases (at the cost of more complexity)
browsers complain less, and some apps (like HomeAssistant Android) only accept that
-
browsers complain less, and some apps (like HomeAssistant Android) only accept that
Trust the self signed cert. Works similarly to trusting a CA.
-
Trust the self signed cert. Works similarly to trusting a CA.
for every single subdomain, on desktop. firefox mobile does not even remember the decision. HA Android straight out refuses it, and thats not a local problem but a relatively known problem in the community
-
for every single subdomain, on desktop. firefox mobile does not even remember the decision. HA Android straight out refuses it, and thats not a local problem but a relatively known problem in the community
Import it into the trust store in the browser/OS. It should be the same operation for a self-signed cert and a CA that isn't subordinate to the standard internet root CAs.
If you can't import your own root CA cert then you're probably screwed on both fronts and are going to have to use a public CA that's subordinate to a commonly trusted root CA.
-
Running your own CA is essentially still a form of self signed. Though it will work better for some use cases (at the cost of more complexity)
I know what you mean but using real self-signed certificates (i.e. no CA at all) with modern browsers causes so many issues I find them unusable.
-
for every single subdomain, on desktop. firefox mobile does not even remember the decision. HA Android straight out refuses it, and thats not a local problem but a relatively known problem in the community
Just create a wildcard domain certificate !
I access all my services in my lan through
https://servicename.home.lab/I just had to add the rootCA certificat (actually the intermediate certificate) into my trust store on every device. That's what they actually do, just in automated way !Never had an issue to access my services with my self-signed certs, neither on Android, iOS, windows, linux ! Everything served from my server via my reverse proxy of choice (Treafik).
However I do remember that there was something of importance to make my Android device accept the certificate (something in certificate itself and the extension).
If you're interested I can send you the snipped of a book to fully host your own CA :). It's a great read and easy to follow !
-
FYI, all the certs you generate are public record, so it might be a good idea to use a wildcard route in Caddy. That will make it only generates one cert, so no one can find your internal domain names. Especially if your Caddy instance is accessible from the Internet, and you’re expecting external connections not to be able to access domains with only internal DNS records
That's a good call out.
There are a few things I do right now:
- All of my public DNS entries for the certs point at cloudflare, not my IP.
- My internal Network DNS resolver will resolve those domains to an internal address
- I drop all connections to those domains in cloudflare with rules
- In caddy, I drop all connections that come from a non-internal IP range for all internal services
- I use tailscale to avoid having to have routes from the Internet into my internal services for when I'm not at home.
- For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to cloudflare, which has very restrictive rules on allowable connections.
-
When somebody says they "just" reverse the polarity of the navigational deflector array and channel power directly from the warp core.
In this case I run pfSense instead of my ISP provided router. This allows me to have my own DNS resolver, which I can then resolve various domains to internal addresses.
All devices on my network point to my router for DNS allowing them to resolve internal addresses from all of these.
-
Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
Not sure if anyone else mentioned this, but you can just redirect traffic on your local LAN with an ad blocker like pihole ( I currently use adguardhome podman instance )
Basically, it rewrites any calls to your outside domain from within your local network, back to your local web server. As long as the site is setup with the certificate there, you’re good.
Then setup a Nina nginx reverse proxy and you’re golden. Regular site outside LAN, internal site inside LAN.
-
In this case I run pfSense instead of my ISP provided router. This allows me to have my own DNS resolver, which I can then resolve various domains to internal addresses.
All devices on my network point to my router for DNS allowing them to resolve internal addresses from all of these.
Thanks, I'll lookup pfSense. But straightforward host mapping has worked for me in the past with this router and others. It worked great on my old Cisco DSL router 25 years ago. So simple and straightforward, it should just freaking work. sigh
-
I use Caddy for this. I'll leave links to the documentation as well as a few examples.
Here's the documentation for wildcard certs.
https://caddyserver.com/docs/automatic-https#wildcard-certificatesHere's how you add DNS providers to Caddy without Docker.
https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148Here's how you do it with Docker.
https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modulesLook for the DNS provider in this repository first.
https://github.com/caddy-dnsHere's documentation about using environment variables.
https://caddyserver.com/docs/caddyfile/concepts#environment-variablesDocker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyCloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyPorkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddyConfigure DNS provider
This is what to add the the Caddyfile, I've used these in the examples that follow this section.
You can look at the repository for the DNS provider to see how to configure it for example.DuckDNS
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }CloudFlare
https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples
Dual-keytls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }PorkBun
https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples
Global{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here's how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }I did basically this w/ Cloudflare, and it worked perfectly. I used to do ACME requests, but this is simpler and doesn't require me to route traffic into my LAN. I now expose a handful of services, but I used to have to expose all services for TLS cert renewal to work.
-
Thanks for being so detailed!
I use caddy for straightforward https, but every time I try to use it for a service that isn't just a reverse_proxy entry, I really struggle to find resources I understand... and most of the time the "solutions" I find are outdated and don't seem to work. The most recent example of this for me would be Baikal.
Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?
Thanks!
Baikal
Ah, PHP, there's your problem.
Honestly, I just proxy to a separate nginx server to handle the PHP bits, it's not worth cluttering up my nice, clean Caddy setup with that nonsense.
-
If you are really looking for hassle-free this is it. LetsEncrypt root certificates are already trusted by most devices so when your friends come over and wanna control the media library or whatever you don’t need to install your locally hosted CA’s self-signed certificates on their phone.
Also certbot and a cron or systemd timer is all you need; people have rolled all these fancy solutions but I say keep it simple.
Adding to this, the eff certbot website has really great noob-friendly instructions which really helped me get set up.
