How do I use HTTPS on a private LAN without self-signed certs?

early_riser@lemmy.radio · 13 days ago

How do I use HTTPS on a private LAN without self-signed certs?

CapitalNumbers@lemm.ee · 5 days ago

why would you realistically need HTTPS on your local network?

early_riser@lemmy.radio · 5 days ago

At the time of the OP I was testing federating two nodeBB instances. ActivityPub requires HTTPS AFAIK.

TedZanzibar@feddit.uk · 13 days ago

If you own a domain, which you do, you can get wildcard certs from Let’s Encrypt using a DNS challenge. Most (all?) popular reverse proxies can do this either natively or via an addon/module, you just need to use a supported DNS provider.

neon_nova@lemmy.dbzer0.com · 13 days ago

I wish you luck on this. I also would like to learn more about this, but it’s not a priority for me. I just got a cheap vps and will use that for testing 😂

brvslvrnst@lemmy.ml · 13 days ago

I have a script to self-sign 10 year certs on internal traffic only, and then added my public cert to devices needing it. I’m going to be really annoyed in a decade, but until then I’m having a ball 🙂

catloaf@lemm.ee · 13 days ago

You don’t need public DNS. You can use whatever domain you want if you use your own DNS server (though you should use one you own, or something under the .internal TLD).

Likewise, you can issue whatever certs you want if you trust the CA.

But LE does support wildcard certs. You can get them with certbot or other tools.

Personally I use traefik, which has LE support built in. It automatically gets an individual cert for each service. If you use caddy, I’m sure it has something similar.

bedlam@lemmy.world · 13 days ago

I’m not sure about wildcard certs but I use this container to dole out letsencrypt certs for web services and it’s fairly straightforward compared to traefik or something: https://github.com/lucaslorentz/caddy-docker-proxy

Caddy docs: https://caddyserver.com/docs/quick-starts/reverse-proxy

Matt The Horwood@lemmy.horwood.cloud · 13 days ago

If you have your own domain and your DNS provider has an API, you can get a certificate for anything in your domain

suicidaleggroll@lemm.ee · 13 days ago

Reverse proxy + DNS-challenge wildcard cert for your domain. The end. Super easy to set up and zero maintenance. Adding a new service is just a couple clicks in your reverse proxy and you’re done.

Admiral Patrick@dubvee.org · edit-2 13 days ago

Is there a way I can get Let’s Encrypt to dole out a wildcard certificate

Yep. Just specify the domains yourdomain.com and *.yourdomain.com in the certbot request. Wildcard domains require the DNS-based challenge, but you’ve said you’re already good there. You don’t technically need the apex domain (yourdomain.com) but I always add it since I do have services running there.

Any subdomains under the wildcard can use internal DNS or internal IPs on the public DNS (I do the former, but the latter works too).

I used to run an internal CA, and it wasn’t too hard to setup a CA and distribute my root cert. Except on mobile devices. On Android it was easy, but there was a persistent warning that my network traffic could be intercepted (which is true when there’s a custom root cert installed), but it since it was my cert, it got annoying seeing that all the time. Not sure if Apple devices can even do that, but regardless, it wasn’t practical for friends who wanted to use my self-hosted services to install a custom cert when they were over.

early_riser@lemmy.radio · 13 days ago

Cool. Follow up question: Do I generate the cert once and distribute the same private key to all the servers I’m running? I’m guessing not, but does that mean I run the certbot command on every server?

A Mouse@midwest.social · edit-2 13 days ago

I use Caddy for this. I’ll leave links to the documentation as well as a few examples.

Here’s the documentation for wildcard certs. https://caddyserver.com/docs/automatic-https#wildcard-certificates

Here’s how you add DNS providers to Caddy without Docker. https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148

Here’s how you do it with Docker. https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modules

Look for the DNS provider in this repository first. https://github.com/caddy-dns

Here’s documentation about using environment variables. https://caddyserver.com/docs/caddyfile/concepts#environment-variables

Docker

A few examples of Dockerfiles. These will build Caddy with DNS support.

DuckDNS

FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/duckdns

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Cloudflare

FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Porkbun

FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/porkbun

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Configure DNS provider

This is what to add the the Caddyfile, I’ve used these in the examples that follow this section. You can look at the repository for the DNS provider to see how to configure it for example.

DuckDNS

https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples

tls {
	dns duckdns {env.DUCKDNS_API_TOKEN}
}

CloudFlare

https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples Dual-key

tls {
	dns cloudflare {
		zone_token {env.CF_ZONE_TOKEN}
		api_token {env.CF_API_TOKEN}
	}
}

Single-key

tls {
	dns cloudflare {env.CF_API_TOKEN}
}

PorkBun

https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples Global

{
        acme_dns porkbun {
                api_key {env.PORKBUN_API_KEY}
                api_secret_key {env.PORKBUN_API_SECRET_KEY}
        }
}

or per site

tls {
	dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	}
}

Caddyfile

And finally the Caddyfile examples.

DuckDNS

Here’s how you do it with DuckDNS.

*.example.org {
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }

        @hass host home-assistant.example.org
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

Also you can use environment variables like this.

*.{$DOMAIN} {
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

CloudFlare

*.{$DOMAIN} {
        tls {
	        dns cloudflare {env.CF_API_TOKEN}
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

Porkbun

*.{$DOMAIN} {
        tls {
	        dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	        }
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

Monument@lemmy.sdf.org · 13 days ago

The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.

eneff@discuss.tchncs.de · 13 days ago

thank you for providing such a thorough reply, good shit

sugar_in_your_tea@sh.itjust.works · 12 days ago

I did basically this w/ Cloudflare, and it worked perfectly. I used to do ACME requests, but this is simpler and doesn’t require me to route traffic into my LAN. I now expose a handful of services, but I used to have to expose all services for TLS cert renewal to work.

conrad82@lemmy.world · 13 days ago

I do the same!

I have a provider that is not supported by caddy, but I can still use it via duckdns delegation!

https://github.com/caddy-dns/duckdns?tab=readme-ov-file#challenge-delegation

Challenge delegation

To obtain a certificate using ACME DNS challenges, you’d use this module as described above. But, if you have a different domain (say, my.example.com) CNAME’d to your Duck DNS domain, you have two options:

Not use this module: Use a module matching the DNS provider for my.example.com.
Delegate the challenge to Duck DNS.

theparadox@lemmy.world · 13 days ago

Thanks for being so detailed!

I use caddy for straightforward https, but every time I try to use it for a service that isn’t just a reverse_proxy entry, I really struggle to find resources I understand… and most of the time the “solutions” I find are outdated and don’t seem to work. The most recent example of this for me would be Baikal.

Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?

Thanks!

sugar_in_your_tea@sh.itjust.works · 12 days ago

Baikal

Ah, PHP, there’s your problem. 😀

Honestly, I just proxy to a separate nginx server to handle the PHP bits, it’s not worth cluttering up my nice, clean Caddy setup with that nonsense.

Lemmchen@feddit.org · 13 days ago

Some form of domain and a DNS server (router or Pi-Hole) in your LAN

towerful@programming.dev · 13 days ago

You need to control a domain, so LE can verify you are the controller of the domain, then LE will issue you a certificate saying you are the controller of the domain.

For a wildcard LE cert, you need to use the DNS challenge method.
Essentially the ACME client (or certbot or whatever) will talk to LE and say “I want a DNS challenge for *.example.com”.
LE will reply “ok, your order number 69, and your challenge code is DEADBEEF”.
ACME then interacts with your public nameserver (or you have to do this manually) and add the challenge code as a txt record _acme-challenge.example.com. (I’ve been caught out by the fact LE uses Google DNS for resolution, and Google will only follow 1 level of NS records from the root authorative nameserver).
All the while, LE is checking for that record. When it finds the record, it mints a wildcard certificate.
ACME then periodically checks in with LE asking for order 69. Once LE has minted the cert, it will return it to acme.
And now you have a wildcard cert.

So, how to use it on a local domain?
Use a split horizon DNS method.
Ensure your DHCP is handing out a local DNS for resolving.
Configure that local DNS to then use 8.8.8.8 or whatever as it’s upstream.
Then load in static/override records to the local DNS.
Pihole can do this. OPNSense/pfSense can do this. Unifi can do some of this.

How does this work?
Any device on your network that wants to know the IP of example.example.com will ask it’s configured DNS - the local DNS that you have configured.
The local DNS will check it’s static assignments and go “yeh, example.example.com is 10.10.3.3”.
If you ask you local DNS for google.com, it won’t have a static assignment for it, so it will ask it’s upstream DNS, and return that result.
And it means you aren’t putting private IP spaces on public NS records.

Then you can load in your wildcard cert to 10.10.3.3, and you will have a trusted HTTPS connection.

Here is a list of LE clients that will automate LE certs.
https://letsencrypt.org/docs/client-options/

Have a read through and pick your desired flavour.
Dig into the docs of that flavour, and start playing around.

If it’s all HTTPS, consider using something like Nginx Proxy Manager (https://nginxproxymanager.com/) as a reverse proxy in front of your services and for managing the LE cert.
It’s super easy to use, has a decent GUI, and then it’s only 1 IP to point all DNS records to.

ZebraGoose@sh.itjust.works · 13 days ago

I did follow this guide from Techno Tim, he uses cloudflare but you can go with Lets encrypt aswell

https://www.youtube.com/watch?v=liV3c9m_OX8

xrun_detected@programming.dev · 13 days ago

+1 for the letsencrypt wildcard with DNS verification, been using this for years. with dehydrated (https://github.com/dehydrated-io/dehydrated) you can automate renewing the certs, pretty convenient.

One thing i didn’t see mentioned yet - you can also easily create a wildcard for a subdomain of your domain, e.g. *.local.example.com. Most DNS providers let you define something like _acme-challenge.local IN TXT ... so you don’t even need to define an extra zone for local.example.com. Probably makes no big difference, but i like it ^^

4am@lemm.ee · 13 days ago

If you are really looking for hassle-free this is it. LetsEncrypt root certificates are already trusted by most devices so when your friends come over and wanna control the media library or whatever you don’t need to install your locally hosted CA’s self-signed certificates on their phone.

Also certbot and a cron or systemd timer is all you need; people have rolled all these fancy solutions but I say keep it simple.

IanTwenty@lemmy.world · 13 days ago

I’ll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy

https://github.com/FiloSottile/mkcert

This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.

False@lemmy.world · 13 days ago

Running your own CA is essentially still a form of self signed. Though it will work better for some use cases (at the cost of more complexity)

WhyJiffie@sh.itjust.works · 13 days ago

browsers complain less, and some apps (like HomeAssistant Android) only accept that

False@lemmy.world · 13 days ago

Trust the self signed cert. Works similarly to trusting a CA.

WhyJiffie@sh.itjust.works · edit-2 13 days ago

for every single subdomain, on desktop. firefox mobile does not even remember the decision. HA Android straight out refuses it, and thats not a local problem but a relatively known one in the community

False@lemmy.world · edit-2 13 days ago

Import it into the trust store in the browser/OS. It should be the same (or very similar) operation for a self-signed cert and a CA that isn’t subordinate to the standard internet root CAs.

If you can’t import your own root CA cert then you’re probably screwed on both fronts and are going to have to use certs issued by a public CA that’s subordinate to a commonly trusted root CA.

My point here is that there’s little distinguishing a self-signed cert and a cert issued by your own private CA for most people that are self-hosting.

N0x0n@lemmy.ml · 12 days ago

Just create a wildcard domain certificate !

I access all my services in my lan through https://servicename.home.lab/ I just had to add the rootCA certificat (actually the intermediate certificate) into my trust store on every device. That’s what they actually do, just in automated way !

Never had an issue to access my services with my self-signed certs, neither on Android, iOS, windows, linux ! Everything served from my server via my reverse proxy of choice (Treafik).

However I do remember that there was something of importance to make my Android device accept the certificate (something in certificate itself and the extension).

If you’re interested I can send you the snipped of a book to fully host your own CA :). It’s a great read and easy to follow !

WhyJiffie@sh.itjust.works · 12 days ago

Just create a wildcard domain certificate !

that’s what I do already, but yeah I haven’t added it to the trust store so far, only on linux for git and curl

If you’re interested I can send you the snipped of a book to fully host your own CA :). It’s a great read and easy to follow !

that would be interesting, thanks for the offer. but according to plan I don’t want to host a full-on CA, just make the CA cert, store them at a restricted place, and build other certs on top of it for use by nginx