this post was submitted on 14 Sep 2024
IMO it's easiest to just use a real domain for your local network. For example, I use subdomains of int.example.com, where example.com is my blog.
Then, you can get Let's Encrypt or ZeroSSL certificates for all the hosts. Systems do not need to be accessible over the internet - you can use an ACME DNS challenge instead of an HTTP one. Use something like certbot or acme.sh and renewals will be automated.
The only cost is for one domain, and some TLDs are less than $5/year. Check tld-list.com and sort by renewal price, not registration price (as some are only cheap for the first year).
So you get a wildcard cert for the public domain, and only go one level deep on your LAN, reusing the wildcard cert? That's a pretty cool trick.
I use a wildcard cert in some places, but most of them are individual certs. You can have multiple ACME DNS challenges on a single domain, for example _acme-challenge.first.int.example.com and _acme-challenge.second.int.example.com for first.int.example.com and second.int.example.com respectively.
The DNS challenge just makes you create a TXT record at that _acme-challenge subdomain. Let's Encrypt follows CNAMEs and supports IPv6-only DNS servers, so I'm using some software called "acme-dns" to run a DNS server specifically for ACME DNS challenges. It's just listening on an IPv6 address in one of my VPS /64 IPv6 ranges.
This is the way to do it - actual valid certs, with actual working TLS.
OP's issue is they don't understand how SSL works and are fighting Firefox, which is actually trying to protect them and steer them in the right direction.
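The DNS challenge records discussed in this thread, as an added example that is not part of any comment: it derives the _acme-challenge name and TXT value defined in RFC 8555 section 8.4 and shows which records exist with and without a CNAME to a dedicated challenge server. The tokens, account thumbprint and delegation target are constructed placeholders, and plan_records is a hypothetical helper, not part of certbot, acme.sh or acme-dns.

```python
import base64
import hashlib

# Constructed sample values; a real ACME client receives the token from the CA
# and derives the thumbprint from its own account key (RFC 7638).
THUMBPRINT = "Zm9vYmFyLWNvbnN0cnVjdGVkLXRodW1icHJpbnQtMDAwMQ"
ORDERS = {
    "first.int.example.com": "constructed-token-aaaa",
    "second.int.example.com": "constructed-token-bbbb",
    "*.int.example.com": "constructed-token-cccc",
}
# Hypothetical delegation: only this challenge name is CNAMEd to a separate server.
DELEGATIONS = {
    "_acme-challenge.first.int.example.com":
        "00000000-0000-4000-8000-000000000001.acme-dns.example.net",
}

def challenge_name(identifier: str) -> str:
    """Validation name for DNS-01. The wildcard label is dropped, so
    *.int.example.com is validated at _acme-challenge.int.example.com."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name

def txt_value(token: str, thumbprint: str) -> str:
    """base64url(SHA-256(token || '.' || thumbprint)) with padding removed."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def plan_records(orders, thumbprint, delegations=None):
    """Return (name, type, value) tuples for every record the challenge needs."""
    delegations = delegations or {}
    records = []
    for identifier, token in orders.items():
        name = challenge_name(identifier)
        value = txt_value(token, thumbprint)
        target = delegations.get(name)
        if target:
            # Static CNAME in the main zone; the changing TXT lives at the target.
            records.append((name, "CNAME", target))
            records.append((target, "TXT", value))
        else:
            records.append((name, "TXT", value))
    return records

if __name__ == "__main__":
    for name, rtype, value in plan_records(ORDERS, THUMBPRINT, DELEGATIONS):
        print(f"{name:<62} {rtype:<5} {value}")
```

With the CNAME in place, the credentials that renew the certificate only need to update TXT records on the challenge server, not the main zone.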