this post was submitted on 14 Jun 2023
20 points (100.0% liked)

Selfhosted

39976 readers
375 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

So, I have a few services (Jellyfin, Home Assistant, etc) that I am running, and have been acessing via their IP's and port numbers.

Recently, I started using NGINX so that I could setup entries in my Pi Hole, and access my services via some made up hostname (jellyfin.home, homeassistant.home, etc).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on and it seems straight forward.

My questions:

  • Will there be any issues running SSL certs if all of my internal service are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

you are viewing a single comment's thread
view the rest of the comments
[–] phi 14 points 1 year ago (2 children)

i have a similar setup at home. the way i did it was using certbot and dns verification. i pointed my domain's NSs to digitalocean's NS and then i downloaded the certbot-digitalocean-dns plugin, created an API key for DO and stored it somewhere and then certbot took care of everything else. nothing is exposed to the internet

[–] pacocascadero 8 points 1 year ago

This is the way for services not exposed to the internet. Thera are multiple DNS providers supported (I use Cloudflare personally). At the other hand if the service is published to the internet HTTP validation is very simple to configure as well. I have stopped using Nginx as a reverse proxy and use Traefik for conteinerised services or Caddy for the rest. Both proxies support ACME protocol out of the box.

[–] root 2 points 1 year ago (2 children)

Very nice! And you don't have to worry about adding the cert to each device that wants to use the service, right? Since this isn't a self hosted CA.

[–] phi 4 points 1 year ago

exactly. that was the main thing i wanted to avoid. i also have nginx-proxy-manager in front of all my apps which also automates some things (like requesting new certs or renewing them when the time comes)

[–] [email protected] 1 points 1 year ago (1 children)

Here’s a script to do it with several different DNS providers: https://github.com/acmesh-official/acme.sh I personally set the renew as a weekly cronjob and never have to think about it.

[–] root 1 points 1 year ago (1 children)

Ooo, very nice! If I use that script, can I generate certificates for a made up domain within my network (eg *.homelab), or do I need to use a domain I actually own?

[–] [email protected] 2 points 1 year ago (1 children)

It would have to be a domain you actually own

[–] root 1 points 1 year ago

Got it, thank you!