this post was submitted on 29 Dec 2023
91 points (93.3% liked)

Selfhosted

40173 readers
651 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 10 months ago (2 children)

How do you get certs for internal applications?

I use caddy and it does everything for me, but my limited understanding is that the dns entry for which the certs are requested must point to the ip address at which caddy is listening. So if I have a DNS entry like internal.domain.com which resolves to 10.0.0.123 and caddy is listening on that address I can get a http connection, but not an https connection, because letsencrypt can't verify that 10.0.0.123 is actually under my control.

[–] [email protected] 1 points 10 months ago (1 children)

There is an alternate verification method using an API key to your DNS provider, if it's a supported one. That method doesn't need any IP to be assigned (doesn't care if there are A/AAAA records or where they point because it can verify the domain directly).

deSEC.io is a good example of a good, reputable and free DNS provider that additionally allows you to manage API keys. The catch is that they require you to enable DNSSEC (their mission is similar to Let's Encrypt, but for DNS).

[–] [email protected] 1 points 10 months ago (1 children)

Thanks, good to know. I'll see if can set that up.

[–] [email protected] 3 points 10 months ago

I see that you want to use the cert for intranet apps btw.

What I did was get two LE wildcard certs, one for *.my.dom and one for *.local.my.dom. Both of them can be obtained and renewed with the API approach without any further care to what they actually point at.

Also, by using wildcards, you don't give away any of your subdomains. LE requests are public so if you get a cert for a specific subdomain everybody will know about it. local.my.dom will be known but since that's only used on my LAN it doesn't matter.

Then what I do for externally exposed apps is to point my.dom to an IP (A record) and either make a wildcard CNAME for everything *.my.dom to my.dom, or explicit subdomain CNAME's as needed, also to my.dom.

This way you only have one record to update for the IP and everything else will pick it up. I prefer the second approach and I use a cryptic subdomain name (ie. don't use jellyfin.my.dom) so I cut down on brute force guessing.

The IP points at my router, which forwards 443 (or a different port of you prefer) to a reverse proxy that uses the *.my.dom LE cert. If whatever tries to access the port doesn't provide the correct full domain name they get an error from the proxy.

For the internal stuff I use dnsmasq which has a feature that will override all DNS resolves for anything ending with .local.my.dom to the LAN IP of the reverse proxy. Which uses the *.local.my.dom LE cert for these ones but otherwise works the same.

[–] [email protected] 0 points 10 months ago* (last edited 10 months ago)

You are completely correct...for normal certs. Internal domains require a wild card cert with DNS challenge.

This video explains how to set it up with traefik

https://youtu.be/liV3c9m_OX8

I'd bet caddy can do something similar.

Basically you have:

  1. Seafile.domain.com -> has it's own cert
  2. *.local.domain.com -> has its own cert but the * can be anything and the same cert can be used for anything in place of the star as many times as you want and therefore doesn't need to be internet accessible to verify. That way vaultwarden.local.domain.com remains local only.