this post was submitted on 14 Sep 2024
50 points (91.7% liked)

Firefox

17849 readers
73 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
[email protected]
50
On .LAN domains, how to stop firefox switching to https (when it's not available) and stop complaining about self-signed certificates when it is available ? (lemmy.ml)
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
25 comments fedilink hide all child comments
 

I'm just so annoyed of fighting this all the time.

If I can't figure this out I'm going to disable all https redirecting and all certificate errors off so I can have some peace

EDIT: I do not wish to manage certificates I do not want to setup private key infrastructure I don't want to use real internet domain names I don't want to manually install certificates into browsers after fishing them out of my ephemeral virtual machines

I just want to, add exception for *.lan for https auto redirect and auto-accept self-signed certificates as valid. This is not much to ask.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 17 points 1 month ago* (last edited 1 month ago) (3 children)

IMO it's easiest to just use a real domain for your local network. For example, I use subdomains of int.example.com, where example.com is my blog.

Then, you can get Let's Encrypt or ZeroSSL certificates for all the hosts. Systems do not need to be accessible over the internet - you can use an ACME DNS challenge instead of a HTTP one. Use something like certbot or acme.sh and renewals will be automated.

The only cost is for one domain, and some TLDs are less than $5/year. Check tld-list.com and sort by renewal price, not registration price (as some are only cheap for the first year).

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago) (1 children)

So you get a wildcard cert for the public domain, and only go one level deep on your LAN, reusing the wildcard cert? That's a pretty cool trick.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago)

I use a wildcard cert in some places, but most of them are individual certs. You can have multiple ACME DNS challenges on a single domain, for example _acme-challenge.first.int.example.com and _acme-challenge.second.int.example.com for first.int.example.com and second.int.example.com respectively.

The DNS challenge just makes you create a TXT record at that _acme-challenge subdomain. Let's Encrypt follows CNAMES and supports IPv6-only DNS servers, so I'm using some software called "acme-dns" to run a DNS server specifically for ACME DNS challenges. It's just listening on a IPv6 in one of my VPS /64 IPv6 range.

load more comments (1 replies)