Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
I'm not using a private CA for my internal services, just plain self-signed certs. But if I had to, I would probably go as simple as possible in the first time: generate the CA cert using ansible, use ansible to automate signing of all my certs by the CA cert. The
openssl_*
modules make this easy enough. This is not very different from my current self-signed setup, the benefit is that I'd only have to trust a single CA certificate/bypass a single certificate warning, instead of getting a warning for every single certificate/domain.If I wanted to rotate certificates frequently, I'd look into setting up an ACME server like [1], and point
mod_md
orcertbot
to it, instead of the default letsencrypt endpoint.This still does not solve the problem of how to get your clients to trust your private CA. There are dozens of different mechanisms to get a certificate into the trust store. On Linux machines this is easy enough (add the CA cert to
/usr/local/share/ca-certificates/*.crt
, runupdate-ca-certificates
), but other operating systems use different methods (ever tried adding a custom CA cert on Android? it's painful. Do other OS even allow it?). Then some apps (Web browsers for example) use their own CA cert store, which is different from the OS... What about clients you don't have admin access to? etc.So for simplicity's sake, if I really wanted valid certs for my internal services, I'd use subdomains of an actual, purchased (more like renting...) domain name (e.g.
service-name.internal.example.org
), and get the certs from Let's Encrypt (using DNS challenge, or HTTP challenge on a public-facing server and sync the certificates to the actual servers that needs them). It's not ideal, but still better than the certificate racket system we had before Let's Encrypt.Finally got around to replying to the comments I got haha!
Thanks for the explanation. I'm curious why you're not running your own CA since that seems to be a more seamless process than having to deal with ugly SSL errors for every website, every time you rotate the certificate.
I'm wondering about different the process is between running an ACME server and another daemon/process like
certbot
to pull certificates from it, vs writing an ansible playbook/simple shell script to automate the rotation of server certificates.About my clients: I am likely never going to purchase Apple products since I recognise how much they lock down their device. Unfortunately, there are not that many android devices in the US with custom ROM support. With that said, I do plan to root all of my Android devices when KernelSU matures (in about a year, I think) - I'm currently reading up on how to insert a root and client certificate into Android's certificate store, but I think it's definitely possible. Other than that, I might have a throwaway Windows VM sometimes, which is doable, alongside a Void linux box with a Debian chroot. All in all, fairly doable, just a bit of work to automate.
Thanks!
It's not, it's another service to deploy, maintain, monitor, backup and troubleshoot. The ugly SSL warning only appears once, I check the certificate fingerprint and bypass the warning, from there it's smooth sailing. The certificate is pinned, so if it ever changes I would get a new warning and would know something shady is going on.
I don't really rotate these certs, they have a validity of several years.
mod_md
and the HTTP-01 challenge. But it requires a domain name in the public DNS, and port forwarding.hear hear
I bought a cheap refurbished Samsung, installed LineageOS on it (Europe, but I don't see why it wouldn't work in the US?), without root - I don't really need root, it's a security liability, and I think the last time I tried Magisk it didn't work. The only downside is that I have to manually tap
Update
for F-Droid updates to run (fully unattended requires root).I did it on that LineageOS phone, using
adb push
, can't remember how exactly (did it require root? I don't know). It works but you get a permanent warning in your notifications telling you that The network might be monitored or something. But some apps would still ignore it.Samsung devices in the US have their bootloaders locked, regardless of whether you bought it from a carrier or not. I'll be looking at other devices, and even then, custom ROM support has all but stopped for everything but the pixel. Living in Europe is great for this, for you have the FP5 available.
Apps with their own certificate store like Firefox? Yeah, I'm thinking about how I can deal with that. Is there a FOSS Android MDM solution that I can use?