this post was submitted on 01 Dec 2023
62 points (100.0% liked)

Selfhosted

40041 readers
697 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
62
Do you run a private CA? Could you tell me about your certificate setup if you do? (lemmy.world)
submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/[email protected]
61 comments fedilink hide all child comments
 

Hi, I was looking at private CAs since I don't want to pay for a domain to use in my homelab.

What is everyone using for their private CA? I've been looking at plain OpenSSL with some automation scripts but would like more ideas. Also, if you have multiple reverse-proxy instances, how do you distribute domain-specific signed certificates to them? I'm not planning to use a wildcard, and would like to rotate certificates often.

Thanks!

Edit: thank you for everyone who commented! I would like to say that I recognise the technical difficulty in getting such a setup working compared to a simple certbot setup to Let's Encrypt, but it's a personal choice that I have made.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

I’m curious why you’re not running your own CA since that seems to be a more seamless process than having to deal with ugly SSL errors for every website

It's not, it's another service to deploy, maintain, monitor, backup and troubleshoot. The ugly SSL warning only appears once, I check the certificate fingerprint and bypass the warning, from there it's smooth sailing. The certificate is pinned, so if it ever changes I would get a new warning and would know something shady is going on.

every time you rotate the certificate.

I don't really rotate these certs, they have a validity of several years.

I’m wondering about different the process is between running an ACME server and another daemon/process like certbot to pull certificates from it, vs writing an ansible playbook/simple shell script to automate the rotation of server certificates.

  • Generating self-signed certs is ~40 lines of clean ansible [1], 2 lines of apache config, and one click to get through the self-signed cert warning, once.
  • Obtaining Let's Encrypt certs is 2 lines of apache config with mod_md and the HTTP-01 challenge. But it requires a domain name in the public DNS, and port forwarding.
  • Obtaining certs from a custom ACME CA is 3 lines of apache config (the extra line is to change the ACME endpoint) and a 100k LOC ACME server daemon running somewhere with its own bugs, documentation, deployment and upgrade management tooling, config quirks... and you still have to manage certs for this service. It may be worth it if you have a lot of clients who don't want to see the self-signed cert warning and/or worry about their private keys being compromised and thus needing to rotate the certs frequently (you still need to protect the CA key...)

likely never going to purchase Apple products since I recognise how much they lock down their device

hear hear

there are not that many android devices in the US with custom ROM support. With that said, I do plan to root all of my Android devices when KernelSU mature

I bought a cheap refurbished Samsung, installed LineageOS on it (Europe, but I don't see why it wouldn't work in the US?), without root - I don't really need root, it's a security liability, and I think the last time I tried Magisk it didn't work. The only downside is that I have to manually tap Update for F-Droid updates to run (fully unattended requires root).

I’m currently reading up on how to insert a root and client certificate into Android’s certificate store, but I think it’s definitely possible.

I did it on that LineageOS phone, using adb push, can't remember how exactly (did it require root? I don't know). It works but you get a permanent warning in your notifications telling you that The network might be monitored or something. But some apps would still ignore it.

[–] [email protected] 2 points 11 months ago

Europe

Samsung devices in the US have their bootloaders locked, regardless of whether you bought it from a carrier or not. I'll be looking at other devices, and even then, custom ROM support has all but stopped for everything but the pixel. Living in Europe is great for this, for you have the FP5 available.

But some apps would still ignore it.

Apps with their own certificate store like Firefox? Yeah, I'm thinking about how I can deal with that. Is there a FOSS Android MDM solution that I can use?