Maybe this is more of a home lab question, but I’m utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I’ve tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.

Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let’s Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don’t have to fiddle with every machine that uses every service I’m hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.

UPDATE:

Here’s what I ended up doing:

  1. set up cloudflare as the DNS provider for my domain
  2. use certbot plus the cloudflare DNS plugin to create a wildcard cert. Because I want to use wildcard certs and because the web servers are on a NATed private LAN, HTTP-01 challenge cannot be used. Wildcard certs use a DNS challenge. From what I understand of the certbot docs, the HTTP challenge makes a certain HTTP resource available on the web server, then requests that resource, presumably via an external client, to verify that you own the domain. the DNS challenge works by temporarily placing a TXT record in your DNS server. This method requires your DNS provider to have an accessible API that allows the modification of resource records.
  3. Once the cert and key are generated, I place them on the servers I want to to make use of them and set up the web server accordingly.
  4. Visit the websites and confirm that HTTPS works.

There are some other hiccups that I’m guessing aren’t related to HTTPS. Per My earlier question about self hosting, I’m experimenting with NodeBB. I cannot get the two test instances to federate, which I initially assumed was an issue with HTTPS. That’s a question best asked elsewhere, though I thought it relevant to note because it was my initial purpose for setting up HTTPS.

  • A Mouse@midwest.socialEnglish
    981·
    2 days ago

    I use Caddy for this. I’ll leave links to the documentation as well as a few examples.

    Here’s the documentation for wildcard certs. https://caddyserver.com/docs/automatic-https#wildcard-certificates

    Here’s how you add DNS providers to Caddy without Docker. https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148

    Here’s how you do it with Docker. https://github.com/docker-library/docs/tree/master/caddy#adding-custom-caddy-modules

    Look for the DNS provider in this repository first. https://github.com/caddy-dns

    Here’s documentation about using environment variables. https://caddyserver.com/docs/caddyfile/concepts#environment-variables

    Docker

    A few examples of Dockerfiles. These will build Caddy with DNS support.

    DuckDNS

    FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/duckdns

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

    Cloudflare

    FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

    Porkbun

    FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/porkbun

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

    Configure DNS provider

    This is what to add the the Caddyfile, I’ve used these in the examples that follow this section. You can look at the repository for the DNS provider to see how to configure it for example.

    DuckDNS

    https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples

    tls {
	dns duckdns {env.DUCKDNS_API_TOKEN}
}

    CloudFlare

    https://github.com/caddy-dns/cloudflare?tab=readme-ov-file#caddyfile-examples Dual-key

    tls {
	dns cloudflare {
		zone_token {env.CF_ZONE_TOKEN}
		api_token {env.CF_API_TOKEN}
	}
}

    Single-key

    tls {
	dns cloudflare {env.CF_API_TOKEN}
}

    PorkBun

    https://github.com/caddy-dns/porkbun?tab=readme-ov-file#config-examples Global

    {
        acme_dns porkbun {
                api_key {env.PORKBUN_API_KEY}
                api_secret_key {env.PORKBUN_API_SECRET_KEY}
        }
}

    or per site

    tls {
	dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	}
}

    Caddyfile

    And finally the Caddyfile examples.

    DuckDNS

    Here’s how you do it with DuckDNS.

    *.example.org {
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }

        @hass host home-assistant.example.org
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

    Also you can use environment variables like this.

    *.{$DOMAIN} {
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

    CloudFlare

    *.{$DOMAIN} {
        tls {
	        dns cloudflare {env.CF_API_TOKEN}
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

    Porkbun

    *.{$DOMAIN} {
        tls {
	        dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	        }
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}
    • sugar_in_your_tea@sh.itjust.worksEnglish
      2·
      13 hours ago

      I did basically this w/ Cloudflare, and it worked perfectly. I used to do ACME requests, but this is simpler and doesn’t require me to route traffic into my LAN. I now expose a handful of services, but I used to have to expose all services for TLS cert renewal to work.

    • theparadox@lemmy.worldEnglish
      12·
      2 days ago

      Thanks for being so detailed!

      I use caddy for straightforward https, but every time I try to use it for a service that isn’t just a reverse_proxy entry, I really struggle to find resources I understand… and most of the time the “solutions” I find are outdated and don’t seem to work. The most recent example of this for me would be Baikal.

      Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?

      Thanks!

    • conrad82@lemmy.worldEnglish
      5·
      2 days ago

      I do the same!

      I have a provider that is not supported by caddy, but I can still use it via duckdns delegation!

      https://github.com/caddy-dns/duckdns?tab=readme-ov-file#challenge-delegation

      Challenge delegation

      To obtain a certificate using ACME DNS challenges, you’d use this module as described above. But, if you have a different domain (say, my.example.com) CNAME’d to your Duck DNS domain, you have two options:

      1. Not use this module: Use a module matching the DNS provider for my.example.com.
      2. Delegate the challenge to Duck DNS.
    • Monument@lemmy.sdf.orgEnglish
      2·
      2 days ago

      The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.