Maybe this is more of a home lab question, but I’m utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I’ve tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let’s Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don’t have to fiddle with every machine that uses every service I’m hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
I’ll mention this as no one has yet but you can be your own CA. Tools like mkcert make it easy
https://github.com/FiloSottile/mkcert
This is potentially more hassle (than using public DNS) as you have to get your CA certs onto every device. However it may be suitable depending on the situation.
Running your own CA is essentially still a form of self signed. Though it will work better for some use cases (at the cost of more complexity)
browsers complain less, and some apps (like HomeAssistant Android) only accept that
Trust the self signed cert. Works similarly to trusting a CA.
for every single subdomain, on desktop. firefox mobile does not even remember the decision. HA Android straight out refuses it, and thats not a local problem but a relatively known one in the community
Import it into the trust store in the browser/OS. It should be the same (or very similar) operation for a self-signed cert and a CA that isn’t subordinate to the standard internet root CAs.
If you can’t import your own root CA cert then you’re probably screwed on both fronts and are going to have to use certs issued by a public CA that’s subordinate to a commonly trusted root CA.
My point here is that there’s little distinguishing a self-signed cert and a cert issued by your own private CA for most people that are self-hosting.
Just create a wildcard domain certificate !
I access all my services in my lan through
https://servicename.home.lab/I just had to add the rootCA certificat (actually the intermediate certificate) into my trust store on every device. That’s what they actually do, just in automated way !Never had an issue to access my services with my self-signed certs, neither on Android, iOS, windows, linux ! Everything served from my server via my reverse proxy of choice (Treafik).
However I do remember that there was something of importance to make my Android device accept the certificate (something in certificate itself and the extension).
If you’re interested I can send you the snipped of a book to fully host your own CA :). It’s a great read and easy to follow !
that’s what I do already, but yeah I haven’t added it to the trust store so far, only on linux for git and curl
that would be interesting, thanks for the offer. but according to plan I don’t want to host a full-on CA, just make the CA cert, store them at a restricted place, and build other certs on top of it for use by nginx