Maybe this is more of a home lab question, but I’m utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I’ve tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.

Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let’s Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don’t have to fiddle with every machine that uses every service I’m hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.

  • douglasg14b@lemmy.worldEnglish
    0·
    3 days ago

    I just:

    1. Have my router setup with DNS for domains I want to direct locally, and point them to:
    2. Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API. Anytime I add a new domain or subdomain for reverse proxine to a particular device on my network a valid certificate is automatically generated for me. They are also automatically renewed
    3. Navigation I do within my local network to these domains gives me real certificates.
    • LovableSidekick@lemmy.worldEnglish
      0·
      2 days ago

      When somebody says they “just” reverse the polarity of the navigational deflector array and channel power directly from the warp core.

      I can’t even get host mapping to work on my Centurylink router - the name is defined for the IP address but nothing else on my network can browse to it by name, only by IP. - software dev who has never understood networking.

      • douglasg14b@lemmy.worldEnglish
        0·
        2 days ago

        In this case I run pfSense instead of my ISP provided router. This allows me to have my own DNS resolver, which I can then resolve various domains to internal addresses.

        All devices on my network point to my router for DNS allowing them to resolve internal addresses from all of these.

    • Celestus@lemm.eeEnglish
      0·
      3 days ago

      FYI, all the certs you generate are public record, so it might be a good idea to use a wildcard route in Caddy. That will make it only generates one cert, so no one can find your internal domain names. Especially if your Caddy instance is accessible from the Internet, and you’re expecting external connections not to be able to access domains with only internal DNS records

      • douglasg14b@lemmy.worldEnglish
        0·
        2 days ago

        That’s a good call out.

        There are a few things I do right now:

        1. All of my public DNS entries for the certs point at cloudflare, not my IP.
        2. My internal Network DNS resolver will resolve those domains to an internal address. I don’t rely on nat reflection.
        3. I drop all connections to those domains in cloudflare with rules
        4. In caddy, I drop all connections that come from a non-internal IP range for all internal services. Additionally I drop all connections from subnet that should not be allowed to access those services (network is segmented into VLANs)
        5. I use tailscale to avoid having to have routes from the Internet into my internal services for when I’m not at home.
        6. For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to cloudflare, which has very restrictive rules on allowable connections.

        Hopefully this information helps someone else that’s also trying to do this.