Selfhosted

57595 readers

1946 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

ruud@lemmy.world

Loki@lemmy.world

CannaVet@lemmy.world

HybridSarcasm@lemmy.world

devve@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

SSL certificates for things inside the lab (lemmy.zip)

submitted 18 hours ago by gblues@lemmy.zip to c/selfhosted@lemmy.world

25 comments fedilink hide all child comments

Hello everyone. Need some opinions here. Does it worth all the trouble to make things like jellyfin and immich run with HTTPS for services that are only accesible in the LAN? I ask it 'cause, as far as I know, there is no way to put a valid certificate like let's encrypt for a service that is not accessible from the net and I don't plan to buy a certificate for myself. But I have some trouble with the rest of my family having issue with their browsers complaining about the lack of https every time a browser is updated. So, what would be the best solution?

you are viewing a single comment's thread
view the rest of the comments

[–] 4am@lemmy.zip 5 points 14 hours ago* (last edited 14 hours ago) (1 children)

Wildcard is actually good these days because you don’t have to set up DNS entries for your hostnames.

It’s not security, just obscurity - but in the age of crawlers, it’s helpful.

Also, you can use it internally for services on LAN and because LetsEncrypt is a CA everyone trusts, you don’t need to register a local CA (like a FreeIPA instance) with all your devices- which sometimes isn’t possible.

EDIT: you can also use DNS01 challenges and instead of proving yourself by serving up a challenge response from a server, you prove ownership by adding a DNS TXT entry with the response. It is safer, from a security perspective, to use one cert per service.

[–] plateee@piefed.social 1 points 14 hours ago

it's not security, just obscurity

IIRC for my setup it's a bit of both. My DNS API key is scoped to only handle the specific subdomain updates instead of my entire DNS account.

I still use a wildcard for that subdomain for non-kubernetes systems, but the cert plugins for kubes is excellent at handling a LE cert per lan fqdn.

You don't need to register a local CA

This was my biggest reason to move to Let's Encrypt. I have a Hashicorp Vault instance in my homelab for secrets and I tried using it for an internal CA (like how the lab at work is set up), but trying to get on every device and add the full Vault chain to each individual system's trust store was massive pain in the ass.