this post was submitted on 02 Nov 2023

Homelab

So I'm familiar with certs and domain names etc., and CAs on the internet, but what I want to do is create a cert for all my LAN-based services that have a login page, just to prevent local MITM attacks. Things like

pfSense
Netbox
HomeAssistant
piHole

all these locally accessed web servers. Is it possible to create a cert and install it on the devices I will be accessing them from? Do I need a CA to be running all the time to validate this cert?

I also have a domain name, and was thinking about creating records for each service, such as

pfsense.domain.com, and just adding static DNS entries so these A records are only able to be resolved locally.

Has or does anyone currently do this?

Thanks

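The setup the post asks about, as an added example that is not from the thread: a private CA built with the openssl CLI that signs one certificate per LAN service, plus the check a client device performs. The hostnames (pfsense.domain.com and similar) are placeholders for the poster's own domain, `$WORK` is an assumed scratch directory for the CA material, and openssl 1.1.1 or newer is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): an offline private CA built with the
# openssl CLI, issuing per-service certificates for LAN hosts.
# Assumptions: openssl 1.1.1+ on PATH; hostnames such as pfsense.domain.com
# are placeholders; $WORK is a scratch directory standing in for wherever the
# CA material is kept.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. Create the CA once: a private key and a self-signed certificate whose
#    extensions say "this is a CA" (basicConstraints) and "it may sign certs"
#    (keyUsage). Clients only ever need ca.crt; ca.key stays offline.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/CN=Homelab Private CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Issue a leaf certificate for one service. Browsers match the hostname
#    against subjectAltName, not the CN, so the SAN is the part that matters.
issue_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" >/dev/null 2>&1
}

# 3. Verify a leaf the way a client device does: against the CA certificate
#    alone. No running service takes part, which is why the CA does not need
#    to be "up". The optional second argument lets you try another anchor.
verify_cert() {
  host="$1"
  cafile="${2:-$WORK/ca.crt}"
  openssl verify -CAfile "$cafile" "$WORK/$host.crt" >/dev/null 2>&1
}

# Print the SAN extension of an issued certificate, for inspection.
cert_sans() {
  openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName
}

# Usage (run manually after sourcing this file):
#   make_ca
#   for h in pfsense.domain.com netbox.domain.com; do issue_cert "$h"; done
#   verify_cert pfsense.domain.com && echo trusted
# Then import $WORK/ca.crt into each client's trust store and give each
# service its own $host.key / $host.crt pair.
```

The point of step 3 is the answer to the "does the CA need to be running" question: validation is a signature check against the CA certificate already installed on the client, so the CA key can stay on an offline machine and is only needed again when a certificate is issued or renewed. The same leaf presented against any other trust anchor (the test below tries the leaf itself) fails verification, which is the behaviour that stops a local MITM from substituting its own certificate.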

[–] nolo_me@alien.top 1 points 1 year ago

I don't have a static IP, so I had to do it by a roundabout route. First I set up dynamic DNS at mydomain.duckdns.org and configured pfsense to update it, then I CNAMEd lan.mydomain.com to it. I used the ACME package on pfsense to grab a wildcard cert for *.lan.mydomain.com, set up local DNS records in pfsense's resolver for the various services and proxied them in pfsense's HAProxy package.

[–] stormridersp@alien.top 1 points 1 year ago
[–] ztasifak@alien.top 1 points 1 year ago

Caddy or traefik or swag do this. These act as reverse proxies.

[–] Couch941@alien.top 1 points 1 year ago

https://www.reddit.com/r/homelab/s/CJgidijPD6 Or just caddy and stuff, although it doesn't work for me

[–] jaredearle@alien.top 1 points 1 year ago

Wildcard certificates and HAProxy on pfSense is how I do it.