Been a while since I blogged, so it's time for the latest installment in "Edd massively over-complicates things with SSH certificates". This time, a post about how I got rid of the need to create a new sub-account on my #Hetzner Storage Box every time I wanted to create a new VM and back it up with #Borg. There are definitely easier ways to have achieved it, but it shows off the versatility of SSH certificates, and #StepCA that's powering them in my home lab.

https://i.am.eddmil.es/posts/sshcertsborg/

#Borgmatic #Homelab #ssh

Adapting Step CA's SSH user certificates to safely automate provisioning Borg backups on Hetzner Storage Boxes

Intro

Over the Christmas break, I suffered a complete NAS failure, and thanks to QNAP’s custom extensions to the standard Linux software RAID, I wasn’t able to recover any data off it. Now, of course, I had backups; and everything I had backed up (except for my Bluesky PDS, which I barely use) restored absolutely fine. However, I was not backing everything up. This was because my backup setup for a new server in my home lab was largely a manual process, and there were a number of services I decided weren’t worth the effort. Having now had to spend the time rebuilding them all, I regret that decision, and so I wanted to fix the issue so that backups were automatically set up whenever I deployed a host. This post will explain how I achieved that using SSH certificates, because I am an unapologetic SSH certificate fanboy.

I Am Edd Miles

What can I say ...
Another 2 days of my life wasted and not a step forward. #StepCA does appear to be running correctly in the LXC (created via #CommunityScript), but I can't get an #SSL certificate out of it, neither manually nor via an #ACME request.

The annoying thing is that more and more (local) tools simply won't/can't work properly without SSL.
If this keeps up I'll have to give up #selfhosting again, because at some point I need something that actually works ...

I think I need the combined knowledge of the #Homelab nerds ... 😉

I've already got quite a few servers, tools and the like running here at home. Sometimes for testing, and often in production use.

But for months, and by now easily 5-10 attempts, I simply cannot manage to get my local #SSL certificates working with #StepCA.
I run from one error into the next - despite the PVE CommunityScripts ...

How was it for you? Did it work well? Where were the sticking points?

#Heimnetz #PVE

@owen I don’t find it that bad with #stepca. It’s not exactly trivial, but it’s possible. If more things I run — or want to run — had a “step” client or #acme (and not just support for #LetsEncrypt), it would be much easier.

My homelab is now using NRPE with TLS thanks to the private PKI I deployed this week-end.

#homelab #selfhosting #tls #ssl #stepca

My ACME certificates generated by step-ca don't have a "subject" but they have SANs. Unfortunately, OpenVPN seems to require a subject to work.

#openvpn #stepca #tls #acme

Achievement unlocked 🔓

My homelab now has valid internal TLS certificates, automatically renewed by certbot from a step-ca server.

#homelab #selfhosting #stepca #tls #certbot

Step CA configured with PostgreSQL backend and the ACME provider in my homelab. Clients trust the CA. Next steps: configure certbot and add monitoring to check certificates expiration.

#homelab #selfhosting #postgresql #certbot #tls #stepca
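The expiry monitoring this post plans as its next step, as an added example that is not the poster's own code: it takes the certificate dictionary Python's ssl module returns for a verified TLS peer, reports remaining lifetime in hours (step-ca issues 24-hour leaf certificates by default, so a day-granularity check is too coarse), and verifies the hostname appears in the SANs rather than relying on the subject, which an ACME-issued step-ca certificate may leave empty. The sample certificate dictionary, hostnames and the `cafile` path are constructed for illustration; `fetch_peer_cert` is the only part that touches the network and expects the step-ca root in `cafile`.

```python
"""Expiry and SAN check for TLS endpoints backed by a private CA such as step-ca."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape SSLSocket.getpeercert() returns after successful
# verification. Note the empty subject: ACME-issued step-ca certs can look like this.
SAMPLE_CERT = {
    "subject": (),
    "subjectAltName": (("DNS", "grafana.lab.example"), ("DNS", "*.apps.lab.example")),
    "notBefore": "Jan  1 00:00:00 2031 GMT",
    "notAfter": "Jan  2 00:00:00 2031 GMT",  # 24h lifetime, step-ca's default
}


def hours_until_expiry(cert, now=None):
    """Hours from `now` (aware datetime, default: current UTC) to the cert's notAfter."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (not_after - now_ts) / 3600


def dns_names(cert):
    """DNS entries of the subjectAltName extension, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(pattern, hostname):
    """Exact match, or a leftmost-label wildcard covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def assess(cert, hostname, warn_hours=8.0, now=None):
    """Return {'hours': float, 'problems': [str], 'ok': bool} for one certificate."""
    hours = hours_until_expiry(cert, now)
    problems = []
    if hours < 0:
        problems.append("expired")
    elif hours < warn_hours:
        problems.append(f"expires in {hours:.1f} hours")
    if not any(san_matches(san, hostname) for san in dns_names(cert)):
        problems.append(f"{hostname} not covered by SANs {dns_names(cert)}")
    return {"hours": hours, "problems": problems, "ok": not problems}


def fetch_peer_cert(host, port=443, cafile=None, timeout=5.0):
    """Fetch the verified peer certificate; `cafile` is the private CA root (assumption:
    the step-ca root_ca.crt has been exported to that path). Raises on verification failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_endpoint(host, port=443, cafile="/etc/ssl/certs/step-root_ca.crt", warn_hours=8.0):
    """Network variant of assess() for a live endpoint."""
    return assess(fetch_peer_cert(host, port, cafile), host, warn_hours)


if __name__ == "__main__":
    fixed_now = datetime(2031, 1, 1, 12, 0, tzinfo=timezone.utc)
    for name in ("grafana.lab.example", "api.apps.lab.example", "deep.api.apps.lab.example"):
        print(name, assess(SAMPLE_CERT, name, now=fixed_now))
```

Run it against real hosts from cron and page on any result whose `ok` is false; with 24-hour certificates a `warn_hours` of roughly a third of the lifetime catches a stalled certbot renewal before clients start failing.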

I have been managing my own CA for NRPE and OpenVPN by hand but I always forget how to (re)generate the certificates. I'll give step-ca a try this weekend and follow the @jwildeboer blog post https://jan.wildeboer.net/2025/07/letsencrypt-homelab-stepca/
#homelab #selfhosting #stepca
Be the LetsEncrypt in your homelab with step-ca

So you have a Cute Homelab and you want to use it to secure your services and containers with x509 certificates? But your homelab isn’t on the internet, so you can’t simply use LetsEncrypt? Well. You can become your own LetsEncrypt and hand out certificates with certbot. You “just” need to run your own CA (Certificate Authority). Sounds frightening and complicated? It kinda is, but not really when you use step-ca, an open source solution that you can run in a container.

Jan Wildeboer's Blog

My new homelab has progressed. I now have SmallStep CA running, with ACME enabled, and InfluxDB 3 with Grafana.

It's not much, but it is a start.

#homelab #stepca #grafana