Self hosted services with SSL cert
https://lemmy.world/post/128929
Self hosted services with SSL cert - Lemmy.world
So, I have a few services (Jellyfin, Home Assistant, etc.) that I am running, and
have been accessing via their IPs and port numbers. Recently, I started using
NGINX so that I could set up entries in my Pi-hole, and access my services via
some made-up hostname (jellyfin.home, homeassistant.home, etc.). This is working
great, but I also own a few domains, and thought of adding an SSL cert to them
as well, which I have seen several tutorials on and it seems straightforward.
My questions:
- Will there be any issues running SSL certs if all of my internal services are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.
- Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.
I have a similar setup at home. The way I did it was using certbot and DNS verification. I pointed my domain's NSs to DigitalOcean's NS and then I downloaded the certbot-digitalocean-dns plugin, created an API key for DO and stored it somewhere, and then certbot took care of everything else. Nothing is exposed to the internet.
Very nice! And you don't have to worry about adding the cert to each device that wants to use the service, right? Since this isn't a self hosted CA.
Here’s a script to do it with several different DNS providers:
https://github.com/acmesh-official/acme.sh I personally set the renew as a weekly cron job and never have to think about it.
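The two replies above both rely on ACME "DNS verification" (the dns-01 challenge) to get a publicly trusted certificate without exposing anything to the internet. The following is an added example, not code from either commenter, from certbot, or from acme.sh: it works out what the DNS plugin actually publishes for a challenge, using only the Python standard library. The account key is the public RSA JWK from RFC 7638 section 3.1 (so the thumbprint can be checked against the RFC); the challenge token and the hostnames are constructed for this example, and real tokens come from the CA's challenge object.

```python
"""dns-01 challenge response computation (RFC 8555 section 8.4, RFC 7638).

Added example; not the code of certbot, acme.sh, or anyone in the thread.
An ACME client proves control of a name by publishing a TXT record under
_acme-challenge.<name> whose value is derived from the CA's challenge token
and the account key's JWK thumbprint. Nothing in this exchange requires an
inbound connection to the home network: the CA only does a DNS lookup.
"""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* JWK members only,
    serialized with members in lexicographic order and no whitespace.
    Optional members such as "kid" or "alg" are deliberately dropped;
    including them would change the hash and break validation."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    kty = jwk.get("kty")
    if kty not in required:
        raise ValueError(f"unsupported key type: {kty!r}")
    canonical = {k: jwk[k] for k in required[kty]}
    # sort_keys plus tight separators yields the exact byte string RFC 7638 hashes
    serialized = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(serialized.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || '.' || thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record value: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Owner name of the TXT record. A wildcard (*.example.com) is validated
    at _acme-challenge.example.com, the same label as the bare name."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """(record name, TXT value) the DNS provider plugin publishes, then removes
    once the CA has validated the challenge."""
    return dns01_record_name(domain), dns01_txt_value(token, jwk)


# Sample account key: public RSA JWK from RFC 7638 section 3.1.
# Expected thumbprint per the RFC: NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",   # optional member: must not affect the thumbprint
    "kid": "2011-04-29",
}

if __name__ == "__main__":
    # Constructed token and hostname for illustration only.
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    name, value = dns01_record("*.home.example.com", token, RFC7638_JWK)
    print(f'{name}. 60 IN TXT "{value}"')
```

This is also why the last answer in the thread is correct: the CA resolves `_acme-challenge.<name>` through public DNS, so the zone has to be one you control at a registrar or DNS provider; a made-up suffix like `*.homelab` that exists only in Pi-hole is invisible to the CA. With certbot the plugin package is `certbot-dns-digitalocean` and the API token lives in a credentials file that should be mode 600, since whoever reads it can edit your zone; with acme.sh the equivalent is `--dns dns_dgon` with `DO_API_KEY` in the environment.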
Ooo, very nice! If I use that script, can I generate certificates for a made-up domain within my network (e.g. *.homelab), or do I need to use a domain I actually own?
It would have to be a domain you actually own