The Immich app for Android has been updated and the connection to my instance broke. You don’t like self-signed certificates, I get that. But I don’t like opening my homelab up to "the Internet". I’ve had to open the ports on my router, generate the certificate with Let’s Encrypt, close the ports, and add a local DNS record in the Pi-hole. It’s a hassle for my use case. Does anyone have a better idea? #immich #ssl #letsencrypt
@allibragi I'm using the DNS challenge, instead of HTTP. That way, I don't need to expose anything publicly. Basically my public DNS (subdomain with wildcard) points to the local IP of my reverse proxy for the homelab and via the proxy, I use these subdomains.
@allibragi using Immich on plain HTTP but behind a VPN (built-in WireGuard on the FritzBox router at home). Works like a charm.

@allibragi I've set up an internal reverse proxy (caddy) that gets a Let's Encrypt certificate for all my internal services. (Without opening any ports on the router.) To do this, I used these instructions from Vaultwarden:

https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let%27s-Encrypt-certs

It seems like a bit of a hassle at first, but once the domain and Caddy are set up, you can get a valid certificate for your service(s) in seconds.

@allibragi you could connect into your home network via a WireGuard tunnel, so you're not exposing the Immich instance.
@allibragi If you use a VPN, your phone is always in your home network.

@allibragi

I think two things are getting mixed here: not wanting to open ports, and not wanting to expose your #homelab to the internet. Your current approach (open ports → get cert → close ports) doesn’t really solve either cleanly.

If you only need internal access, you can just use a reverse proxy (e.g. #Caddy) with a DNS challenge (like #Cloudflare API). That way Let’s Encrypt works without opening any ports at all. Combined with #Tailscale, everything stays private, but you still get a proper trusted HTTPS cert and the app works fine.

If you do want external access but still don’t want to open ports, then Cloudflare #Tunnel or Tailscale #Funnel are options. Just be aware of trade-offs: Cloudflare has upload limits (which can matter for Immich), and Funnel is still not perfect for every use case.

In short: DNS challenge solves certs without port forwarding, Tailscale keeps it private, and tunnels are only needed if you want public access without opening ports.
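As an added illustration of the setup the replies above describe (an internal Caddy reverse proxy obtaining a Let's Encrypt certificate through the DNS challenge, with no ports opened on the router), here is an example Caddyfile. It is not config posted by anyone in this thread. It assumes Caddy was built with the Cloudflare DNS module (github.com/caddy-dns/cloudflare), that `home.example.com` is a zone managed at Cloudflare, that a scoped API token is supplied in the `CLOUDFLARE_API_TOKEN` environment variable, and that Immich listens on the LAN at 192.168.1.20:2283; all of these names and addresses are placeholders for your own.

```caddyfile
# Internal-only reverse proxy with a Let's Encrypt wildcard certificate.
# The DNS challenge proves control of the zone by writing a TXT record
# via the Cloudflare API, so TCP/80 and TCP/443 never need to be
# reachable from the Internet. Only the local Pi-hole needs an A record
# pointing immich.home.example.com at this proxy's LAN address.
*.home.example.com {
	tls {
		# Requires a Caddy build that includes github.com/caddy-dns/cloudflare.
		# The token should be scoped to Zone:DNS:Edit for this zone only.
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Route one hostname on the wildcard to the Immich server (LAN address).
	@immich host immich.home.example.com
	handle @immich {
		reverse_proxy 192.168.1.20:2283
	}

	# Any other name under the wildcard gets no response at all, so a
	# mistyped or unexpected hostname does not land on a backend.
	handle {
		abort
	}
}
```

Because the certificate is a single wildcard, adding another internal service later is just another `@name host ...` matcher plus a `handle` block, and no new DNS-challenge round trip is needed until renewal. The Immich app then sees a certificate chained to a public CA and needs no self-signed trust store changes.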