How are y’all managing internal network certificates?

At any point in time, I have between 2-10 services, often running on a network behind an nginx reverse proxy, with some variation in certificates, none ideal. Here’s what I’ve done in the past:

  • set up a CLI CA using openssl
    • somewhat works, but importing CAs into phones was a hassle.
  • self-sign a single cert per service
    • works, very kludgy, very easy
  • expose the http port only on the lo interface for sensitive services (e.g. pihole admin), ssh local tunnel when needed

I see easy-RSA seems to be more user friendly these days, but haven’t tried it yet.

I’m tempted to try this setup for my local LAN-facing (as opposed to tunnel-only, such as pihole) services:

  • Get letsencrypt cert for single public DNS domain (e.g. lan.mydomain.org)… not sure about wildcard cert.
  • use letsencrypt on nginx reverse proxy, expose various services as suburls (e.g. lan.mydomain.org/nextcloud)

Curious what y’all do and if I’m missing anything basic.

I have no intention of exposing these outside my local network, and prefer as few client-side changes as possible.

  • techguy86@lemmy.world · 2 upvotes · 10 months ago

    I use NPM (Nginx Proxy Manager) to handle all my reverse proxying and SSL certs. Authelia easily ties in to handle my SSO. What a time to be alive!

  • thelastknowngod@lemm.ee · 2 upvotes · 10 months ago

    Certbot in cron if you’re still managing servers.

    I’m using cert-manager in kube.

    I haven’t manually managed a certificate in years… Would never want to do it again either.

  • Decronym@lemmy.decronym.xyz (bot) · 2 upvotes · 10 months ago (edited)

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    DNS             Domain Name Service/System
    HTTP            Hypertext Transfer Protocol, the Web
    IP              Internet Protocol
    SSH             Secure Shell for remote terminal access
    SSL             Secure Sockets Layer, for transparent encryption
    SSO             Single Sign-On
    TLS             Transport Layer Security, supersedes SSL
    VPN             Virtual Private Network
    nginx           Popular HTTP server

    [Thread #155 for this sub, first seen 22nd Sep 2023, 05:05]

  • iodine0320@lemmy.world · 1 upvote · 10 months ago

    If you’re running behind OPNsense/pfSense, I’ve found the easiest solution for internal-only SSL is to use the router to create the certificate chains. Yes, you’ll have to import 1 CA cert on each end-user device, but only the one; then you can crank out internal certs without any https warnings or domain constraints/challenges.
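    The "one CA cert per device, then crank out internal certs" workflow above, and the OP's "set up a CLI CA using openssl" bullet, as an added example that is not code from anyone in this thread. It builds a small internal CA with openssl, issues one leaf certificate per LAN service with the hostname in the SAN (which is what browsers actually match), and runs the same chain-plus-hostname check a client or a verifying reverse proxy performs. Assumptions: openssl 1.1.1 or newer on PATH, a hypothetical working directory CA_DIR (a temp dir by default), and constructed hostnames such as pihole.lan.

```shell
#!/bin/sh
# Added example, not code from the thread: a small internal CA with openssl,
# one leaf certificate per LAN service, and a chain/hostname check.
# Assumes openssl >= 1.1.1 on PATH. CA_DIR is a hypothetical working
# directory; a temp dir is used when it is not set.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Minimal config so the example does not depend on the system openssl.cnf.
write_config() {
  cat > "$CA_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home LAN Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca: private CA key (P-256) and a self-signed root, valid 10 years.
# ca.crt is the single file that gets imported on each client device;
# ca.key never leaves this directory.
make_ca() {
  write_config
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -days 3650 -config "$CA_DIR/ca.cnf" -extensions ca_ext \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
  chmod 600 "$CA_DIR/ca.key"
}

# issue_cert HOST: key + CSR + CA-signed leaf for one service hostname.
# Browsers match the SAN, not the CN, so the SAN must carry the hostname.
issue_cert() {
  host="$1"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -config "$CA_DIR/ca.cnf" -subj "/CN=$host" \
    -keyout "$CA_DIR/$host.key" -out "$CA_DIR/$host.csr" >/dev/null 2>&1
  # Leaf extensions: explicitly not a CA, server auth only, SAN = hostname.
  printf '%s\n' \
    'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$host" > "$CA_DIR/$host.ext"
  openssl x509 -req -in "$CA_DIR/$host.csr" -CA "$CA_DIR/ca.crt" \
    -CAkey "$CA_DIR/ca.key" -CAcreateserial -days 398 -sha256 \
    -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host.crt" >/dev/null 2>&1
}

# verify_cert HOST EXPECTED: chain check against ca.crt plus a hostname
# match against EXPECTED, the two things a browser (or a reverse proxy that
# verifies its upstreams) enforces. Prints "ok" or "fail" and returns 0/1.
verify_cert() {
  host="$1"; expected="$2"
  if openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$expected" \
      "$CA_DIR/$host.crt" >/dev/null 2>&1; then
    echo ok; return 0
  fi
  echo fail; return 1
}

# Usage: make_ca; issue_cert pihole.lan; verify_cert pihole.lan pihole.lan
```

    The leaf lifetime of 398 days mirrors the public-CA limit many clients now apply, so a cert that works in a browser today keeps working after the next client update; the hostname-mismatch case in verify_cert is the failure you see when a service is reached by an IP or alias that is not in its SAN.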

  • motsu@lemmy.world · 1 upvote · 10 months ago

    I run freeipa internally, which handles all internal https certs (as well as nice things like handling non-sudo auth so I can just ssh to machines from an already-authed machine without a PW prompt, and doing ldaps for internal things that support it).

    For external web, I have a single box running nginx as a reverse proxy that’s web-exposed. That nginx box has letsencrypt certs for the public web stuff. The nginx rp has the internal CA on it and will validate the internal https certs (no mullet SSL here!)

    I also do different domains for internal vs external, but that’s not a requirement for a setup like this.