I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.
I don’t care about necessarily doing this the “right” way, as I won’t be making Jellyfin or any other service public, and will only be using it on my local network.
What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.
Thanks!
The easiest way to do it is to do it the right way with LetsEncrypt. The hardest way to do it is the wrong way, where you create your own CA, import it as a root CA into all of the machines you’ll be accessing your servers from, then create and sign your own certs using your CA to use in your servers.
This, letsencrypt with dns challenge, https://desec.io/ to manage the dns records https://github.com/go-acme/lego or traefik to manage the certificates and do the dns challenges for you.
Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.
Running a CA is cool however, just be aware of the risks involved with running your own CA.
You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.
Running a CA is cool however, just be aware of the risks involved with running your own CA.
All they say that if the private key is stolen then you’re screwed. Think about it, if an attacker can:
- Get into your network.
- Presumably bypass key-based ssh/container runtime protections
- Access pod/VM which is running the CA
- Bypass default MAC settings (Apparmor on debian, SELinux on RHEL)
- Steal private key without you knowing from your logs
You have a much bigger problem my friend
While I agree with you, an attacker may not need to go to such lengths in order to get the PK. The admin might misplace it or have a backup somewhere in plain text. People aren’t also prone to look to logs and it might be too late when they actually noticed that the CA was compromised.
Managing an entire CA safely and deploying certificates > complex; Getting let’s encrypt certificates using DNS challenges > easy;
why is creating one’s own CA the wrong way? I don’t want to have to pay cloudflare or porkbun to run HTTPS at home
Because you have to manage it on your server and all your own machines, and it doesn’t provide any value if your server is hacked. It actually makes you less safe if your server is hacked, because then you can consider every machine that has that CA as compromised. There’s no reason to use HTTPS if you’re running your own CA. If you don’t trust your router, you shouldn’t trust anything you do on your network. Just use HTTP or use a port forward to localhost through ssh if you don’t trust your own network.
You don’t have to pay anyone to use HTTPS at home. Just use a free subdomain and HTTP validation for certbot.
I agree that it’s the wrong way, but not because of any of this other than the first half of the first sentence.
It’s the hard/wrong way because it means you are having to be responsible for securing the root cert private keys and because most people will do it wrong and set up a root cert with the ability to sign not just tls certs, and that’s where the problems can occur if the keys are compromised and you’ve set up all of your machines to trust it.
But it’s also not true that you shouldn’t use HTTPS or that you should trust your own network, not because of the router, but because of the devices. People don’t control their devices anymore. Many home automation devices, nanny cams, security devices, water leak detectors, etc., contain firmware that is poorly configured and can easily expose your network traffic if it’s not encrypted. Not to mention a lot of apps these days on smartphones are Trojans for spyware, Temu, WeChat, etc.
And as for cost, you can get a domain name for a few dollars per year or as mentioned, a subdomain from something like a DDNS service, so it definitely can be totally free to do it the right way.
Reverse proxy and letsencrypt. Doing custom certificates is more difficult and you would need to install and trust the certificate on all devices.
This assumes ownership of a domain if I’m not mistaken.
Otherwise, yes this is the easiest way.
There are dyndns providers that support the DNS challenge that have free tiers. Those are sufficient, and you can even get wildcard certs for your subdomain that way. Perfectly sufficient for a homelab.
I agree. Get a domain name, point it to the internal address of your NGINX Proxy manager (or other reverse proxy that manages certificates that you are used to). A bit of work initially, then trivial to add services afterwards.
I didn’t really need encryption for my internal services (although I guess that’s good), but I kept getting papercuts with browser warnings, not being able to save passwords, and some services (eg container repository on Forgejo) just flat out refusing to trust a http connection.
Yeah I guess installing a root CA cert (or an Intermediate, depending on how complex your setup is) and automatically rotating certs upon expiry isn’t the most trivial thing. With that said, dekstop linux/windows isn’t a problem. You could theoretically do it on iOS too. Android recently has completely broken this method, however, and there’s a fair few hoops one must jump over to insert a root CA into the Android trust store on Android 13 and later. I’d like find a way to do it just for browsers on Android using adb if possible
I usw nginxproymanager for that. It has an integrated function to create and update letsencrypt certificates. Creating a New host takes like 1 minute.
Nginx Proxy Manager is awesome for managing certificates. I have all of my services running behind it.
I do this too, have acls setup for my main LAN ips and all my internal hosts setup in opnsense in hosts override so they get redirected to NPM. Not sure if this is the correct way but it gives me all valid certificates. You could also do domain override and redirect just that domain to your NPM.
With caddy you can easily set up a local issued certificate for https. It would shine a nice warming on your browser unless you install the CA certificate on the computer you use to visit the site though.
https://caddyserver.com/docs/automatic-https#local-https
This is the easiest way I know how to do it. Caddy takes almost no configuration to get working.
