I love my homelab, and the more I tune things the more satisfaction I have. I tolerated the “Your connection is not private” for my self-signed SSL certs on my services for way too long.
I just setup NGINX Proxy Manager as a LXC on my Proxmox Server and pointed a subdomain I own to the server. Now I have custom domains for each service along with valid SSL Certificates. It’s all local without exposing anything to the outside world. It’s very satisfying. I tried explaining what I was doing to my GF but she could care less ¯\_(ツ)_/¯
Followed this video from Wolfgang’s Channel YouTube (great channel btw), the first minute does a better job explaining the setup. I always thought I would have to setup a local CA which is more work than I was interested in, but this approach was much simpler (and free!).
One day i will take my lazy ass and fix this too. Not today though, but some day!
Totally worth it. Was the same, thought it’s okay but totally changed it for me and not that hard to set up.
Yup, im pretty sure most people feel the same way.
Its been on my to do list for the past few years now
Indeed. Found this video as well recently and have gone as far as to bookmark it to watch later. How long later is TBD
Same here. I just don’t have a value. I disable login for some stuff cause it’s overkill. Nothing is exposed outside.
I took the time months ago to setup a wildcart cert with letsencrypt but they’re only good for like 3 months. The first time it expired I was like meh fuck it lol
I did this too, strange how satisfying seeing those lock symbols and custom domains are! Also use NPM, love the ease of use!
the custom domains are very nice! I use homer as a dashboard so I never really needed to memorize the IPs (though I still do), but now it’s even easier
How can you use NPM to help with this? I’ve only ever used it to install things!
Nginx Proxy Manager, not npm the package registry
Thanks for sharing ive wanted to fix my local certs but the idea if setting up a local CA doesn’t sound fun
Since your GF could care less, then at least they care to a certain degree…
Followed the same video from Wolfgang but I ran into a unique issue with google chrome throwing an error “Deceptive site ahead”. Safari and Edge don’t have any issues and display the site e.g Jellyfin with my custom domain just fine. I thought it could be an out of date chrome but both pc and mobile have the same issue.
Congrats! Good job!
I have had local SSL and in house DNS servers for many years now, and I feel you because my wife couldn’t care less.
She does find it annoying and confusing when we are traveling and the bedroom light doesn’t switch off by itself 🤷 - our home is fully automated as well
Welcome to the TLS family! I personally run my own CA, but the end result is the same. 🙂 Welcome and enjoy! 😛
Hiw can i set this up? Is it hard?
I have this guide bookmarked that I want to try one day: https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/
That’s a good one! 👍 Happy cake day
No, it is not so difficult. But you need a bit of planning.
First of all, you need a way to distribute your ROOT certificate to your clients. That’s more a question of automation.
Second, you need to prepare the topology with certain rules. Things like dedicated certificates for people (identity), services (server certificates for dedicated subdomains), machine clients (for mTLS and zero-trust), infrastructure stuff like BMC/IPMI, UPS, routers…
Basically, the rules are:
- Self signed ROOT certificate
- Intermediate CA (signing certificate)
- (Optional) signing certificate
In case of multiple (dedicated) certificates, you want to make the split at the intermediate/signing level. The chain will help you enforce the rules.
You should decide which algorithm to use (RSA vs. ECC).
Finally, you need a piece of software that will create and sign the certificates for you. This software must authenticate you and check your request if it comforms to the rules above.
I’m using multiple instances of step-ca. Most of the famous certificate management solutions (the service side asking your authority for a certificate, including rekeying/renewal) support it. Which is good. Standard protocols are always better than in-house solutions workarounds.
To start building your CA:
- Learn about PKI (good start is RFC-5280
- Learn OpenSSL, how to deal with
openssl.conf
, sections, ASN.1 - If you need additional information on the certificate, register for your own Private Enterprise Number. Do not abuse existing attributes!
- Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)
- Put your intermediate/signing key/certificate to
step-ca
as a ROOT and you’re good to go.
You can also incorporate HSM if you have one. Just configure its
pkcs11
module in the OpenSSL and in thestep-ca
.As it is quite a complex topic, feel free to drop additional questions. 👍
“not so difficult”
Well thanks, I feel like a complete moron, because that’s a level of complexity way beyond what I could do/manage.
It’s a bunch of terms I don’t know about, but I don’t think it’s very hard after you learn a bit more and understand the reasoning behind the steps.
I’d personally not want to host a personal CA without HA though, so I suppose I’m sticking with EFF for this one
Finally! A
worth opponentfellow who also cares about having proper OIDs and AIA :)Prepare HTTP (plain HTTP, no TLS) server to serve your intermediate/signing certificates (for AIA protocol) and CRL (for validation)
Or create a repository on Github, point
ca.yourdomain.com
to Github Pages and publish there. Doing this solves the PKI chicken-and-egg problem for a homelab and doesn’t tie up any resources to serve them.HTTP! Not HTTPS! No chicken and egg problem here.
Well yes, i understood some of these words.
Thank you, I’m actually currently building my CA. Planning for an offline root. Question, what free or not enterprise prices software options are there? I have entrust at work, looking for something I can use at home.
For my Root I use OpenSSL with the
pkcs11
module to keep the keys on a Yubikey, then I use Step CA as an intermediate/issuing.Ha! You run the same stack as I do. 🙂
I asked EODdoUbleU on the parent comment here, but could you please reply to that question as well?
How are you handling RootCA secrets? Right now, I’m using a (couple) USB drive with a two Luks partitions, one for CA key backup and Yubikey management and PUK keys, then one that only contains the PIN which is fetched by OpenSSL using
-passin file:xxx
.I’ve been a little concerned about being able to properly back all that up, so I was thinking about using KeepassXC and the CLI tool to replace the partitions.
Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?
Also, which Yubikey slot do you use for storing the cert/pkey?
Sometimes my wife will ask me to explain technology things in great detail when she’s having trouble falling asleep.
This is
Adorably patronizing? Lol
Yeah, that’s normal. 🤓😎
Lol. My wife does the sam
Sam sounds like a homewrecker
I hear Jodi is worse.
If anyone wants to explain Nginx, reverse proxies and Cloudflare tunnels I’m here for it.
Think of a reverse proxy as a middle man.
Internet comes in to your internet connection and immediately asks “cool story bro…where do I find XYZ service?”
A reverse proxy works by your modem or router saying “ffs bro I have no idea, all I know is you need to go talk to Apache”
So the internet traffic walks over and says “the modem told me to talk to you about getting to XYZ service?”
Apache goes ahead and responds “dude I got you…that service. It lives over here at 192.168.0.12:1234. In fact let me go get it for you so that you don’t have to go anywhere else. Here’s what you are looking for, you can just go through me and I’ll get you the things you want.”
So the internet traffic continuously goes through Apache, Nginx proxy, traefik etc to get the things it wants and Apache Nginx etc just work as a middle man.
I have a lot of not very good YouTube videos explaining how to reverse proxy from Apache to a bunch of services…unifi proxmox esxi and others. As well as videos explaining how to get star certs setup and things like that.
But in a nutshell. That’s what’s going on.
Thank you for this simple yet effective explanation.
I’m gonna get yelled at but… why? What does this do for the network? Does it make it faster? Safer? Just feels like another thing that could break and then the wife breaks me with “it’s not working.”
Lmfao
My husband is the same way.
Him: what are you doing?
Me: Do you really want me to explain?
Him: yes.
Me: I’m moving data from …
Him: never mind. I don’t care.
I’m at the point of being exasperated whenever she asks, since I know three words into my response she’ll lose focus
Hosting a Plex server is the one thing my lab does that shows value to her, as long as that’s up no complaints
Recently I put nginx in front of all the services in my homelab so I can have subdomains associated with each server but did not bother to setup ssl because it’s all in my local network.
Guess what I’ll be doing this weekend now 😬
I have the same! Really cool :) Only trouble I have is getting clients to connect properly to some of the services through a forwarded port. Think they only use the port for initial connection and then something fails with connection tracking
Make sure you enable websockets, I had to do that for a few services like HomeAssistant. Also some things like Proxmox required custom NGINX config for shell consoles to work
proxy_buffers 8 16k; proxy_buffer_size 32k; # Make sure not to redirect traffic to a port 4443 port_in_redirect off; location / { proxy_pass $forward_scheme://$server:$port; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_http_version 1.1; }
I use HAProxy on pfSense with wildcard LetsEncrypt certs and a firewall rule only to allow connections from the WAN IP Address.
It’s really easy and requires no certificates on the target servers.
My setups are similar. HAProxy as an SSL terminator for all domains. Unencrypted proxy to the services after that. Nginx can use v2 proxy which is nice.
I have a bunch of scripts that collect all the domains and then generate / renew the certs with acme.sh . HAProxy can reload certs with no downtime as well.
Yeah, but you are exposing the full network map to the whole internet
Wolfgang’s channel is indeed a great one! You are doing great, keep it up!
Wolfgang’s Channel is pretty good, i also recommend it.
And congrats OP, i know lots of big enterprises who still use their own vCenters with self signed certs (and other internal apps as well) and it’s a real pain in the ass to type hacks just to bypass HSTS everytime it’s necessary to access them. Talking about billion dollars companies, yeah.
Does this solution suffer from rebinding, burp hmmm taco says halo btw 😁