Maybe this is more of a home lab question, but I’m utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I’ve tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.

Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let’s Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don’t have to fiddle with every machine that uses every service I’m hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.

UPDATE:

Here’s what I ended up doing:

  1. set up cloudflare as the DNS provider for my domain
  2. use certbot plus the cloudflare DNS plugin to create a wildcard cert. Because I want to use wildcard certs and because the web servers are on a NATed private LAN, HTTP-01 challenge cannot be used. Wildcard certs use a DNS challenge. From what I understand of the certbot docs, the HTTP challenge makes a certain HTTP resource available on the web server, then requests that resource, presumably via an external client, to verify that you own the domain. the DNS challenge works by temporarily placing a TXT record in your DNS server. This method requires your DNS provider to have an accessible API that allows the modification of resource records.
  3. Once the cert and key are generated, I place them on the servers I want to to make use of them and set up the web server accordingly.
  4. Visit the websites and confirm that HTTPS works.

There are some other hiccups that I’m guessing aren’t related to HTTPS. Per My earlier question about self hosting, I’m experimenting with NodeBB. I cannot get the two test instances to federate, which I initially assumed was an issue with HTTPS. That’s a question best asked elsewhere, though I thought it relevant to note because it was my initial purpose for setting up HTTPS.

  • towerful@programming.devEnglish
    31·
    2 days ago

    You need to control a domain, so LE can verify you are the controller of the domain, then LE will issue you a certificate saying you are the controller of the domain.

    For a wildcard LE cert, you need to use the DNS challenge method.
    Essentially the ACME client (or certbot or whatever) will talk to LE and say “I want a DNS challenge for *.example.com”.
    LE will reply “ok, your order number 69, and your challenge code is DEADBEEF”.
    ACME then interacts with your public nameserver (or you have to do this manually) and add the challenge code as a txt record _acme-challenge.example.com. (I’ve been caught out by the fact LE uses Google DNS for resolution, and Google will only follow 1 level of NS records from the root authorative nameserver).
    All the while, LE is checking for that record. When it finds the record, it mints a wildcard certificate.
    ACME then periodically checks in with LE asking for order 69. Once LE has minted the cert, it will return it to acme.
    And now you have a wildcard cert.

    So, how to use it on a local domain?
    Use a split horizon DNS method.
    Ensure your DHCP is handing out a local DNS for resolving.
    Configure that local DNS to then use 8.8.8.8 or whatever as it’s upstream.
    Then load in static/override records to the local DNS.
    Pihole can do this. OPNSense/pfSense can do this. Unifi can do some of this.

    How does this work?
    Any device on your network that wants to know the IP of example.example.com will ask it’s configured DNS - the local DNS that you have configured.
    The local DNS will check it’s static assignments and go “yeh, example.example.com is 10.10.3.3”.
    If you ask you local DNS for google.com, it won’t have a static assignment for it, so it will ask it’s upstream DNS, and return that result.
    And it means you aren’t putting private IP spaces on public NS records.

    Then you can load in your wildcard cert to 10.10.3.3, and you will have a trusted HTTPS connection.

    Here is a list of LE clients that will automate LE certs.
    https://letsencrypt.org/docs/client-options/

    Have a read through and pick your desired flavour.
    Dig into the docs of that flavour, and start playing around.

    If it’s all HTTPS, consider using something like Nginx Proxy Manager (https://nginxproxymanager.com/) as a reverse proxy in front of your services and for managing the LE cert.
    It’s super easy to use, has a decent GUI, and then it’s only 1 IP to point all DNS records to.