How are y’all managing internal network certificates?

At any point in time, I have between 2-10 services, often running on a network behind an nginx reverse proxy, with some variation in certificates, none ideal. Here’s what I’ve done in the past:

  • set up a CLI CA using openssl
    • somewhat works, but importing CAs into phones was a hassle.
  • self-sign a single cert per service
    • works, very kludgy, very easy
  • expose http port only on lo interface for sensitive services (e.g. pihole admin), ssh local tunnel when needed

I see Easy-RSA seems to be more user-friendly these days, but I haven’t tried it yet.

I’m tempted to try this setup for my LAN-facing services (as opposed to tunnel-only ones, such as pihole):

  • Get a letsencrypt cert for a single public DNS domain (e.g. lan.mydomain.org)… not sure about a wildcard cert.
  • use letsencrypt on the nginx reverse proxy, expose the various services as sub-URLs (e.g. lan.mydomain.org/nextcloud)

Curious what y’all do and if I’m missing anything basic.

I have no intention of exposing these outside my local network, and prefer as few client-side changes as possible.
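For the first option in the list (a CLI CA with openssl), here is an added example that is not from the original post: a minimal private CA that issues a server cert with a proper subjectAltName, then checks it the way a browser would (chain to the root and hostname match). The hostnames and addresses (pihole.lan, 192.168.1.2) are made up for illustration, and the working directory is a temp dir unless CA_WORK is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a tiny private CA with the
# openssl CLI and issues one leaf cert with SAN entries. Names/IPs are invented.
set -eu

WORK="${CA_WORK:-$(mktemp -d)}"

# Private openssl config so the system-wide openssl.cnf cannot inject extensions.
cat >"$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home LAN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA: self-signed, marked CA:TRUE, 10 years. This single file is the only
# thing that has to be imported into phones and laptops; leaf certs are not.
make_ca() {
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a server cert for DNS name $1 and optional IP $2. Browsers match on the
# SAN, not the CN, so the SAN must carry every name the service is reached by.
# 825 days is the longest lifetime Apple clients accept for a server cert.
issue_leaf() {
    name="$1"; ip="${2:-}"
    san="DNS:$name"
    [ -n "$ip" ] && san="$san,IP:$ip"
    cat >"$WORK/$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" -sha256 -days 825 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Verify leaf $1 as a client would: must chain to our root AND match hostname $2.
# Returns 0 when both hold, 1 otherwise.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_leaf pihole.lan 192.168.1.2
verify_leaf pihole.lan pihole.lan && echo "pihole.lan: chain and hostname OK"
verify_leaf pihole.lan nextcloud.lan || echo "nextcloud.lan: rejected, name not in SAN (as intended)"
echo "CA and certs in $WORK"
```

The hostname check matters because that is where hand-rolled certs usually fail: a cert with only a CN and no SAN is rejected by current browsers regardless of who signed it. Importing ca.crt is still per-device work, and on Android apps other than browsers ignore user-installed CAs unless the app opts in, so this approach is only low-friction for browser-only services.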

    • cwagner@lemmy.cwagner.me · 10 upvotes · 1 year ago

      Yeah, that’s what I do. I use Caddy as a reverse proxy and have it configured for a DNS challenge. My domains for local services point to my internal caddy server IP, e.g. paperless.cwagner.me resolves to 192.168.1.132. Effortless and normal certificates.

      • Manmoth@lemmy.ml · 3 upvotes · edited · 1 year ago

        Fellow Caddy user here. I’d love to set that up. Can you share your Caddyfile or at least the important snippets?

        • cwagner@lemmy.cwagner.me · 5 upvotes · 1 year ago

          That’s pretty simple ;) If I had only paperless running, this would be the whole Caddyfile:

          {
                  acme_dns gandi api-key-here
                  email letsencryptemail@example.org
          }
          paperless.cwagner.me {
                  reverse_proxy 192.168.1.232:8000
          }
          

          I use Gandi for my domain, so I need the Gandi DNS module, which is not there by default, so you need to use one of the ways on that page to get it in.

        • TechAdmin@lemmy.world · 2 upvotes · 1 year ago

          I have a public wildcard DNS entry (*.REMOVEDDOMAIN.com) on Cloudflare on my primary domain that resolves to 192.168.10.120 (my Caddy host).

          Caddyfile:

          {
            email EMAILREMOVED@gmail.com
            acme_dns cloudflare TOKENGOESHERE
          }
          
          portal.REMOVEDDOMAIN.com {
            reverse_proxy 127.0.0.1:8081
          }
          
          speedtest.REMOVEDDOMAIN.com {
            reverse_proxy 192.168.10.125:8181
          }
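Both Caddyfiles above request one certificate per hostname. As an added example that is not from either poster, here is the same DNS-challenge setup collapsed onto a single wildcard certificate, which also answers the wildcard question in the opening post. It assumes Cloudflare DNS (as in the second config), an API token scoped to DNS edits on that one zone and passed in through the CF_API_TOKEN environment variable, and made-up hostnames and addresses under lan.example.org.

```caddyfile
{
	email admin@example.org
	# DNS-01 is the only ACME challenge that can validate a wildcard name, and it
	# needs no inbound port 80/443 from the internet. The token stays out of the
	# file: Caddy reads it from the environment at startup.
	acme_dns cloudflare {env.CF_API_TOKEN}
}

# One cert for *.lan.example.org. Only the parent name appears in public CT logs;
# per-host certs would publish every internal hostname there.
*.lan.example.org {
	@paperless host paperless.lan.example.org
	handle @paperless {
		reverse_proxy 192.168.1.232:8000
	}

	@pihole host pihole.lan.example.org
	handle @pihole {
		# Pi-hole's admin UI stays plain HTTP on its own host; only Caddy reaches it.
		reverse_proxy 192.168.1.2:80
	}

	# Any other name under the wildcard: drop the connection instead of proxying.
	handle {
		abort
	}
}
```

Two caveats worth checking before relying on this. The wildcard does not cover the bare lan.example.org, so the path-based layout from the opening post (lan.example.org/nextcloud) would need that name added as a second site address. And since the public DNS records answer with RFC 1918 addresses, a resolver or router with DNS-rebinding protection (dnsmasq's stop-dns-rebind, for example) will silently discard those answers; either disable it for your own zone or serve the records from the LAN resolver instead.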