Maybe this is more of a home lab question, but I'm utterly clueless regarding PKI and HTTPS certs, despite taking more than one class that goes into some detail about how the system works. I've tried finding guides on how to set up your own CA, but my eyes glaze over after the third or fourth certificate you have to generate.
Anyway, I know you need a public DNS record for HTTPS to work, and it struck me recently that I do in fact own a domain name that I currently use as my DNS suffix on my LAN. Is there a way I can get Let's Encrypt to dole out a wildcard certificate I can use on the hosts in my LAN so I don't have to fiddle with every machine that uses every service I'm hosting? If so, is there a guide for the brain dead one could point me to? Maybe doing this will help me grock the whole PKI thing.
UPDATE:
Here's what I ended up doing:
- set up cloudflare as the DNS provider for my domain
- use certbot plus the cloudflare DNS plugin to create a wildcard cert. Because I want to use wildcard certs and because the web servers are on a NATed private LAN, HTTP-01 challenge cannot be used. Wildcard certs use a DNS challenge. From what I understand of the certbot docs, the HTTP challenge makes a certain HTTP resource available on the web server, then requests that resource, presumably via an external client, to verify that you own the domain. the DNS challenge works by temporarily placing a TXT record in your DNS server. This method requires your DNS provider to have an accessible API that allows the modification of resource records.
- Once the cert and key are generated, I place them on the servers I want to to make use of them and set up the web server accordingly.
- Visit the websites and confirm that HTTPS works.
There are some other hiccups that I'm guessing aren't related to HTTPS. Per My earlier question about self hosting, I'm experimenting with NodeBB. I cannot get the two test instances to federate, which I initially assumed was an issue with HTTPS. That's a question best asked elsewhere, though I thought it relevant to note because it was my initial purpose for setting up HTTPS.
Yep. Just specify the domains
yourdomain.comand*.yourdomain.comin the certbot request. Wildcard domains require the DNS-based challenge, but you've said you're already good there. You don't technically need the apex domain (yourdomain.com) but I always add it since I do have services running there.Any subdomains under the wildcard can use internal DNS or internal IPs on the public DNS (I do the former, but the latter works too).
I used to run an internal CA, and it wasn't too hard to setup a CA and distribute my root cert. Except on mobile devices. On Android it was easy, but there was a persistent warning that my network traffic could be intercepted (which is true when there's a custom root cert installed), but it since it was my cert, it got annoying seeing that all the time. Not sure if Apple devices can even do that, but regardless, it wasn't practical for friends who wanted to use my self-hosted services to install a custom cert when they were over.
Cool. Follow up question: Do I generate the cert once and distribute the same private key to all the servers I'm running? I'm guessing not, but does that mean I run the certbot command on every server?
I have a single Nginx setup which is the frontend for all my web services. So I only need to deploy it there (and to its HA partner). My renewal script just
scp's it to the secondary and does annginx -s reloadon both.I do generate separate certs/keys for my non-web servers, but there's only two of those.
You could also, if you wanted, just generate one cert and distribute it and its key to everything with a script or other automation tool (Ansible is what I used to use).