this post was submitted on 19 Jun 2023
26 points (100.0% liked)

Selfhosted

40415 readers
220 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
top 19 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 1 year ago (2 children)

There's no question in my mind, letsencrypt is a major boon the the entire Internet.

[–] [email protected] 2 points 1 year ago (3 children)

Hard to believe you used to have to pay for a TLS certificate. I use Let's Encrypt with cert-manager on my kubernetes cluster and it still amazes me how SSL just happens. Even just using certbot makes the job extremely simple.

[–] [email protected] 2 points 1 year ago (1 children)

For cert-manager to work you need to have the ingress controller port (or I guess another port) exposed publicly? Or it supports DNS verification? I thought about doing this, but I am essentially having my cluster fully in a private network which I connect with wireguard from outside, but maybe I should reconsider?

I am keen to know a little bit more about your setup

[–] [email protected] 1 points 1 year ago

I am using cloudflare DNS, which cert-manager requires an API key to edit the DNS entries. Documentation on this can be found here. It seems to support a number of DNS APIs, you can view those here.

[–] [email protected] 1 points 1 year ago

There even are still some (shitty) webhosts that require payment for a TLS certificate, because they refuse to support letsencrypt.

[–] [email protected] 1 points 1 year ago

And what is worse-

It wasn't cheap either! Some of the SSL cert providers were charging hundreds/thousands for a certificate!

The less evil ones, were still charging 30$ or so.

[–] [email protected] 1 points 1 year ago

Every website I’ve ever set up has used letsencrypt, not sure where small business pages would be without it.

[–] [email protected] 2 points 1 year ago

I used Techno Tim's guide on how to do essentially the same thing with different tools: Cloudflare, Let's Encrypt, Traefik, and PiHole (for my DNS)
https://www.youtube.com/watch?v=liV3c9m_OX8
https://docs.technotim.live/posts/traefik-portainer-ssl/

[–] [email protected] 1 points 1 year ago (1 children)

Have thought of doing this before. I only read halfway through but enough to confirm what I expected - too much work!

[–] [email protected] 1 points 1 year ago

I can't open the link right now cause it seems to have gotten the hug of death, but if they didn't mention it check out Caddy. It handles the certificates all automatically. All you have to do is set up the DNS record and then point Caddy at your internal service and it handles the rest.

[–] [email protected] 1 points 1 year ago (3 children)

As a side note, how do people handle HTTPS with private networks (VPN or local) these days? I typically just stick to HTTP, but it would be nice to get rid of the warnings/lock (and I use HTTPS-only mode and firefox seems to require a fresh exception for every port).

[–] [email protected] 2 points 1 year ago

Doing what the OP (same result, just different software) or I posted and assigning certificates to secure your local services means you can avoid the HTTPS warning that major browsers will pop up on an unsecure (HTTP) connection. Instead of going to an internal dns name without a certificate or direct to the ip....you assign a wildcard certificate to a domain name you've setup on your local dns. You then access that service via the HTTPS protected Domain name, with no warning.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Self signed certificates and import CA onto all of my devices.

Or, public DNS with cloudflare that points to local IP, but you can't do this with a .local domain

[–] [email protected] 1 points 1 year ago

DNS challenge, that way you don't have to have anything open to the outside. It needs to be using a domain you own and have registered, though.

Here's a tutorial with (seemingly) all the DNS providers: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

[–] [email protected] 1 points 1 year ago (2 children)

There's also cloudflare tunnels

https://www.cloudflare.com/products/tunnel/

I use it for home assistant and it works great

[–] [email protected] 2 points 1 year ago

This is the answer! I'm scared to open up my home network.

[–] [email protected] 1 points 1 year ago

I also use this for my stuff. I don't have too open any inbound ports at all or worry about the fact that I'm on a dynamic IP, I just access things over my local IPs / hostnames as though I'm on my home LAN.

[–] [email protected] 0 points 1 year ago (1 children)

Is there a lets-encrypt alternative that doesn't require you to pay for a domain? I'd like to use a local domain like myservice.home rather than myservice.domain.com. I currently have Caddy auto generate certificates for my services but it's a pain as some devices hate the self-signed certificate.

[–] [email protected] -1 points 1 year ago

Self signed certificates. I have my services with a .local domain, created a 10year certificate. The only painful thing is that you have to import your CA into all of your devices

load more comments
view more: next ›