How are y’all managing internal network certificates?
At any point in time, I have between 2-10 services, often running on a network behind an nginx reverse proxy, with some variation in certificates, none ideal. Here’s what I’ve done in the past:
- setup a CLI CA using openssl
- somewhat works, but importing CAs into phones was a hassle.
- self sign single cert per service
- works, very kludgy, very easy
- expose http port only on lo interface for sensitive services (e.g. pihole admin), ssh local tunnel when needed
I see easy-RSA seems to be more user friendly these days, but haven’t tried it yet.
I’m tempted to try this setup for my local LAN facing (as exposed to tunnel only, such as pihole) services:
- Get letsencrypt cert for single public DNS domain (e.g. lan.mydomain.org)… not sure about wildcard cert.
- use letsencrypt on nginx reverse proxy, expose various services as suburls (e.g. lan.mydomain.org/nextcloud)
Curious what y’all do and if I’m missing anything basic.
I have no intention of exposing these outside my local network, and prefer as less client side changes as possible.
1·1 year ago- mod_md on an internet-facing server, copy certificates generated there to the internal hosts (+ split-horizon DNS to properly resolve internal hosts from my LAN). The process is automated through ansible
- Self-signed certs generated through ansible. I don’t find this kludgy, self-signed certs are actually very decent if you verify the fingerprint [1]. This is also how SSH works the first time you connect to a server (trust-on-first-use)
- I have contemplated setting up my own CA and ACME server - but as you said importing CA certs on devices can be a hassle