I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.
I don’t care about necessarily doing this the “right” way, as I won’t be making Jellyfin or any other service public, and will only be using it on my local network.
What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.
Thanks!
hperrin@lemmy.world 4 months ago
The easiest way to do it is to do it the right way with LetsEncrypt. The hardest way to do it is the wrong way, where you create your own CA, import it as a root CA into all of the machines you’ll be accessing your servers from, then create and sign your own certs using your CA to use in your servers.
khorak@lemmy.dbzer0.com 4 months ago
This, letsencrypt with dns challenge, desec.io to manage the dns records github.com/go-acme/lego or traefik to manage the certificates and do the dns challenges for you.
TCB13@lemmy.world 4 months ago
Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.
Running a CA is cool however, just be aware of the risks involved with running your own CA.
You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.
Findmysec@infosec.pub 4 months ago
All they say that if the private key is stolen then you’re screwed. Think about it, if an attacker can:
You have a much bigger problem my friend
scrubbles@poptalk.scrubbles.tech 4 months ago
Tried that once. It was not a fun route to go down. If let’s encrypt ever dies it anything fine, I’ll look into it again. Until then, let’s encrypt all the way
Findmysec@infosec.pub 4 months ago
why is creating one’s own CA the wrong way? I don’t want to have to pay cloudflare or porkbun to run HTTPS at home
hperrin@lemmy.world 4 months ago
Because you have to manage it on your network and all your own machines, and it doesn’t provide any value if your server is hacked. It actually makes you less safe if your server is hacked, because then you can consider every machine that has that CA as compromised. There’s no reason to use HTTPS if you’re running your own CA. Just use HTTP or use a socks proxy through ssh.
philpo@feddit.de 4 months ago
Yeah. Exactly how I do it. .casa domain to distinguish it from my other domains, DNS challenge and I am good.
Proxmox and OPN Sense work with it themselves, for everything else I use NPM on Proxmox. Couldn’t be more happy with that solution.