Hi, I was looking at private CAs since I don’t want to pay for a domain to use in my homelab.

What is everyone using for their private CA? I’ve been looking at plain OpenSSL with some automation scripts but would like more ideas. Also, if you have multiple reverse-proxy instances, how do you distribute domain-specific signed certificates to them? I’m not planning to use a wildcard, and would like to rotate certificates often.

Thanks!


Edit: thank you for everyone who commented! I would like to say that I recognise the technical difficulty in getting such a setup working compared to a simple certbot setup to Let’s Encrypt, but it’s a personal choice that I have made.

  • notfromhere@lemmy.one
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    My experience is it’s really a lot of work and with the prevalence of letsencrypt, there is not a lot of automated setups for this use case (at least that I have been able to find). It is kind of a pain in the ass to run your own CA, especially if you plan to not use wildcard and to rotate certs often. If you use tailscale, they offer https certs with a subdomain given to you:

    [server-name].[tailnet-name].ts.net

    That’s honestly what I’m moving towards.

    • ____@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      From where I sit, not a lot of reason to do it. It’s a bigger pain to deal with your own CA than to just use LE.

  • deepdive@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    1 year ago

    If you want to run your own pki with self-signed certificate in your homelab I really encourage you to read through this tutorial. There is a lot to process and read and it will take you some time to set everything up and understand every terminology but after that:

    • Own self-signed certificate with SAN wildcards (https://*.home.lab)
    • Certificate chain of trust
    • CSR with your own configuration
    • CRL and certificate revocation
    • X509 extensions

    After everything is in place, you can write your own script that revoks, write and generates your certificate, but that is another story !

    Put everything behind your reverse proxy of choice (traefik in my case) and serve all your docker services with your own self-signed wildcard certificates ! It’s complex but if you have spare time and are willing to learn something new, it’s worth the effort !

    Keep in mind to never expose such certificates on the wild wild west ! Keep those certificate in a closed homelab you access through a secure tunnel on your LAN !

    edit

    Always take notes, to keep track of what you did and how you solved some issues and always make some visuals to have a better understanding on how things work !

    • NeoNachtwaechter@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      never expose such certificates on the wild wild west ! Keep those certificate in a closed homelab you access through a secure tunnel on your LAN !

      I’m curious, what’s the reason?

      • jdrch@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        In many architectures in which certificates are used, a client with a valid certificate is a trusted client, so a certificate falling into the wrong hands is problematic.

  • britishteadrinker@feddit.uk
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    I’d just buy a single domain, it’s like £5 a year and use a letsencrypt wildcard and have it auto renew via DNS challenges. Very easy. You can do what you’re doing with letsencrypt, but you’ll have to set up HTTP challenges for each sub domain, or DNS challenges for each sub domain. Obviously doable, but more work.

    Doing it without letsencrypt and just doing it privately? I dunno if I’d bother with that, firstly you’ll have to go through the hassle of making sure any browser and computer that connects to it has the root cert of the private CA, or you’ll get self signed errors, which is a faff. I’d honestly just pay the £5 or so a year, you’ll spend more time (and time is ultimately money) doing it without it.

    • LifeBandit666@feddit.uk
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      As someone who has done both I couldn’t agree more.

      I run Home Assistant and could just pay their subscription to get external access, which also supports development. But I’m a cheap Yorkshireman so I went with DuckDNS, Let’s Encrypt, Nginx and all that jazz for a long time. I’m just trying to hook my home up to Google so I can talk to it, I don’t wanna pay money!

      I had so many bloody glitches! I’d have to sign things in on a weekly basis, Google lost access all the damn time and it was just a nuisance.

      I have a rule for hobbies, I do it cheap for at least a few months to see if I lose interest. If I get a bit obsessive, it’s worth spending money on the hobby.

      So after a year or two of fucking around with Nginx and DuckDNS I found the cloudflare plugin, which worked for free for a while. It was night and day, everything remained connected!

      It ultimately bugged out one day and I decided to just bite the bullet and buy a domain. It’s a hobby I’ve invested enough time in that a few quid for a solution that just works is worth it.

      I think I dropped £35 for 5 years (I forget, it might be a decade) of owning my own .com domain name, which cloudflare manages for me.

      I now have to reconnect my Google home to my home assistant once every couple of months instead of every week.

      I haven’t missed the money, and I certainly haven’t missed the fucking tinkering to get it to work.

  • citizen@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    1 year ago

    I’m using step-ca. Its running on dedicated SBC. ACME certs created for each service renewing automatically daily. Honestly this setup wouldn’t be worth it if it wasn’t for daily cert rotation. I’m not using wildcard certs with own CA as it’s bad practice and defeats the purpose. There are bunch of different ACME renewal scripts/services. K8s cert manager handling kubernetes services automatically. Opensense has ACME cert plugin, nginx proxy manager is using external cert managed by script. I’m validating certs with DNS using TSIG. Step-ca have several integrations with different DNS services. I chose TSIG because it’s universal. There is pi-hole integration if you using that. Buying valid domain is not needed as long as you have internal DNS. You need to Install root Ca on every machine that will be connecting to services. If you have many VM’s configuration management is the way to go.

  • MTK@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 year ago

    Use something like no-ip, you can get a domain for free and renewing it every 30 days with a few clicks is much easier then managing a CA.

    The only downside is the TLD but if you don’t care to much about how your domain name looks it really is the best option.

    I use no-ip with letsencrypt, the LE bot does the certificate stuff for me, I use a single domain with different ports for each service and no-ip sends an email every 30 days to reconfirm the domain. Simple and easy.

  • iMeddles@infosec.pub
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    I don’t at the moment, because I don’t have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.

    • deepdive@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Step CA is really nice if you want to learn more about how a real CA works. Had some fun playing with it but yeah it’s a bit overkill for home lab xD.

      You can achieve the same result with openssl with less complexity !

  • akash_rawal@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    I run a crude automation on top of OpenSSL CA. It checks for certain labels attached to kubernetes services. Based on that it creates kubernetes secrets containing the generated certificates.

  • vegetaaaaaaa@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    I’m not using a private CA for my internal services, just plain self-signed certs. But if I had to, I would probably go as simple as possible in the first time: generate the CA cert using ansible, use ansible to automate signing of all my certs by the CA cert. The openssl_* modules make this easy enough. This is not very different from my current self-signed setup, the benefit is that I’d only have to trust a single CA certificate/bypass a single certificate warning, instead of getting a warning for every single certificate/domain.

    If I wanted to rotate certificates frequently, I’d look into setting up an ACME server like [1], and point mod_md or certbot to it, instead of the default letsencrypt endpoint.

    This still does not solve the problem of how to get your clients to trust your private CA. There are dozens of different mechanisms to get a certificate into the trust store. On Linux machines this is easy enough (add the CA cert to /usr/local/share/ca-certificates/*.crt, run update-ca-certificates), but other operating systems use different methods (ever tried adding a custom CA cert on Android? it’s painful. Do other OS even allow it?). Then some apps (Web browsers for example) use their own CA cert store, which is different from the OS… What about clients you don’t have admin access to? etc.

    So for simplicity’s sake, if I really wanted valid certs for my internal services, I’d use subdomains of an actual, purchased (more like renting…) domain name (e.g. service-name.internal.example.org), and get the certs from Let’s Encrypt (using DNS challenge, or HTTP challenge on a public-facing server and sync the certificates to the actual servers that needs them). It’s not ideal, but still better than the certificate racket system we had before Let’s Encrypt.

  • cron@feddit.de
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Why bother with certificate rotation in a homelab environment? You could issue certificates for three years and just call it a day.

    Personally, I have experience with Microsoft Certificate Services, which works pretty well out of the box and is also quite well supported. But you need a Windows Server for it.

  • [email protected]@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I run a private CA for client SSL.
    For traditional server SSL I just use let’s encrypt, although I already have the domain (less than $10 a year) for my public facing stuff, and just use a subdomain of that one for my homelab.

    I have a container with openssl for the private CA and generating user certs as well as renewing the let’s encrypt ones. I just use openssl without anything fancy.
    The output folder is only mounted rw in that one container
    I only ever mount the subfolders in read-only in other containers that need those certs.
    All these containers are running on the same server so I don’t even have to copy anything around, the containers don’t even need connectivity between them, it’s just mounted where needed.

  • johntash@eviltoast.org
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I do have Vault PKI set up but I don’t use it that much. It’s only if I want to do mTLS with something.

    For almost all of my actual services, I use a wildcard cert that covers something like *.int.example.com. I use acme.sh to create and renew the cert then have a python script that copies it to any vms or services that need it

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CA (SSL) Certificate Authority
    DNS Domain Name Service/System
    HTTP Hypertext Transfer Protocol, the Web
    NAS Network-Attached Storage
    SAN Storage Area Network
    SBC Single-Board Computer
    SSH Secure Shell for remote terminal access
    SSL Secure Sockets Layer, for transparent encryption
    SSO Single Sign-On
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    k8s Kubernetes container management package
    nginx Popular HTTP server

    [Thread #324 for this sub, first seen 1st Dec 2023, 23:25] [FAQ] [Full list] [Contact] [Source code]