this post was submitted on 07 Jul 2024
78 points (98.8% liked)

Selfhosted

40347 readers
329 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.

I don't care about necessarily doing this the "right" way, as I won't be making Jellyfin or any other service public, and will only be using it on my local network.

What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] cmnybo@discuss.tchncs.de 7 points 4 months ago (4 children)

I just add my CA to my devices and use self signed certificates for stuff on my LAN. I don't want to go through all the trouble of using lets encrypt for something that's not accessible from the internet.

[–] TCB13@lemmy.world 5 points 4 months ago

Just be aware of the risks involved with running your own CA.

You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

For what's worth, LetsEncrypt with DNS-01 challenge is way easier to deploy and maintain in your internal hosts than adding a CA and dealing with all the devices that might not like custom CAs. Also more secure.

[–] catloaf@lemm.ee 5 points 4 months ago

This is the most permanent solution. You can generate valid and trusted certs for as long as you want. Let's Encrypt is great, but you also have to configure the automation to keep renewing the certs every 30 days.

[–] postnataldrip@lemmy.world 2 points 4 months ago

If you mean signed by your CA then this is me too, albeit with an intermediate CA in the middle (honestly pointless in my case, but old habits etc).

I don't host anything externally and trusting the CA certs internally is easy as Ionly need to do it on a handful of devices. This + reverse proxy keeps things tidy and uncomplicated.

[–] azl@lemmy.sdf.org 1 points 4 months ago

I've been doing it this way for many years, before LetsEncrypt was around. Maybe some day I will switch so I can become dependent on another third party (though I do use LetsEncrypt for public-facing services).

Yes, telling your computer to trust a certificate chain that you are responsible for securing may significantly increase your attack surface. It's easy to forget about that root cert (I actually push mine via GPO).