So, I have a few services (Jellyfin, Home Assistant, etc) that I am running, and have been acessing via their IP’s and port numbers.

Recently, I started using NGINX so that I could setup entries in my Pi Hole, and access my services via some made up hostname (jellyfin.home, homeassistant.home, etc).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on and it seems straight forward.

My questions:

  • Will there be any issues running SSL certs if all of my internal service are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

  • phi@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    i have a similar setup at home. the way i did it was using certbot and dns verification. i pointed my domain’s NSs to digitalocean’s NS and then i downloaded the certbot-digitalocean-dns plugin, created an API key for DO and stored it somewhere and then certbot took care of everything else. nothing is exposed to the internet

    • pacocascadero@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      This is the way for services not exposed to the internet. Thera are multiple DNS providers supported (I use Cloudflare personally). At the other hand if the service is published to the internet HTTP validation is very simple to configure as well. I have stopped using Nginx as a reverse proxy and use Traefik for conteinerised services or Caddy for the rest. Both proxies support ACME protocol out of the box.

    • root@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Very nice! And you don’t have to worry about adding the cert to each device that wants to use the service, right? Since this isn’t a self hosted CA.

        • root@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Ooo, very nice! If I use that script, can I generate certificates for a made up domain within my network (eg *.homelab), or do I need to use a domain I actually own?

      • phi@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        exactly. that was the main thing i wanted to avoid. i also have nginx-proxy-manager in front of all my apps which also automates some things (like requesting new certs or renewing them when the time comes)

    • root@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I have heard of this, but I think if you self-host a CA, you have to add the cert to every device that wants access to the service right? For example, I’d have to add it to my TV if my TV connects to Jellyfin, to my laptop if my laptop needs access to Home Assistant, etc. I’m not sure my family would like that XD

  • Aurailious@beehaw.org
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    If you use Let’s Encrypt, or any public CA, all of your domains and certificates will be public. You can use a wildcard to avoid revealing subdomains. There is a website that you can use to search what is available, but I don’t remember what it is.

    I suspect there aren’t any serious risks to having that information revealed. The only real reason would be privacy against which services you are using on that domain.

    • phi@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      yeah true but if the DNS records aren’t actually pointing anywhere then there’s no real threat no? because everything stays in the internal network

      • Aurailious@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        You have to use a public DNS registrar, and that DNS record has to point to your public IP if you want to automate to a public CA. All of my subdomains are in my local DNS server though and I use a wilcard for them. So no one externally can go to jellyfin.mydomain.com, but they could go to www.mydomain.com to my IP, but that doesn’t forward on my router either.

        But also only automated scrappers are going to look for my domain too and they are going to be blocked in the same way automated scrappers for residential IPs are blocked. I could be wrong, but I don’t think there are ways to bypass security with knowing the domain name tied to an IP.