I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.

I don’t care about necessarily doing this the “right” way, as I won’t be making Jellyfin or any other service public, and will only be using it on my local network.

What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.

Thanks!

  • @hperrin@lemmy.worldEnglish
    3811 months ago

    The easiest way to do it is to do it the right way with LetsEncrypt. The hardest way to do it is the wrong way, where you create your own CA, import it as a root CA into all of the machines you’ll be accessing your servers from, then create and sign your own certs using your CA to use in your servers.

    • @TCB13@lemmy.worldEnglish
      1111 months ago

      Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.

      Running a CA is cool however, just be aware of the risks involved with running your own CA.

      You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

    • @philpo@feddit.deEnglish
      211 months ago

      Yeah. Exactly how I do it. .casa domain to distinguish it from my other domains, DNS challenge and I am good.

      Proxmox and OPN Sense work with it themselves, for everything else I use NPM on Proxmox. Couldn’t be more happy with that solution.

  • @doodledup@lemmy.worldEnglish
    1011 months ago

    Nginx Proxy Manager is awesome for managing certificates. I have all of my services running behind it.

    • qazEnglish
      211 months ago

      I also use this and can recommend it

    • @Tinkerer@lemmy.caEnglish
      111 months ago

      I do this too, have acls setup for my main LAN ips and all my internal hosts setup in opnsense in hosts override so they get redirected to NPM. Not sure if this is the correct way but it gives me all valid certificates. You could also do domain override and redirect just that domain to your NPM.

    • @jonno@discuss.tchncs.deEnglish
      511 months ago

      Or use caddy with a dns challenge. No need to open any ports and just use it completely locally without any annoying warning.

  • @cmnybo@discuss.tchncs.deEnglish
    411 months ago

    I just add my CA to my devices and use self signed certificates for stuff on my LAN. I don’t want to go through all the trouble of using lets encrypt for something that’s not accessible from the internet.

    • @TCB13@lemmy.worldEnglish
      411 months ago

      Just be aware of the risks involved with running your own CA.

      You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

      For what’s worth, LetsEncrypt with DNS-01 challenge is way easier to deploy and maintain in your internal hosts than adding a CA and dealing with all the devices that might not like custom CAs. Also more secure.

    • @catloaf@lemm.eeEnglish
      311 months ago

      This is the most permanent solution. You can generate valid and trusted certs for as long as you want. Let’s Encrypt is great, but you also have to configure the automation to keep renewing the certs every 30 days.

    • @postnataldrip@lemmy.worldEnglish
      111 months ago

      If you mean signed by your CA then this is me too, albeit with an intermediate CA in the middle (honestly pointless in my case, but old habits etc).

      I don’t host anything externally and trusting the CA certs internally is easy as Ionly need to do it on a handful of devices. This + reverse proxy keeps things tidy and uncomplicated.