this post was submitted on 07 Jul 2024
78 points (98.8% liked)

Selfhosted

40183 readers
529 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I want my self hosted things to use https. For example, I have Jellyfin installed via docker, and I want it to use https instead of http.

I don't care about necessarily doing this the "right" way, as I won't be making Jellyfin or any other service public, and will only be using it on my local network.

What is the easiest way to do this? Assume everything I host is in docker. Also a link to a tutorial would be great.

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 55 points 4 months ago (10 children)

The easiest way to do it is to do it the right way with LetsEncrypt. The hardest way to do it is the wrong way, where you create your own CA, import it as a root CA into all of the machines you’ll be accessing your servers from, then create and sign your own certs using your CA to use in your servers.

[–] [email protected] 14 points 4 months ago (2 children)

Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.

Running a CA is cool however, just be aware of the risks involved with running your own CA.

You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also real CA’s also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (1 children)

Running a CA is cool however, just be aware of the risks involved with running your own CA.

All they say that if the private key is stolen then you're screwed. Think about it, if an attacker can:

  1. Get into your network.
  2. Presumably bypass key-based ssh/container runtime protections
  3. Access pod/VM which is running the CA
  4. Bypass default MAC settings (Apparmor on debian, SELinux on RHEL)
  5. Steal private key without you knowing from your logs

You have a much bigger problem my friend

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

While I agree with you, an attacker may not need to go to such lengths in order to get the PK. The admin might misplace it or have a backup somewhere in plain text. People aren't also prone to look to logs and it might be too late when they actually noticed that the CA was compromised.

Managing an entire CA safely and deploying certificates > complex; Getting let's encrypt certificates using DNS challenges > easy;

load more comments (7 replies)