    "Site not secure" | Self-signed Certificate?

    • Dashrender

      Let's Encrypt supports free wildcard certs - so that could be an option for internal resources that use the FQDN but are only internal - updating the cert every 90 days or less is the bigger pain - though it can be scripted.

      • scottalanmiller @1337

        @pete-s said in "Site not secure" | Self-signed Certificate?:

        You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

        We get them. It's just more effort.

        • 1337 @scottalanmiller

          @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

          @pete-s said in "Site not secure" | Self-signed Certificate?:

          You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

          We get them. It's just more effort.

          Please elaborate Scott!

          • JaredBusch @1337

            @pete-s said in "Site not secure" | Self-signed Certificate?:

            @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

            @pete-s said in "Site not secure" | Self-signed Certificate?:

            You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

            We get them. It's just more effort.

            Please elaborate Scott!

            Yes, please.

            • scottalanmiller @JaredBusch

              @jaredbusch said in "Site not secure" | Self-signed Certificate?:

              @pete-s said in "Site not secure" | Self-signed Certificate?:

              @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

              @pete-s said in "Site not secure" | Self-signed Certificate?:

              You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

              We get them. It's just more effort.

              Please elaborate Scott!

              Yes, please.

              Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needing to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.

              • scottalanmiller

                Here is a writeup that someone did..

                https://gock.net/blog/2020/using-lets-encrypt-with-internal-web-server/

                In this case they are using it for internal web servers. The reason that I normally use it is that I use Let's Encrypt for things that aren't web servers and so act the same as isolated LAN devices.

                • Mr. Jones @scottalanmiller

                  @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                  So the answer is... it depends. Do you control the computer in question? If so, you can normally add the certificate to it and it will trust it.

                  But if you don't want to have to install the cert for every computer that will use it, then sadly only a CA signed cert (which are free, though) will work as you need to have the browser trust it and that is the only mechanism.

                  Okay, so if what you are saying is true, then I'm doing it incorrectly.

                  I was using :8443 btw, I don't know why I used :8080 as an example.

                  What are the steps here?

                  Do I create a .p12, split out the private .key and store that on the server, then split out the public .pem and push that to all domain computers into the Trusted Root Certificates directory via Group Policy?

                  Or do you have to have a .crt in the mix and that's why this approach would be such a pita.

                  • dbeato @scottalanmiller

                    @scottalanmiller I am confused. If you use certbot or any other Let's Encrypt client, it can use DNS verification automatically without needing any server enabled externally. That's what I have been doing with CloudFlare and their API; are you doing something different?
                    I even apply it to current web-facing servers so I don't need to open port 80 as well.

                    • scottalanmiller @dbeato

                      @dbeato said in "Site not secure" | Self-signed Certificate?:

                      I am confused. If you use certbot or any other Let's Encrypt client, it can use DNS verification automatically without needing any server enabled externally.

                      No, not all of them. They have ones that require manual intervention. The ones that handle internal servers.

                      • scottalanmiller @dbeato

                        @dbeato said in "Site not secure" | Self-signed Certificate?:

                        That's what I have been doing with CloudFlare and their API; are you doing something different?
                        I even apply it to current web-facing servers so I don't need to open port 80 as well.

                        We don't always have CloudFlare. If we control the server and not the DNS hosting, it can be complicated.

                        • dafyre @scottalanmiller

                          @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                          @dbeato said in "Site not secure" | Self-signed Certificate?:

                          That's what I have been doing with CloudFlare and their API; are you doing something different?
                          I even apply it to current web-facing servers so I don't need to open port 80 as well.

                          We don't always have CloudFlare. If we control the server and not the DNS hosting, it can be complicated.

                          True. But even Godaddy has APIs for this now, lol. If SlowDaddy can do it, I'd suspect that some of the others do as well.

                          • scottalanmiller @dafyre

                            @dafyre said in "Site not secure" | Self-signed Certificate?:

                            @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                            @dbeato said in "Site not secure" | Self-signed Certificate?:

                            That's what I have been doing with CloudFlare and their API; are you doing something different?
                            I even apply it to current web-facing servers so I don't need to open port 80 as well.

                            We don't always have CloudFlare. If we control the server and not the DNS hosting, it can be complicated.

                            True. But even Godaddy has APIs for this now, lol. If SlowDaddy can do it, I'd suspect that some of the others do as well.

                            That "someone" has API access doesn't matter if you don't have any access to the provider. Sometimes you only have the server.

                            • dbeato @scottalanmiller

                              @scottalanmiller Okay, but let's see: can we request API access to any of them? Yes. But doing manual work, it's just not great. Are you saying that you control just a subset of servers and the rest is on their own, and the customer cannot give you DNS access even as a request? Or is it trying not to get involved with the other vendors or DNS hosting provider?

                              • scottalanmiller @dbeato

                                @dbeato said in "Site not secure" | Self-signed Certificate?:

                                @scottalanmiller Okay, but let's see: can we request API access to any of them? Yes. But doing manual work, it's just not great. Are you saying that you control just a subset of servers and the rest is on their own, and the customer cannot give you DNS access even as a request? Or is it trying not to get involved with the other vendors or DNS hosting provider?

                                Right, we manage X and not Y and cannot get the API because we have to request through a human for a change. If the ONLY thing we can touch is the server, and the server cannot be exposed over port 80, we need to do it manually.

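The two situations argued over above (dbeato's API-driven DNS validation versus Scott's case where only the server is yours and a human has to touch DNS) as one added example, not code from the thread or from certbot: the shape of a certbot `--manual-auth-hook` for DNS-01. certbot does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook; everything else here is an assumption for the example: the `RecordingProvider` class stands in for a DNS hosting API client, the resolver callable stands in for a query against public DNS, and the names and values are constructed. The point it adds to the thread is that even without an API the hook can still run unattended up to the DNS change itself, then wait for the record to appear instead of a person running the whole renewal.

```python
# Added example: a DNS-01 auth hook that works with a provider API, or with a
# human creating the record, by polling public DNS until the value is visible.
# Provider client, resolver and sample data are constructed stand-ins.
import os
import sys
import time
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

Resolver = Callable[[str], Iterable[str]]  # record name -> TXT strings seen in public DNS


class RecordingProvider:
    """Stand-in for a DNS hosting API client. The hook only needs
    'add a TXT record' and 'delete a TXT record' from the real SDK."""

    def __init__(self) -> None:
        self.records: Dict[str, Set[str]] = {}

    def add_txt(self, name: str, value: str) -> None:
        self.records.setdefault(name, set()).add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.records.get(name, set()).discard(value)

    def resolve_txt(self, name: str) -> Set[str]:
        """Stands in for a public DNS lookup of the provider's zone."""
        return set(self.records.get(name, ()))


def challenge_from_env(env: Dict[str, str]) -> Tuple[str, str]:
    """certbot exports the name being validated and the TXT value it computed.
    A wildcard validates at its base name, so a leading '*.' is stripped."""
    domain = env["CERTBOT_DOMAIN"]
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}", env["CERTBOT_VALIDATION"]


def wait_for_propagation(resolve: Resolver, name: str, value: str,
                         attempts: int = 30, delay: float = 10.0,
                         sleep: Callable[[float], None] = time.sleep) -> bool:
    """Publishing is not the same as being visible: the CA resolves the record
    from its own vantage points, so poll before handing control back to certbot."""
    for _ in range(attempts):
        if value in set(resolve(name)):
            return True
        sleep(delay)
    return False


def auth_hook(env: Dict[str, str], provider: Optional[RecordingProvider],
              resolve: Resolver, notify: Callable[[str], None] = print,
              sleep: Callable[[float], None] = time.sleep) -> bool:
    """With API access: create the record and wait until it resolves.
    Without it (only the server is yours): hand the exact record to a human,
    then wait for it to show up in DNS. Either way returns True only once the
    record is visible, which is when certbot may tell the CA to validate."""
    name, value = challenge_from_env(env)
    if provider is not None:
        provider.add_txt(name, value)
    else:
        notify(f"Create TXT {name} = {value} at the DNS provider; waiting for it to appear.")
    return wait_for_propagation(resolve, name, value, sleep=sleep)


def cleanup_hook(env: Dict[str, str], provider: Optional[RecordingProvider]) -> None:
    """Paired --manual-cleanup-hook: remove the record once validation is done.
    With no API the human removes it; the value is single-use either way."""
    if provider is not None:
        name, value = challenge_from_env(env)
        provider.delete_txt(name, value)


if __name__ == "__main__":
    # Under certbot the variables come from the environment; outside it, a
    # constructed pair so the file runs stand-alone.
    env = dict(os.environ) if "CERTBOT_DOMAIN" in os.environ else {
        "CERTBOT_DOMAIN": "*.lan.example.net", "CERTBOT_VALIDATION": "constructed-value"}
    provider = RecordingProvider()  # replace with the real API client, or None
    ok = auth_hook(env, provider, provider.resolve_txt, sleep=lambda s: None)
    cleanup_hook(env, provider)
    sys.exit(0 if ok else 1)
```

Wired up with the real provider, the auth and cleanup functions would sit behind `certbot certonly --manual --preferred-challenges dns --manual-auth-hook ... --manual-cleanup-hook ...`; with `provider=None` the same hook turns Scott's manual case into a single DNS change per renewal that the script waits for, rather than a person driving the whole run.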
                                • JaredBusch @scottalanmiller

                                  @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                                  @jaredbusch said in "Site not secure" | Self-signed Certificate?:

                                  @pete-s said in "Site not secure" | Self-signed Certificate?:

                                  @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                                  @pete-s said in "Site not secure" | Self-signed Certificate?:

                                  You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

                                  We get them. It's just more effort.

                                  Please elaborate Scott!

                                  Yes, please.

                                  Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needing to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.

                                  That is more than getting a cert for everything on your LAN. That is also giving everything on your LAN a valid FQDN, and thus also valid internal DNS records, or NAT reflection etc., for said traffic.

                                  • David_CSG @dbeato

                                    @dbeato stated exactly what I was thinking.
                                    Note: this is not meant to disregard (that would be silly and pointless) the specifics that Scott has mentioned. In other words, one size (or solution) does not necessarily fit all (scenarios).

                                    But I use Caddy in a Dockerized setup for a server that isn't publicly available (not wide open), as it doesn't need to be, nor do I want it to be.
                                    In my case I use dnsmadeeasy and their API. It does require DNS (records) access/ability to manage some records.

                                    All of which adds “complexity” (not much, but some), enough that I wouldn’t recommend it if the tech involved was new for someone (if so, home lab it first) for anything in production.

                                    • scottalanmiller @JaredBusch

                                      @jaredbusch said in "Site not secure" | Self-signed Certificate?:

                                      @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                                      @jaredbusch said in "Site not secure" | Self-signed Certificate?:

                                      @pete-s said in "Site not secure" | Self-signed Certificate?:

                                      @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

                                      @pete-s said in "Site not secure" | Self-signed Certificate?:

                                      You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs

                                      We get them. It's just more effort.

                                      Please elaborate Scott!

                                      Yes, please.

                                      Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needing to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.

                                      That is more than getting a cert for everything on your LAN. That is also giving everything on your LAN a valid FQDN, and thus also valid internal DNS records, or NAT reflection etc., for said traffic.

                                      In this particular case, we don't actually do that. It's 100% public DNS because the servers are actually public, just don't act that way to LE because they don't run web servers. So public FQDN that already exists and is used works properly. But since port 80 isn't open on the network, and we can't have a web server anyway, we have to act like it is internal.

                                      But if you are going to do internal certs, then as certs require DNS, you have to do all that work anyway. You just have to make sure it is an FQDN so that public certs can reference it.

                                      • Mr. Jones @1337

                                        @pete-s said in "Site not secure" | Self-signed Certificate?:

                                        I'm not sure how you set up a CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

                                        I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.

                                        • 1337 @Mr. Jones

                                          @mr-jones said in "Site not secure" | Self-signed Certificate?:

                                          @pete-s said in "Site not secure" | Self-signed Certificate?:

                                          I'm not sure how you set up a CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

                                          I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.

                                          Awesome! Yeah, I bet it took a bit of research to get it up and running.
