"Site not secure" | Self-signed Certificate?
-
@scottalanmiller said in "Site not secure" | Self-signed Certificate?:
@jaredbusch said in "Site not secure" | Self-signed Certificate?:
@pete-s said in "Site not secure" | Self-signed Certificate?:
@scottalanmiller said in "Site not secure" | Self-signed Certificate?:
@pete-s said in "Site not secure" | Self-signed Certificate?:
You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs
We get them. It's just more effort.
Please elaborate Scott!
Yes, please.
Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needing to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.
That is more than getting a cert for everything on your LAN. That is also giving everything on your LAN a valid FQDN, and thus also valid internal DNS records, or NAT reflection etc, for said traffic.
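The "DNS TXT process" in the exchange above is the ACME DNS-01 challenge (RFC 8555 section 8.4): the CA hands the client a token, the client publishes a TXT record at `_acme-challenge.<name>` whose value is the base64url SHA-256 of `token + "." + thumbprint(account key)`, and the CA resolves that name over public DNS. Nothing ever has to answer on port 80 or 443, which is why a server behind NAT with no inbound ports can still hold a publicly trusted cert for a name it owns. The script below is an added illustration of that arithmetic, not code from anyone in this thread, any ACME client, or any CA; the account JWK, the token and the host name are constructed sample values, and the `txt_records_satisfy` check mirrors what a CA's validator does once it has fetched the record.

```python
"""DNS-01 key-authorization arithmetic (RFC 8555 / RFC 7638), standard library only."""
import base64
import hashlib
import json
import re

# ACME tokens are base64url strings; refuse anything else before it reaches DNS.
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")

# Members RFC 7638 feeds into the thumbprint, per key type (everything else, e.g. "use", is ignored).
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample account key; the coordinates are placeholders, not a real key pair.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}

# Constructed sample token; a real one comes from the CA in the challenge object.
SAMPLE_TOKEN = "aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcd"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexicographic order, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {k: jwk[k] for k in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url-encoded."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint; this string is what HTTP-01 would serve over port 80."""
    if not _B64URL.match(token):
        raise ValueError("ACME token must be base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 publishes the SHA-256 digest of the key authorization, not the string itself."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(identifier: str) -> str:
    """The TXT owner name the CA will query; a trailing dot on the identifier is tolerated."""
    return f"_acme-challenge.{identifier.rstrip('.')}"


def txt_records_satisfy(records, expected: str) -> bool:
    """Validator side: any TXT string at the name must equal the expected value exactly."""
    return any(r == expected for r in records)


if __name__ == "__main__":
    host = "nas.corp.example.com"  # constructed sample name
    value = dns01_txt_value(SAMPLE_TOKEN, ACCOUNT_JWK)
    print(f'{challenge_record_name(host)}. IN TXT "{value}"')
    # A stale record from an earlier run does not satisfy the new challenge.
    print("stale record passes:", txt_records_satisfy(["old-value"], value))
</test>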
-
@dbeato stated exactly what I was thinking.
Note: this is not meant to disregard (that would be silly & pointless) the specifics that Scott has mentioned. In other words, one size (or solution) does not necessarily fit all (scenarios). But I use Caddy in a Dockerized setup for a server that isn’t publicly available (not wide open), as it doesn’t need to be, nor do I want it to be.
In my case I use dnsmadeeasy and their API. Does require DNS (records) access/ability to manage some records. All of which adds “complexity” (not much, but some), enough that I wouldn’t recommend it if the tech involved was new for someone (if so, home lab it first) for anything in production.
-
@jaredbusch said in "Site not secure" | Self-signed Certificate?:
@scottalanmiller said in "Site not secure" | Self-signed Certificate?:
@jaredbusch said in "Site not secure" | Self-signed Certificate?:
@pete-s said in "Site not secure" | Self-signed Certificate?:
@scottalanmiller said in "Site not secure" | Self-signed Certificate?:
@pete-s said in "Site not secure" | Self-signed Certificate?:
You can't get or buy publicly trusted SSL certificates for any server on your LAN, only for public FQDNs/IPs
We get them. It's just more effort.
Please elaborate Scott!
Yes, please.
Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needing to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.
That is more than getting a cert for everything on your LAN. That is also giving everything on your LAN a valid FQDN, and thus also valid internal DNS records, or NAT reflection etc, for said traffic.
In this particular case, we don't actually do that. It's 100% public DNS because the servers are actually public, just don't act that way to LE because they don't run web servers. So public FQDN that already exists and is used works properly. But since port 80 isn't open on the network, and we can't have a web server anyway, we have to act like it is internal.
But if you are going to do internal certs, then as certs require DNS, you have to do all that work anyway. You just have to make sure it is an FQDN so that public certs can reference it.
-
@pete-s said in "Site not secure" | Self-signed Certificate?:
I'm not sure how you set up CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.
I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.
-
@mr-jones said in "Site not secure" | Self-signed Certificate?:
@pete-s said in "Site not secure" | Self-signed Certificate?:
I'm not sure how you set up CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.
I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.
Awesome! Yeah, I bet it took a bit of research to get it up and running.