ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    "Site not secure" | Self-signed Certificate?

    IT Discussion
    9
    25
    1.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch @scottalanmiller
      last edited by

      @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

      @jaredbusch said in "Site not secure" | Self-signed Certificate?:

      @pete-s said in "Site not secure" | Self-signed Certificate?:

      @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

      @pete-s said in "Site not secure" | Self-signed Certificate?:

      You can't get or buy publicly trusted SLL certificates for any server on your LAN, only for public FQDNs/IPs

      We get them. It's just more effort.

      Please elaborate Scott!

      Yes, please.

      Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needed to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.

      That is more than getting a cert for everything on your LAN. That is also giving everything your on LAN a valid FQDN, and thus also valid internal DNS records, or NAT reflection etc, for said traffic.

      scottalanmillerS 1 Reply Last reply Reply Quote 1
      • D
        David_CSG @dbeato
        last edited by

        @dbeato Stated exactly what I was thinking.
        Note: this not meant to disregard (that would be silly & pointless) the specifics that Scott has mentioned. In other words, one size (or solution) does not necessarily fit all (scenarios).

        But I use Caddy in a Dockerized setup for a server that isn’t publicly available (not wide open) as it doesn’t need to be nor do I want it to be).
        In my case I use dnsmadeeasy and their API. Does require DNS (records) access/ability to manage some records.

        All of which adds “complexity” (not much, but some), enough that I wouldn’t recommend it if the tech involved was new for someone (if so, home lab it first) for anything in production.

        1 Reply Last reply Reply Quote 2
        • scottalanmillerS
          scottalanmiller @JaredBusch
          last edited by

          @jaredbusch said in "Site not secure" | Self-signed Certificate?:

          @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

          @jaredbusch said in "Site not secure" | Self-signed Certificate?:

          @pete-s said in "Site not secure" | Self-signed Certificate?:

          @scottalanmiller said in "Site not secure" | Self-signed Certificate?:

          @pete-s said in "Site not secure" | Self-signed Certificate?:

          You can't get or buy publicly trusted SLL certificates for any server on your LAN, only for public FQDNs/IPs

          We get them. It's just more effort.

          Please elaborate Scott!

          Yes, please.

          Sure, you just have to do it via the DNS TXT process. The server has to be able to reach out, it can't be totally isolated from the Internet (unless you want to move the files around manually) but it verifies that you own the name without needed to provide a file. We do this for some clients all of the time. It's a pain and cannot be automated, so you need a human to get involved from time to time to make it work. But it works.

          That is more than getting a cert for everything on your LAN. That is also giving everything your on LAN a valid FQDN, and thus also valid internal DNS records, or NAT reflection etc, for said traffic.

          In this particular case, we don't actually do that. It's 100% public DNS because the servers are actually public, just don't act that way to LE because they don't run web servers. So public FQDN that already exists and is used works properly. But since port 80 isn't open on the network, and we can't have a web server anyway, we have to act like it is internal.

          But if you are going to do internal certs, then as certs require DNS, you have to do all that work anyway. You just have to make sure it is an FQDN so that public certs can reference it.

          1 Reply Last reply Reply Quote 0
          • Mr. JonesM
            Mr. Jones @1337
            last edited by

            @pete-s said in "Site not secure" | Self-signed Certificate?:

            I'm not sure how you set up CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

            I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.

            1 1 Reply Last reply Reply Quote 2
            • 1
              1337 @Mr. Jones
              last edited by

              @mr-jones said in "Site not secure" | Self-signed Certificate?:

              @pete-s said in "Site not secure" | Self-signed Certificate?:

              I'm not sure how you set up CA on Windows AD but I believe you can. Don't know if you can use that for non-Windows appliances.

              I ended up using this approach. As usual, it took a bit of reading and research along with poking at the server, but I was able to use this approach.

              Awesome! Yeah, I bet it took a bit of research to get it up and running.

              1 Reply Last reply Reply Quote 0
              • 1
              • 2
              • 2 / 2
              • First post
                Last post