So I’ve had servers on my LAN for a good few years now, and, as a million other people have said before me, I’d like to remove the security warning when I initially connect to them.
I’ve gone through tutorials on YT many times and I either get stuck or just lose interest and start feeling it’s not worth the effort. I have a test TrueNAS Core install; I even saw it might be easier to do this with Scale, so I upgraded…but still got stuck. If anyone could give me pointers as to the easiest way to do it, that’ll be superb.
The tools I have already:
A Ubiquiti USG (the smallest cheapest one)
A Pi-Hole running on a Raspberry Pi 4 B (active and working very well).
A Ubiquiti Cloud Key G2 Plus
Managed Netgear PoE Switches
Plenty of spare domains and access to them.
A Cloudflare account (I use for my business websites).
A spare TrueNAS machine (Can be Core or Scale, currently Core).
A spare Raspberry Pi 4 B (currently not being used).
Any pointers would be great, sorry for bothering you!
This is the warning for self-signed SSL certificates, right? You still access via https:// and want to get rid of the warning? Are your services in docker containers or VMs?
It’s certainly possible but I think you need to get a domain name for your server to issue certificates (letsencrypt is probably fine for this use case). It may also be possible to get around this by setting up a local certificate authority but that sounded like a lot of work to me (I think you need to supply certs to all clients then?).
The thing is… if you only access over your local network it’s not really necessary to use anything more than self-signed unless you can’t trust some other users on the network, as I understand it. Maybe someone else will chime in. I’m kind of curious what the worst-case security implications of using these self-signed certificates are though, so I suppose I’ll be watching this thread. I figure it’s fine for me since nothing is exposed to the internet, but I do use Tailscale…
Personally I would try to run a reverse proxy to all the services and just set up letsencrypt once on the reverse proxy (there are docker container images on the hub for this purpose specifically, I believe). Something like Traefik claims to do this with little or zero configuration. Else Caddy or Nginx would work too. This would require turning off https for all the services you’re supplying though. Edit: looks like this requires supplying certs for all your services, which may or may not be possible in some cases… (Securing HTTP Traffic to Upstream Servers | NGINX Documentation). Would probably break when you update containers, maybe not VMs.
Your timing is so off, man… Ars is gonna do an article on that kind of thing soon-ish…
Part one (not the part you need…)
Not sure about how to do the CA server that you need… but for sure it is possible…
I just mention it because the guy will cover what you need in the next article, and I only ran across this one the other day.
But wait, there’s more!
This piece is intended to be part one of two. If the idea of having one’s own bind and dhcpd servers sounds a little silly (and it’s not—it’s awesome), it’s actually a prerequisite for an additional future project with serious practical implications: our own fully functioning local ACME-enabled certificate authority capable of answering DNS-01 challenges so we can issue our own certificates to LAN services and not have to deal with TLS warnings like plebes.
There’s no technical reason you can’t use Let’s Encrypt on your internal LAN; they may have terms of service saying you can’t, but I doubt they would validate it. If you use the DNS validation option, you don’t even need to expose anything to the Internet.
TrueNAS, in particular, has a form to get you signed certs
On Core they only support Route 53 DNS; on Scale they support Route 53 and Cloudflare. You do NOT expose anything to the internet with this method - it uses a DNS challenge.
I would start there, since you have a domain with cloudflare.
On a tangent, I do get Let’s Encrypt certs for all my internal servers because I find that self-signed errors get in the way for some user interfaces. Sure, it’s secure enough on my LAN, but the warning is annoying and/or breaks stuff.
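The DNS challenge the two posts above rely on, as an added example that is not from this thread or from TrueNAS: the Go program below computes, on the client side, the `_acme-challenge` TXT record an ACME client publishes for a domain (RFC 8555 section 8.4, using the RFC 7638 thumbprint of the account key), and, on the CA side, the comparison the CA performs after looking that record up over public DNS. The domain `nas.example.com`, the freshly generated P-256 account key and the token value (borrowed from the RFC 8555 example) are assumptions for this illustration; in practice the TrueNAS form or an ACME client does all of this for you, which is why no port on the LAN ever has to be reachable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
)

// jwkThumbprint returns the RFC 7638 thumbprint of a P-256 ACME account key:
// SHA-256 over the canonical JSON of the required members (crv, kty, x, y) in
// lexicographic order with no whitespace, encoded base64url without padding.
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	size := (pub.Curve.Params().BitSize + 7) / 8
	// encoding/json sorts map keys, which yields the required member order.
	canon, err := json.Marshal(map[string]string{
		"crv": "P-256",
		"kty": "EC",
		"x":   base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, size))),
		"y":   base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, size))),
	})
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// dns01Value is the TXT record content: base64url(SHA-256(token "." thumbprint)).
// Publishing a hash (not the key authorization itself) is what lets the record
// sit in public DNS without leaking anything usable.
func dns01Value(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// dns01Record is the client side: the record name and value to publish for domain.
func dns01Record(domain, token, thumbprint string) (name, value string) {
	return "_acme-challenge." + domain, dns01Value(token, thumbprint)
}

// caAccepts is the CA side: the CA resolves the TXT record over public DNS and
// compares it with the value it expects for the token it issued. Nothing on the
// LAN is contacted; only the DNS zone has to be reachable.
func caAccepts(observedTXT, token, thumbprint string) bool {
	expected := dns01Value(token, thumbprint)
	return subtle.ConstantTimeCompare([]byte(observedTXT), []byte(expected)) == 1
}

func main() {
	// Constructed sample input: a fresh account key and the token from RFC 8555.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	thumb, err := jwkThumbprint(&key.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	const token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	name, value := dns01Record("nas.example.com", token, thumb)
	fmt.Printf("publish TXT %s = %q\n", name, value)
	fmt.Println("CA accepts correct record:", caAccepts(value, token, thumb))
	fmt.Println("CA accepts record for an old token:", caAccepts(value, "stale-token", thumb))
}
```

The record value is bound to both the one-time token and your account key, so a leftover TXT record from an earlier run, or a record published by someone who controls a different account, does not validate; that is the check the second `caAccepts` call exercises.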
That warning comes up because the chain of trust is broken. You can either:
Issue your own root certificate (easier than it sounds, really) - this then requires that said root certificate is manually installed on every device trying to access the device. Here is the basic rundown:
Register your own domain and buy a certificate for said domain. This is pretty easy but will cost you something like $10-$30 a year per certificate. It is possible to set this domain up so it can only be accessed from the inside of the network, while trying to access it from the outside will redirect you to a simple static website.
Yes, that’s right and right! But the services aren’t in docker containers; these are just file servers.
If I already have a spare domain, can I use that instead of going the letsencrypt route? Also, I have an unlimited SSL package if that’s helpful to know.
Ahh, well, that is the case, so maybe I shouldn’t worry about it. I do have non-tech-literate people using the network (yes, worse than me), but I do eventually plan to divide it at some point using VLANs…once I figure out how to do that!
I use that too, it’s great!
So would that mean I have to run a machine just for this purpose, or could I create a VM on a file server and have it do part of the job of giving valid SSL’s? If I had at least one machine doing VM duties, it would be perfectly fine, but alas I don’t.
Thank you for this, perhaps I’ll give it a go and at least try the letsencrypt route…pity I can’t use the domains that I have hanging around doing nothing, hey ho!
I’ll also upgrade to Scale again, I find it a bit weird compared with Core…but then I’m most familiar with Core so I am going to be biased.
I might look into that. All in all, it looks like whatever I do, I must have a machine that’s dedicated to this, so a nice superlow power unit will be ideal. Unless I can do it on the spare Raspberry Pi I have?
Unless you need to access the webui from the internet I wouldn’t worry about it. But if it really bothers you then creating a self signed CA and installing that on your devices is going to be the easiest solution.
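For the private-CA option (the root-certificate route described a few posts up and again in the post just above), here is an added Go example, not code from this thread, from TrueNAS or from any linked article. It builds a root CA, issues a server certificate with DNS and IP SANs signed by that root, and then runs the same chain and hostname check a browser does: once as a device that has the root installed and once as a device that does not. The names `Home LAN Root CA`, `truenas.home.lan` and `192.168.1.10` are placeholders chosen for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// newRootCA makes a self-signed CA certificate. The key is what you keep offline;
// the certificate is what you install on every client device.
func newRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Home LAN Root CA"}, // placeholder name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero:        true, // signs leaf certs only, never intermediates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert signs a leaf certificate for a LAN service. Browsers match the
// SAN entries, not the CommonName, so every name or IP you type into the address
// bar must be listed here.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, ips []net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if len(dnsNames) == 0 {
		return nil, nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLikeBrowser checks leaf against the roots a device trusts and the host
// the user typed. A nil error is the padlock; any error is the warning page.
func verifyLikeBrowser(leaf *x509.Certificate, trustedRoots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // empty but non-nil: nil would fall back to the OS store
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// rootPEM is the file you import into each device's trust store.
func rootPEM(ca *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}))
}

func main() {
	ca, caKey, err := newRootCA()
	if err != nil {
		log.Fatal(err)
	}
	leaf, _, err := issueServerCert(ca, caKey, []string{"truenas.home.lan"}, []net.IP{net.ParseIP("192.168.1.10")})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("device with root installed, by name:", verifyLikeBrowser(leaf, []*x509.Certificate{ca}, "truenas.home.lan"))
	fmt.Println("device with root installed, by IP:  ", verifyLikeBrowser(leaf, []*x509.Certificate{ca}, "192.168.1.10"))
	fmt.Println("device without the root installed:  ", verifyLikeBrowser(leaf, nil, "truenas.home.lan"))
	fmt.Print(rootPEM(ca))
}
```

The third check in `main` is the situation the thread is about: the certificate is fine, but the device has no root that signed it, so the chain cannot be built and the browser warns. Installing the PEM on each client fixes exactly that; a wrong or missing SAN (for example, browsing by IP when only the hostname is listed) produces a warning too, which is why the example puts both in the certificate.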
Would you be able to create certs and upload them to services like Plex and Pi-hole and such that use self-signed certs?
@wertigon’s linked site might be a little more flexible for issuing certs that one creates oneself, for apps and internal sites that are spread throughout the LAN?