this post was submitted on 01 Dec 2023
62 points (100.0% liked)

Selfhosted

46170 readers
396 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
62
Do you run a private CA? Could you tell me about your certificate setup if you do? (lemmy.world)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
52 comments fedilink hide all child comments
 

Hi, I was looking at private CAs since I don't want to pay for a domain to use in my homelab.

What is everyone using for their private CA? I've been looking at plain OpenSSL with some automation scripts but would like more ideas. Also, if you have multiple reverse-proxy instances, how do you distribute domain-specific signed certificates to them? I'm not planning to use a wildcard, and would like to rotate certificates often.

Thanks!

Edit: thank you for everyone who commented! I would like to say that I recognise the technical difficulty in getting such a setup working compared to a simple certbot setup to Let's Encrypt, but it's a personal choice that I have made.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 12 points 1 year ago* (last edited 1 year ago) (6 children)

If you want to run your own pki with self-signed certificate in your homelab I really encourage you to read through this tutorial. There is a lot to process and read and it will take you some time to set everything up and understand every terminology but after that:

  • Own self-signed certificate with SAN wildcards (https://*.home.lab)
  • Certificate chain of trust
  • CSR with your own configuration
  • CRL and certificate revocation
  • X509 extensions

After everything is in place, you can write your own script that revoks, write and generates your certificate, but that is another story !

Put everything behind your reverse proxy of choice (traefik in my case) and serve all your docker services with your own self-signed wildcard certificates ! It's complex but if you have spare time and are willing to learn something new, it's worth the effort !

Keep in mind to never expose such certificates on the wild wild west ! Keep those certificate in a closed homelab you access through a secure tunnel on your LAN !

edit

Always take notes, to keep track of what you did and how you solved some issues and always make some visuals to have a better understanding on how things work !

[–] [email protected] 4 points 1 year ago (1 children)

never expose such certificates on the wild wild west ! Keep those certificate in a closed homelab you access through a secure tunnel on your LAN !

I'm curious, what's the reason?

[–] [email protected] 1 points 1 year ago

In many architectures in which certificates are used, a client with a valid certificate is a trusted client, so a certificate falling into the wrong hands is problematic.

load more comments (5 replies)
[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

I’m using step-ca. Its running on dedicated SBC. ACME certs created for each service renewing automatically daily. Honestly this setup wouldn’t be worth it if it wasn’t for daily cert rotation. I’m not using wildcard certs with own CA as it’s bad practice and defeats the purpose. There are bunch of different ACME renewal scripts/services. K8s cert manager handling kubernetes services automatically. Opensense has ACME cert plugin, nginx proxy manager is using external cert managed by script. I’m validating certs with DNS using TSIG. Step-ca have several integrations with different DNS services. I chose TSIG because it’s universal. There is pi-hole integration if you using that. Buying valid domain is not needed as long as you have internal DNS. You need to Install root Ca on every machine that will be connecting to services. If you have many VM’s configuration management is the way to go.

[–] [email protected] 1 points 1 year ago

Thank you, and yes, I agree. Frequent certificate cycling and revocations is one of best parts of having a private CA, along with particular certificates for particular domains. With that said: Could you tell me more about TSIG? This is the first time I have come across it, and 2 seconds of reading tells me that it is used to validate automated updates and zone transfers for the DNS server, and also to validate domains? I didn't think of this avenue before, but it seems very interesting to implement.

And yes, I will have an internal DNS, and I will be inserting the Root CA certificate on all of my client devices.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago) (1 children)

Use something like no-ip, you can get a domain for free and renewing it every 30 days with a few clicks is much easier then managing a CA.

The only downside is the TLD but if you don't care to much about how your domain name looks it really is the best option.

I use no-ip with letsencrypt, the LE bot does the certificate stuff for me, I use a single domain with different ports for each service and no-ip sends an email every 30 days to reconfirm the domain. Simple and easy.

[–] [email protected] 2 points 1 year ago

I would not like to use a public domain for my internal traffic, even if the traffic is not routed outside. This is more of a personal choice than me looking for the easiest technical solution. I do own a domain, but I'll keep that specifically for elements facing the internet.

Thanks!

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not using a private CA for my internal services, just plain self-signed certs. But if I had to, I would probably go as simple as possible in the first time: generate the CA cert using ansible, use ansible to automate signing of all my certs by the CA cert. The openssl_* modules make this easy enough. This is not very different from my current self-signed setup, the benefit is that I'd only have to trust a single CA certificate/bypass a single certificate warning, instead of getting a warning for every single certificate/domain.

If I wanted to rotate certificates frequently, I'd look into setting up an ACME server like [1], and point mod_md or certbot to it, instead of the default letsencrypt endpoint.

This still does not solve the problem of how to get your clients to trust your private CA. There are dozens of different mechanisms to get a certificate into the trust store. On Linux machines this is easy enough (add the CA cert to /usr/local/share/ca-certificates/*.crt, run update-ca-certificates), but other operating systems use different methods (ever tried adding a custom CA cert on Android? it's painful. Do other OS even allow it?). Then some apps (Web browsers for example) use their own CA cert store, which is different from the OS... What about clients you don't have admin access to? etc.

So for simplicity's sake, if I really wanted valid certs for my internal services, I'd use subdomains of an actual, purchased (more like renting...) domain name (e.g. service-name.internal.example.org), and get the certs from Let's Encrypt (using DNS challenge, or HTTP challenge on a public-facing server and sync the certificates to the actual servers that needs them). It's not ideal, but still better than the certificate racket system we had before Let's Encrypt.

[–] [email protected] 1 points 1 year ago (1 children)

Finally got around to replying to the comments I got haha!

Thanks for the explanation. I'm curious why you're not running your own CA since that seems to be a more seamless process than having to deal with ugly SSL errors for every website, every time you rotate the certificate.

I'm wondering about different the process is between running an ACME server and another daemon/process like certbot to pull certificates from it, vs writing an ansible playbook/simple shell script to automate the rotation of server certificates.

About my clients: I am likely never going to purchase Apple products since I recognise how much they lock down their device. Unfortunately, there are not that many android devices in the US with custom ROM support. With that said, I do plan to root all of my Android devices when KernelSU matures (in about a year, I think) - I'm currently reading up on how to insert a root and client certificate into Android's certificate store, but I think it's definitely possible. Other than that, I might have a throwaway Windows VM sometimes, which is doable, alongside a Void linux box with a Debian chroot. All in all, fairly doable, just a bit of work to automate.

Thanks!

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

I’m curious why you’re not running your own CA since that seems to be a more seamless process than having to deal with ugly SSL errors for every website

It's not, it's another service to deploy, maintain, monitor, backup and troubleshoot. The ugly SSL warning only appears once, I check the certificate fingerprint and bypass the warning, from there it's smooth sailing. The certificate is pinned, so if it ever changes I would get a new warning and would know something shady is going on.

every time you rotate the certificate.

I don't really rotate these certs, they have a validity of several years.

I’m wondering about different the process is between running an ACME server and another daemon/process like certbot to pull certificates from it, vs writing an ansible playbook/simple shell script to automate the rotation of server certificates.

  • Generating self-signed certs is ~40 lines of clean ansible [1], 2 lines of apache config, and one click to get through the self-signed cert warning, once.
  • Obtaining Let's Encrypt certs is 2 lines of apache config with mod_md and the HTTP-01 challenge. But it requires a domain name in the public DNS, and port forwarding.
  • Obtaining certs from a custom ACME CA is 3 lines of apache config (the extra line is to change the ACME endpoint) and a 100k LOC ACME server daemon running somewhere with its own bugs, documentation, deployment and upgrade management tooling, config quirks... and you still have to manage certs for this service. It may be worth it if you have a lot of clients who don't want to see the self-signed cert warning and/or worry about their private keys being compromised and thus needing to rotate the certs frequently (you still need to protect the CA key...)

likely never going to purchase Apple products since I recognise how much they lock down their device

hear hear

there are not that many android devices in the US with custom ROM support. With that said, I do plan to root all of my Android devices when KernelSU mature

I bought a cheap refurbished Samsung, installed LineageOS on it (Europe, but I don't see why it wouldn't work in the US?), without root - I don't really need root, it's a security liability, and I think the last time I tried Magisk it didn't work. The only downside is that I have to manually tap Update for F-Droid updates to run (fully unattended requires root).

I’m currently reading up on how to insert a root and client certificate into Android’s certificate store, but I think it’s definitely possible.

I did it on that LineageOS phone, using adb push, can't remember how exactly (did it require root? I don't know). It works but you get a permanent warning in your notifications telling you that The network might be monitored or something. But some apps would still ignore it.

[–] [email protected] 2 points 1 year ago

Europe

Samsung devices in the US have their bootloaders locked, regardless of whether you bought it from a carrier or not. I'll be looking at other devices, and even then, custom ROM support has all but stopped for everything but the pixel. Living in Europe is great for this, for you have the FP5 available.

But some apps would still ignore it.

Apps with their own certificate store like Firefox? Yeah, I'm thinking about how I can deal with that. Is there a FOSS Android MDM solution that I can use?

[–] [email protected] 6 points 1 year ago (1 children)

Written in go, very small and portable: https://github.com/FiloSottile/mkcert. There's also step-ca, bigger and uses ACME to deploy certificates, never used it tho.

Just be awake of the risks involved with running your own CA.

[–] [email protected] 2 points 1 year ago (1 children)

Thanks, could you tell me why one would run this over plain OpenSSL with automation? Also, what risks would I run running a private CA? I'd love to know!

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

could you tell me why one would run this over plain OpenSSL with automation?

Those projects essentially are the automation...

what risks would I run running a private CA? I’d love to know!

https://security.stackexchange.com/questions/205174/what-are-the-risks-of-installing-a-ca-on-the-same-machine-as-openvpn-server

More or less you're adding a root certificate to your systems that will effectively accept any certificate issues with your CA's key. If your PK gets stolen somehow and you don't notice it, someone might be issuing certificates that are valid for those machines. Also real CA's also have ways to revoke certificates that are checked by browsers (OCSP and CRLs), they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

[–] [email protected] 1 points 1 year ago (1 children)

I do realise the security problem in keeping the private key safe. I plan to use a VM with encrypted storage underneath. Do you think that's OK for a homelab, or should I invest time into integrating HSM modules from Nitrokey?

[–] [email protected] 1 points 1 year ago (1 children)

Why are you pushing for your own CA in the first place?

[–] [email protected] 1 points 1 year ago (1 children)

I would not like to use a public domain for my internal network. By extension, I do not want any public CA to know the domains and subdomains I use in my lab and home network

[–] [email protected] 1 points 1 year ago (1 children)

Okay that's fair but if your only concern is about "I do not want any public CA to know the domains and subdomains I use" you get around that.

Let's Encrypt now allows for wildcard so you can probably do something like *.network.example.org and have an SSL certificate that will cover any subdomain under network.example.org (eg. host1.network.example.org). Or even better, get a wildcard like *.example.org and you'll be done for everything.

I'm just suggesting this alternative because it would make your life way easier and potentially more secure without actually revealing internal subdomains to the CA.

Another option is to just issue certificates without a CA and accept them one at the time on each device. This won't expose you to a possibly stolen CA PK and you'll get notified if previously the accepted certificate of some host changes.

openssl req -x509 -nodes -newkey rsa:2048 \
-subj "/CN=$DOMAIN_BASE/O=$ORG_NAME/OU=$ORG_UNIT_NAME/C=$COUNTRY" \
-keyout $DOMAIN_BASE.key -out $DOMAIN_BASE.crt -days $OPT_days "${ALT_NAMES[@]}"
[–] [email protected] 2 points 1 year ago (1 children)

My apologies, I didn't word my concerns properly in the moment. I would like to run a private CA simply because I do not want to use a public domain for my internal network. It makes me deeply uncomfortable to use a public domain and get public certificates for something inherently so private (it's more philosophical than technical, although I suppose that's where a lot of opinionated technical decisions come from anyway). Your solution is elegant and simple, but I really do want to do it completely internally, and move towards zero trust security practices as I do. Basically, I want to start training myself on the security side of SRE in my lab, running services which matter to me and working like the more paranoid SRE teams in corporations work....I know this sounds like fantasy, and my needs might change going forward, but I'm also hoping to learn a lot from this and hopefully make this as robust as I can. Having a good security posture makes me feel warm inside :)

[–] [email protected] 2 points 1 year ago (1 children)

It makes me deeply uncomfortable to use a public domain and get public certificates for something inherently so private

You can obviously run your own CA, great exercise but why? What really makes you that uncomfortable? Once you go with the wildcard nobody will know about your internal hosts or whatever. Even if the domain is taken down, you're offline or wtv your local DNS server will still be able to serve replies to those internal subdomains. You don't need to publish those subdomains (A records) in a public DNS server, just on your own internal DNS server.

I guess if you rally want to take the CA route those tools I provided before are the best option. Simply issuing a certificate (without a CA) and allowing it on a browser might also work for you - less risks of stolen PK as described.

I hope the links and tips helped you in some way.

[–] [email protected] 1 points 1 year ago

Thanks!

[–] [email protected] 6 points 1 year ago (1 children)

I don't at the moment, because I don't have a need for it, but I did for a while run a PoC with Step CA, and that seems like the easiest way to get up and running, even if its features are overkill for a home lab.

[–] [email protected] 2 points 1 year ago (1 children)

Step CA is really nice if you want to learn more about how a real CA works. Had some fun playing with it but yeah it's a bit overkill for home lab xD.

You can achieve the same result with openssl with less complexity !

[–] [email protected] 1 points 1 year ago

Thanks, I have been recommended Step-CA a few times under this post, I'll take a look!

[–] [email protected] 4 points 1 year ago (1 children)

I run a crude automation on top of OpenSSL CA. It checks for certain labels attached to kubernetes services. Based on that it creates kubernetes secrets containing the generated certificates.

[–] [email protected] 1 points 1 year ago (1 children)

I would be very interested in your setup. Could you give me a high-level overview of how your setup works?

I'd also like a link to your automation/configuration if you would. Thanks!

[–] [email protected] 4 points 1 year ago (1 children)

I just uploaded to Github: https://github.com/akashrawal/nsd4k

I only made it for myself, so expect very rough edges in there.

[–] [email protected] 1 points 1 year ago

Thank you!

[–] [email protected] 3 points 1 year ago (1 children)

Self-host your own ACME server. Then you can use certbot pointed there.

These instructions are old so not sure if newer/better ways, https://blog.sean-wright.com/self-host-acme-server/

[–] [email protected] 1 points 1 year ago

Thank you, I was looking to host Step-CA, whilst OpenSSL is another option. I'm also planning to combine it with a vault for secrets like Conjur and encrypt the volumes underneath. I want to reach the best security posture possible in this kind of setup

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (2 children)

I run easy-rsa on a linux box. Just manually generate CSR's and sign them via SSH.

And simply trust the CA cert in windows, linux and whatever extra places (normally firefox cert store).

Post the crl.pem to /var/www/html/ and let NGINX use that.

For most things public like plex or whatever i just use letsencrypt. Easy-rsa is really just for internal stuff like my NAS, VPN etc.

load more comments (2 replies)
[–] [email protected] 2 points 1 year ago (1 children)

I run a private CA for client SSL.
For traditional server SSL I just use let's encrypt, although I already have the domain (less than $10 a year) for my public facing stuff, and just use a subdomain of that one for my homelab.

I have a container with openssl for the private CA and generating user certs as well as renewing the let's encrypt ones. I just use openssl without anything fancy.
The output folder is only mounted rw in that one container
I only ever mount the subfolders in read-only in other containers that need those certs.
All these containers are running on the same server so I don't even have to copy anything around, the containers don't even need connectivity between them, it's just mounted where needed.

[–] [email protected] 1 points 1 year ago (1 children)

I'd be very interested to hear your reasoning behind using a private CA for clients but using Let's encrypt for servers. Thanks for the explanation on the OpenSSL setup!

[–] [email protected] 2 points 1 year ago (1 children)

I'm just doing mutual TLS to authenticate clients which I use the pricate CA for.
I could use the orivate CA for the server instead of lets encrypt and trust that on devices, but letsencrypt is easy enough and useful for other things that I open publicly. mTLS avoids needing a vpn for more sensitive services

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Did you design your lab infrastructure to operate in a zero trust security framework? I'm very interested; I never really grasped mTLS, but I'm going to try and read more about it. Thanks!

Edit: Alright, I understand the high-level concept of mTLS. Just need to check the implementation details with my reverse-proxy

[–] [email protected] 2 points 1 year ago (1 children)

Not really, although now that I have certs for those anyway, maybe I should.
More like I'm using some services on the go that I want to always work, whether I'm on the LAN or on the go.
Opening home automation or 3d printers to the Internet is unwise to say the least.
mTLS in the reverse proxy for those allows me to have more security without having to establish a VPN first.

[–] [email protected] 2 points 1 year ago (1 children)

Oh, that's a great idea! Indeed, using certificates to identify yourself would work quite well in such a scenario. Whilst I would always use a VPN server, this has given me something new to think about! Thanks!

[–] [email protected] 2 points 1 year ago (1 children)

What's nice is it provides a similar level of protection to using a VPN with PKI, but just for that specific subdomain. While a VPN would be have to be connected manually before use (or all the time), this is built-in.

The odds of someone breaking through the mTLS and breaking through that application's security at the same time are much smaller than either separately.
If you don't have a valid cert, you're dropped by the reverse proxy before anything even gets passed to the server behind it.

I'm a big fan of it.

[–] [email protected] 2 points 1 year ago

I'll take a look, thanks!

[–] [email protected] 2 points 1 year ago

I do have Vault PKI set up but I don't use it that much. It's only if I want to do mTLS with something.

For almost all of my actual services, I use a wildcard cert that covers something like *.int.example.com. I use acme.sh to create and renew the cert then have a python script that copies it to any vms or services that need it

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CA (SSL) Certificate Authority
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
NAS Network-Attached Storage
SAN Storage Area Network
SBC Single-Board Computer
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
k8s Kubernetes container management package
nginx Popular HTTP server

[Thread #324 for this sub, first seen 1st Dec 2023, 23:25] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 4 points 1 year ago (1 children)

Bad bot. You don't want to tell us what a CA is?

[–] [email protected] 3 points 1 year ago

Obviously California or Canada.

Ah sorry this is a tech community so obviously it is computer animation.

[–] [email protected] 1 points 1 year ago (1 children)

Why bother with certificate rotation in a homelab environment? You could issue certificates for three years and just call it a day.

Personally, I have experience with Microsoft Certificate Services, which works pretty well out of the box and is also quite well supported. But you need a Windows Server for it.

[–] [email protected] 1 points 1 year ago

It's just a personal feeling really, I feel better having them being rotated. Of course, when it comes to rotating client certificates, I might have to think long and hard about the pain I'm about to inflict on myself.

I'll take a look at MCS, although I'd prefer not having to trust Microsoft on things critical to my lab

load more comments
view more: next ›