I currently run an acme server with a self signed root cert for internally hosted services on .home.arpa.
-
I currently run an acme server with a self signed root cert for internally hosted services on .home.arpa. Works well enough most of the time, except when it doesn’t.
I might just transition to *.hq.somedomain.tld and use Caddy’s DNS based verification for a wildcard cert or two.
Might be a bit painful to change. At least it’ll be time consuming. And someone will explain me what a horrible idea it is to use a public domain and DNS for a private network.
@fallenhitokiri have your considered using #tailscale ?
-
I currently run an acme server with a self signed root cert for internally hosted services on .home.arpa. Works well enough most of the time, except when it doesn’t.
I might just transition to *.hq.somedomain.tld and use Caddy’s DNS based verification for a wildcard cert or two.
Might be a bit painful to change. At least it’ll be time consuming. And someone will explain me what a horrible idea it is to use a public domain and DNS for a private network.
@fallenhitokiri So, i am using a public domain and DNS for my tailnet. Because of LE ACME. Since its my homelab net, it doesnt matter that DNS is public
-
I currently run an acme server with a self signed root cert for internally hosted services on .home.arpa. Works well enough most of the time, except when it doesn’t.
I might just transition to *.hq.somedomain.tld and use Caddy’s DNS based verification for a wildcard cert or two.
Might be a bit painful to change. At least it’ll be time consuming. And someone will explain me what a horrible idea it is to use a public domain and DNS for a private network.
@fallenhitokiri tbh. I do believe it is not that bad idea. Makes many things so much easier, I am doing the same, I had enough to deal with certificate trust cross several tools, browsers. And also I am using selfhosted DNS-over-HTTP and DNS-over-TLS and there you are literally done with self-signed certs. So you either pay hundreds of dollars for corporate cert yearly or max 5 usd for vps monthly with caddy. In fact I have my own domain and for this home infrastructure I am using 3rd level domain. Easy peasy, job done. Obviously plus domain cost about 10 euro.
-
@fallenhitokiri have your considered using #tailscale ?
@pfr no. I don’t need most of their features and I don’t fancy running always on VPN for what’s a simple network setup.
-
@fallenhitokiri tbh. I do believe it is not that bad idea. Makes many things so much easier, I am doing the same, I had enough to deal with certificate trust cross several tools, browsers. And also I am using selfhosted DNS-over-HTTP and DNS-over-TLS and there you are literally done with self-signed certs. So you either pay hundreds of dollars for corporate cert yearly or max 5 usd for vps monthly with caddy. In fact I have my own domain and for this home infrastructure I am using 3rd level domain. Easy peasy, job done. Obviously plus domain cost about 10 euro.
@janantos mostly thr same here
except I likely won’t bring in a VPS.Also optimist price for a SSL cert - I had the pleasure to buy an EV cert for signing Microsoft binaries and I never felt so dirty the last 20 years. (Plus the HSM… *sigh)
-
@fallenhitokiri So, i am using a public domain and DNS for my tailnet. Because of LE ACME. Since its my homelab net, it doesnt matter that DNS is public
@ttk ich bin eher nicht so auf dem Tailscale Hype-Zug und mach Netzwerk und vpn wie meine graubärtigen Mentoren es mich gelehrt haben
-
@janantos mostly thr same here
except I likely won’t bring in a VPS.Also optimist price for a SSL cert - I had the pleasure to buy an EV cert for signing Microsoft binaries and I never felt so dirty the last 20 years. (Plus the HSM… *sigh)
@fallenhitokiri for what you describe you might be ok with OV cert and there I would say it will ne few hundreds dollars
-
@janantos mostly thr same here
except I likely won’t bring in a VPS.Also optimist price for a SSL cert - I had the pleasure to buy an EV cert for signing Microsoft binaries and I never felt so dirty the last 20 years. (Plus the HSM… *sigh)
@fallenhitokiri I am using VPS because of DNS server, I am using my own DoH in iPhone to block several stuff (Adblock, tracking, etc)
-
@fallenhitokiri for what you describe you might be ok with OV cert and there I would say it will ne few hundreds dollars
@janantos via my clients contact we have been told by MS that Windows Defender etc. still reacts less aggressive for EV certificates for brand new apps.
Since I’ll have to do this for our project soon I’m curious if this was just wrong and OVs work as well?
-
@janantos via my clients contact we have been told by MS that Windows Defender etc. still reacts less aggressive for EV certificates for brand new apps.
Since I’ll have to do this for our project soon I’m curious if this was just wrong and OVs work as well?
@fallenhitokiri I believe sou can’t sign app with OV only cert. Sorry I missed sou are issuing cert for app signing. My fault.
