So, I have a few services (Jellyfin, Home Assistant, etc) that I am running, and have been acessing via their IP’s and port numbers.

Recently, I started using NGINX so that I could setup entries in my Pi Hole, and access my services via some made up hostname (jellyfin.home, homeassistant.home, etc).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on and it seems straight forward.

My questions:

  • Will there be any issues running SSL certs if all of my internal service are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

  • Omripresent@leddit.social
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago

    Shouldn’t be any risk if it’s all local.

    For an internal domain you’ll need to set up your own internal CA to sign certs for your fqdns. The risk comes from any mishandling of that new CA since you’ll need to install it as a trusted root on all of your devices and if someone gets a hold of it nothing would stop them from creating a MITM attack for let’s say yourbank.com

    If you have the CA’s key under lock then you should be good.

    • pacocascadero@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Don’t use internal domain, use standard domain + split DNS instead. Much simpler to handle certificates for internal services with ACME protocol.

    • root@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Gotcha. Yeah I read about doing a self-hosted CA, but then I have to add the cert to every device that needs access to the service, which I don’t think the family would be thrilled about. I was going to use the cert generator in NGINX and use the key from my actual domain. This way I don’t need to add the certs manually.

      My only worry is exposing something accidentally, but if my firewall rules prevent any outside access from my services (Jellyfin, Nginx, Homelab, etc) and the only thing with internet is the device accessing it (a laptop or TV), then I think I should be ok…

      • Omripresent@leddit.social
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If you have a domain you own that’s the way to go, I went by your .home naming assuming that’s what you’re using. Since .home can’t be registered similar to .local, LetsEncrypt wouldn’t be an option.

        I have a split DNS setup on my end so a service like jellyfin would resolve only internally since I want to limit it, but others would be both public and internal.

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      For an internal domain you’ll need to set up your own internal CA

      No real need to run your own CA. As long as you have an actual domain name, you can use Let’s Encrypt with DNS challenges to get certificates for internal servers.