Hello, how are you all doing?
I'd like to seek some advice on how to deal with self-signed certificates. Here is the layout of my current environment:
On a simple and humble Lenovo ThinkCentre, I'm hosting a bare-metal Proxmox 9. I have a bunch of apps (Technitium, Stirling-PDF, ConvertX, GitLab, Actual Budget...).
All of these apps are in a Debian LXC, each with its own Docker.
There is a global Nginx Proxy Manager, and with the assistance of Smallstep CA, each has an HTTPS endpoint.
It works well. However, I don't have auto-renewal. Everything is running in an internal network; nothing is exposed. I can reach everything through Tailscale; DNS and the reverse proxy are joined to it, and with them I can access everything without having to join every container to Tailscale.
So because of that, I cannot enjoy Let's Encrypt's ease of use and its auto-renewal.
I came across this:
But to be honest, it requires more knowledge than I currently have... It appears to be well explained, but I get lost reading it.
It's the whole certificate matter that is just a bit confusing to me, to be honest. For instance, another solution that would be okay for me would be to have a wildcard one: *.lab. But even that I couldn't get to work (the browser was complaining the certificate didn't match). I get lost in between root, CA, "leaf", intermediate authority, secret, key...
But my goal (it is always the same: learn, improve my environment, "reach perfection") would be to have some kind of automatic process to dispatch renewed certificates to my reverse proxy: smallstep-ca to Nginx Proxy Manager.
But of course I am all ears if there is a better approach to this.
Thank you very much!