I have been using the Let’s Encrypt add-on for some time and this has worked perfectly for the purpose of just Home Assistant. However, I want to make use of the cert in some docker containers on other machines running things like Emby etc.
I have altered the config so it now generates wildcard certificates so I can split services into subdomains, but now I have hit a couple of issues:
The plugin requires manually starting or for HA to be manually restarted (add-on set to run at boot) to generate updated certificates when the 3 month window hits. This was historically not an issue, but very soon Let’s Encrypt will no longer send reminder emails. Because I very rarely reboot my HA, this could quite easily lead to an out of date certificate if I forget to renew it. This is a minor concern, but something I need to think about.
and more importantly:
Obviously the cert files this add-on generates are stored in the correct location for HA to use them. At the moment, I just copied them from the ssl folder and manually placed them on the other machines I want to use them on - but moving forward this will be a massive laborious pain. One thing I thought about was changing the add-on config so it only generates for 1 subdomain (ie. ha.name.com) then using a docker somewhere else to generate other certificates (Cert bot?).
What would be the easiest way to make use of and distribute this cert to possibly many many dockers and other applications every time it renews? What do others do here in this situation? It was suggested to me recently that I would setup a reverse proxy and put the certs there, but I use a mesh VPN to access my network and do not open ports in my router. I don’t know if that is applicable to my situation? I’ve never really dealt with things like SSL certs and reverse proxies so please forgive me if this is both an obvious and silly question - but it’s just not something I can had to deal with before. Any advice would be greatly appreciated
NOTE
I have 2 proxy and 80/443 were not available so I use caddy module for my domain provider to request cert using txt record. Basically instead of letsencrypt talking to server on ports 80 and 443 I gave caddy api code so it can just add record at my domain host so letsencrypt could verify my control of domain. This was helpful since I only use caddy for my internal lan domain.
No, I don’t use a reverse proxy - there’s no external access by means of open ports in my router. I access my LAN using a mesh VPN (tailscale) and use DNS rewrites (because every device connected to the VPN uses my own DNS server). So when a device tries to connect to homeassistant.mydomain.com it is forwarded to the correct mesh IP eg. 100.1.2.3. (Does this mean I am essentially MITM’ing my own devices so the cert is valid? ) The domain is for internal use just because I wanted SSL without all the self sign certs and nagging from browsers (even thought the mesh VPN encrypts everything, the browsers are unaware of this and still nag). This works well, I just don’t want to have to distribute the cert that the HA add-on has generated manually to other dockers/hosts as it will be a PITA.
Caddy looks interesting. I’ll give it a look, thanks. I think the main issue here I am dealing with is less about the certs and more about how to automate their distribution to different servers. Caddy seems to suggest it can help with that. I also came across HashiCorp Vault.
My current caddy setup is internal only and requires no open ports.
If these are docker hosts you can pretty much have caddy generate certs and and bind mount caddy cert folder (read only) in each container or possibly utilize caddy as proxy and place it on tailnet(need to consider how this would work fully)
I think this is the approach I am after, thanks! I will have a play around with Caddy and my tailnet and see what I can come up with
I get that. It’s more because I get fed up with browsers nagging and since the certs are already generated, I thought I may as well make use of them. It also opens the possibility of using external access in the future if that’s something that’s needed.
If the certs are locally generated, they won’t be accepted externally.
You would need to use let’s encrypt or something to generate the certs at that point anyway.
I can go with dog story and then I will end with ban.
Why not if you can do it?
It is just a line of defense, not very hard to set up. So why not.
I’m accesing most of the things, not all, over ssl in my local network.
There are some things to and I will do it when I cache time like mqtt over ssl for my local network.
Open ports are not required if you use the caddy module for your hosting provider . As a side note, you take the standard caddy file and put it in a dockerfile with module to create new caddy docker image with module.
I run local DOH resolver and alias(forget term) the domain I have for local network so it never leaves firewall. Local https is unnecessarily (even though helpful for esphome maybe ) but I did for more professional look or boredom.
In the end I just wanted to local test caddy. Local ssl not necessary but good practice if you can do it with ease. I redid majority of docker network and local in 2hrs. Part of this was to block external to WAN for docker containers and force all through proxy or restricted docker network. I don’t trust some containers and others just shouldn’t get more access than required. This allowed me to do this.
I already use the let’s encrypt add-on. The whole point of this was to be able to use those let’s encrypt generated certs on other machines. I probably didn’t explain this properly, sorry.
The HA add-on has certain limitations that (from what I now understand) Caddy addresses.
Pretty much my thinking.
@tmjpugh thanks again for all the info and pointers. You’ve got me totally in the right direction. I’m quite confident I know what I am doing now - or at least what I am trying to do
) The domain is for internal use just because I wanted SSL without all the self sign certs and nagging from browsers (even thought the mesh VPN encrypts everything, the browsers are unaware of this and still nag). This works well, I just don’t want to have to distribute the cert that the HA add-on has generated manually to other dockers/hosts as it will be a PITA.