So, I have a few services (Jellyfin, Home Assistant, etc) that I am running, and have been acessing via their IP’s and port numbers.

Recently, I started using NGINX so that I could setup entries in my Pi Hole, and access my services via some made up hostname (jellyfin.home, homeassistant.home, etc).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on and it seems straight forward.

My questions:

  • Will there be any issues running SSL certs if all of my internal service are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

  • AyyLMAO@exploding-heads.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 years ago

    Will there be any issues running SSL certs if all of my internal service are inward facing, with no WAN access?

    If you’re using a third party CA, periodically renewing certificates in my experience. The authority needs to be able to connect to the device it’s issuing a cert to, for it to handle a security challenge iirc.

    If you set up your own CA, none that I know of.

    My main goal is to keep my home setup off of the internet.

    Then I don’t understand the need for neither domain names nor third party signed certs. Can’t you use PiHole as a configurable DNS server, just make any domain name go to any of your local devices?

    • root@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 years ago

      That was my concern too. NGINX would need access to the internet in order to renew the certs.

      Then I don’t understand the need for neither domain names nor third party signed certs. Can’t you use PiHole as a configurable DNS server, just make any domain name go to any of your local devices?

      Yes, that is how it is currently setup, and how I may end up leaving it. Right now, I can go to jellyfin.home, and that request gets routed to my pihole which has custom DNS entries, which then points to NGINX and NGINX forwards it to the correct IP/ port. All works as expected, except it is not https (which is not that big of a deal since all my stuff is restricted from the outside world). Just an OCD itch I’m trying to scratch.

      • AyyLMAO@exploding-heads.com
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        2 years ago

        Hey, I advocate https even for LAN only, most people don’t think about the Wifi attack vector. That’s why I use self signed certs on my LAN stuff, I just don’t care about that yellow padlock that disappears when I trust the website. I’ve only experienced a single app ever that didn’t accept self-signed (I’m looking at you wallabag app).

        I can understand how it would be different if family members suddenly starts asking if it’s true when their devices tell them the webside is potentially dangerous.

        Yes, it’s dangerous to surveillance capitalism

        People… watching money?

        Forget it, I’ll set it up with a regular cert and external access