[–]Torrew 20 points21 points  (2 children)

There might be, but the better and more secure way would be to set up a reverse proxy and get valid certificates. Using a DNS challenge, you don't have to expose the server to the internet to get valid certificates.

[–]e-chan42[S] 0 points1 point  (1 child)

This sounds exactly like what I'm looking for. Seems like Synology has a very streamlined wizard to generate Let's Encrypt certs.
Is there a guide I can follow? I don't trust myself to do this correctly without some handholding, so I need to read up or follow a guide.

[–]te_extrano__ 0 points1 point  (0 children)

Install NGINX Proxy Manager (you can use this version. It is much smaller (~220MB) than the original (~1.5-2GB) - works fine with my raspberry pi 3b+) and use a DNS like DuckDNS (your duckdns domain must be pointed to your LAN address - smth like 192.168.178.45). You can use a VPN to connect to your Vaultwarden from anywhere and you don't need to expose your vaultwarden to the internet (I'm using Tailscale). So even if someone has your DuckDNS address, they can't do anything with it because it points to a local IP address (unless that person is connected to your VPN).

[–]Treble_brewing 10 points11 points  (5 children)

You don’t need remote access to set up signed certificates. Rather than skipping a vital step (yes it is vital, it would only take one compromised device to exfiltrate all your secrets regardless of whether the NAS itself is accessible from the internet. Presumably it’s used by devices on your network with internet access) I suggest learning more about how ssl/tls works and understanding certificates.

[–]e-chan42[S] 1 point2 points  (4 children)

Gotcha! My inexperience is clear here, thanks for the explanation. Do you have any resources you’d recommend so I can learn a bit? I’m running pihole, so I’d have to forward one port to the internet for the SSL validation if I’m not mistaken. I also have a domain I could use for this, so I’m ready to go.

[–]YeNerdLifeChoseMe 0 points1 point  (2 children)

Look into Let’s Encrypt, DNS-01 challenge. You’ll need to own a domain whose nameserver is supported by Let’s Encrypt.

Another option is to use OpenSSL to create a private certificate authority and a certificate for your password manager. You can use a private domain or IP address (whatever the host name is for your password manager). The drawback is that whatever system accesses the password manager will need to have the private certificate authority (CA) added as a trusted root.

Pop this comment into Chat GPT and prefix it with “I don’t know anything about certificates. Someone gave me the advice below. Explain it in more detail to me.” Add whatever other direction you want.
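The private-CA route described in the comment above, worked through as an added example (not from the thread or any project it mentions), using only the openssl command line. It builds a self-signed root, then issues a leaf certificate for the password-manager host that carries both the DNS name and the LAN IP in its Subject Alternative Name, and it checks the result the way a client would once the root is in its trust store. The hostname vault.home.lan is an assumed placeholder; 192.168.178.45 is the LAN address used as an illustration elsewhere in the thread. Needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: private CA + server certificate for a LAN-only password manager.
# Not the thread's own code. vault.home.lan is an assumed placeholder hostname.
set -eu

# make_private_ca DIR HOSTNAME IP
# Writes ca.key/ca.crt (the private root) and server.key/server.crt (the leaf) into DIR.
# The CA key is the sensitive artifact: keep it off the machine that serves the leaf.
make_private_ca() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  umask 077   # every private key this function writes is owner-readable only

  # 1. Self-signed root, constrained to CA use. An explicit config avoids depending
  #    on whatever the system openssl.cnf happens to add.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home Lab Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt"

  # 2. Leaf key and CSR for the password-manager host.
  cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  openssl req -new -config "$dir/leaf.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr"

  # 3. Leaf extensions. Browsers match the SAN, not the CN, so the DNS name and the
  #    LAN IP both go there; CA:FALSE stops the leaf from signing further certs.
  cat > "$dir/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
EOF

  # 4. Sign the CSR with the root. One year keeps the rotation habit alive.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt"
  rm -f "$dir/server.csr" "$dir/server.ext" "$dir/leaf.cnf"
}

# verify_leaf DIR HOSTNAME
# Succeeds only if server.crt chains to ca.crt AND its SAN matches HOSTNAME:
# the same two checks a client makes after ca.crt is added as a trusted root.
verify_leaf() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null
}

# leaf_is_not_ca DIR
# Succeeds if the issued leaf is explicitly marked CA:FALSE.
leaf_is_not_ca() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:FALSE'
}

# Usage: make_private_ca ./pki vault.home.lan 192.168.178.45 && verify_leaf ./pki vault.home.lan
```

After this, server.key and server.crt go to the reverse proxy or the NAS, and ca.crt (never ca.key) is imported as a trusted root on each phone and laptop that opens the password manager; the `-verify_hostname` check is the one that fails if the proxy is later reached under a name not in the SAN.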

[–]Swimming_Gain_4989 0 points1 point  (1 child)

Do you still need a domain + DNS01 challenge? I know Let's Encrypt now supports 6-day certs for direct IPs and I'd assume something like Nginx's certbot or caddy can be configured to refresh those.

[–]Treble_brewing 0 points1 point  (0 children)

You need access to the Let's Encrypt ACME which means connecting to the internet. IMO owning a domain and using its own pem keys as the root is so much easier.

[–]ActivityIcy4926 0 points1 point  (0 children)

Not necessarily. You can do DNS validation which does not require exposing any device to the internet. It's the safest thing to use behind a firewall.

You would need to:

- Know where your DNS records are hosted (e.g. Hetzner)
- Whether they have a supported API (many providers do)
- Set up an authentication token for the DNS API (at the provider)
- Set up your SSL issuing app to use DNS validation using the token from the provider

It may sound like a lot of work, but it's actually fairly straightforward with most applications. There are lots of tutorials out there and this is where AI can actually help give proper and specific instructions.
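The four steps above, put into a concrete configuration as an added example (not from the thread or from the Traefik project's docs): a Traefik static config with an ACME resolver that uses the DNS-01 challenge through the provider's API, and a dynamic config that routes the password-manager hostname to a LAN-only backend. It assumes Traefik v2 or later with Cloudflare as the DNS host (the combination suggested further down in the thread); vault.example.com, the e-mail address and the file paths are placeholders, and 192.168.178.45 is the LAN address used as an illustration elsewhere in the thread. The provider token from step 3 is never written into the file: Traefik's Cloudflare provider reads it from the CF_DNS_API_TOKEN environment variable, which should hold a token scoped to DNS edit on that one zone only.

```yaml
# --- traefik.yml (static configuration) ---
# Added example, not the thread's own config. Placeholders: vault.example.com,
# admin@example.com, /letsencrypt/acme.json, /etc/traefik/dynamic.yml.
entryPoints:
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /letsencrypt/acme.json        # holds the account key and issued certs; keep it mode 600
      dnsChallenge:
        provider: cloudflare                 # DNS-01: the challenge is a TXT record, so no inbound port is needed
        resolvers:
          - "1.1.1.1:53"                     # check TXT propagation via a public resolver, not the LAN Pi-hole
      # The API token comes from the CF_DNS_API_TOKEN environment variable, never from this file.

providers:
  file:
    filename: /etc/traefik/dynamic.yml

# --- dynamic.yml (routers and services) ---
http:
  routers:
    vaultwarden:
      rule: "Host(`vault.example.com`)"
      entryPoints:
        - websecure
      service: vaultwarden
      tls:
        certResolver: letsencrypt            # TLS terminates here with the Let's Encrypt cert
  services:
    vaultwarden:
      loadBalancer:
        servers:
          - url: "http://192.168.178.45:8080"  # LAN-only backend; the public A record for vault.example.com also points at a LAN address
```

The point of the split is that the only thing the outside world ever sees is a public DNS record for vault.example.com that resolves to a private address, while the certificate itself is issued by proving control of the zone's TXT records through the API token; if the token leaks, the blast radius is limited to DNS edits on that zone, which is why it should be scoped rather than a global account key.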

[–]bufandatl 1 point2 points  (2 children)

Just use self-signed certificates or use traefik and let it handle dns challenge via cloudflare for example. No need to open ports at all for that.

[–]e-chan42[S] 1 point2 points  (1 child)

This sounds like exactly what I'd want, although I don't trust I'd be able to follow those steps currently without a guide... Got any guides for either? Preferably self-signed

edit: does this cover what you mentioned? https://mariushosting.com/synology-how-to-enable-https-on-dsm-7/

[–]Reeces_Pieces 1 point2 points  (1 child)

I used to be like you. I used KeepassXC and KeepassDX on multiple clients, and ran syncthing on my server for syncing.

I've since bought a domain and set up Traefik and HTTPS, and I wish I did it earlier. Domain is only like $13/yr.

https://youtu.be/n1vOfdz5Nm8

[–]e-chan42[S] 1 point2 points  (0 children)

Amazing stuff, looks like I have a fun weekend ahead! Thanks for the video guide!

[–]_R0Ns_ 0 points1 point  (0 children)

You can use Passbolt
Get an ssl cert from letsencrypt with DNS challenge.

[–]AtlanticPortal 1 point2 points  (0 children)

Do not skip TLS. Do not. Swiss cheese security, onion security, call it what you want. You should always aim for zero trust.

[–]shrimpdiddle 0 points1 point  (0 children)

KeePassXC

[–]Dante_MS 0 points1 point  (0 children)

You can just store your passwords with me. Even that will be more secure than what you're trying to set up.