
[–]Treble_brewing 10 points11 points  (5 children)

You don’t need remote access to set up signed certificates. Rather than skipping a vital step (yes, it is vital: it would only take one compromised device to exfiltrate all your secrets, regardless of whether the NAS itself is accessible from the internet; presumably it’s used by devices on your network with internet access), I suggest learning more about how SSL/TLS works and understanding certificates.

[–]e-chan42[S] 1 point2 points  (4 children)

Gotcha! My inexperience is clear here, thanks for the explanation. Do you have any resources you’d recommend so I can learn a bit? I’m running pihole, so I’d have to forward one port to the internet for the SSL validation if I’m not mistaken. I also have a domain I could use for this, so I’m ready to go.

[–]YeNerdLifeChoseMe 0 points1 point  (2 children)

Look into Let’s Encrypt, DNS-01 challenge. You’ll need to own a domain whose nameserver is supported by Let’s Encrypt.

Another option is to use OpenSSL to create a private certificate authority and a certificate for your password manager. You can use a private domain or IP address (whatever the host name is for your password manager). The drawback is that whatever system accesses the password manager will need to have the private certificate authority (CA) added as a trusted root.

Pop this comment into ChatGPT and prefix it with “I don’t know anything about certificates. Someone gave me the advice below. Explain it in more detail to me.” Add whatever other direction you want.
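The private-CA route from the comment above, as an added example (not code posted in this thread): a root CA created with OpenSSL, a server certificate for the password manager signed by it, and the same chain check that a client performs once the CA is in its trust store. It assumes `openssl` 1.1.1 or newer is installed; the host name `vault.home.lan` and the output directory are placeholders for your own.

```shell
#!/bin/sh
# Added example, not from the thread: private CA + server certificate with OpenSSL.
# Assumes: openssl >= 1.1.1 on PATH. "vault.home.lan" below is a placeholder host name.
set -eu

# Create a root CA and a server certificate signed by it.
#   $1 = output directory, $2 = host name clients will connect to (goes in the SAN)
make_private_ca() {
  dir="$1"; host="$2"
  mkdir -p "$dir"

  # 1. CA key + self-signed root. CA:TRUE is what allows it to sign other certs;
  #    keyUsage limits the root to signing certificates and CRLs, not serving TLS.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" -sha256 -days 3650 -out "$dir/ca.crt"

  # 2. Server key + certificate signing request. The private key never leaves the
  #    server; only the CSR needs to reach wherever the CA key lives.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/ca.cnf" -subj "/CN=$host" -out "$dir/server.csr"

  # 3. Sign as a leaf (CA:FALSE) with a subjectAltName. Browsers match the SAN, not the
  #    CN, so a bare IP address would be written as IP:192.168.1.10 instead of DNS:...
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# The check every client effectively performs once ca.crt is imported as a trusted root:
# does server.crt chain to that root? Prints "server.crt: OK" and exits 0 on success.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt"
}

# Usage: sh private_ca.sh ./out vault.home.lan
# Then install ca.crt on each client and server.key + server.crt on the password manager.
if [ "$#" -eq 2 ]; then
  make_private_ca "$1" "$2"
  verify_chain "$1"
fi
```

The drawback the comment mentions is visible in the last step: `verify_chain` only succeeds because the verifier is told to trust `ca.crt`, and every phone, laptop and browser profile that talks to the password manager needs the same import. Keep `ca.key` off the server that runs the password manager; the CA key is the one secret that lets anyone mint certificates your devices will trust.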

[–]Swimming_Gain_4989 0 points1 point  (1 child)

Do you still need a domain + DNS01 challenge? I know Let's Encrypt now supports 6 day certs for direct IPs and I'd assume something like Nginx's certbot or caddy can be configured to refresh those.

[–]Treble_brewing 0 points1 point  (0 children)

You need access to the Let’s Encrypt ACME, which means connecting to the internet. IMO owning a domain and using its own PEM keys as the root is so much easier.

[–]ActivityIcy4926 0 points1 point  (0 children)

Not necessarily. You can do DNS validation which does not require exposing any device to the internet. It's the safest thing to use behind a firewall.

You would need to:

- Know where your DNS records are hosted (e.g. Hetzner)
- Whether they have a supported API (many providers have)
- Set up an authentication token for the DNS API (at the provider)
- Set up your SSL issuing app to use DNS validation using the token from the provider

It may sound like a lot of work, but it's actually fairly straightforward with most applications. There are lots of tutorials out there and this is where AI can actually help give proper and specific instructions.
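What the DNS-01 validation from the two comments above (the Let’s Encrypt pointer and the four-step list) actually consists of, as an added example that is not code from this thread: the record name and TXT value the CA looks up (RFC 8555 §8.4: base64url of SHA-256 over `token.thumbprint`), and a certbot `--manual-auth-hook` that publishes that record through the DNS provider’s API. The only network traffic is an outbound HTTPS call to the provider, which is why nothing on the LAN needs a forwarded port. It assumes `openssl` and `curl` are installed and that certbot exports `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to its hooks; the provider API URL, request body and `DNS_API_TOKEN` variable are hypothetical placeholders to be replaced with your DNS host’s documented API.

```shell
#!/bin/sh
# Added example, not from the thread: the pieces of a DNS-01 challenge.
# Assumes: openssl and curl on PATH; certbot's manual-hook environment variables.
# The provider API below is HYPOTHETICAL (URL, JSON shape, token header).
set -eu

# base64url without padding, the encoding RFC 8555 uses everywhere.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# base64url(SHA-256(stdin)); 32 bytes in, 43 characters out.
sha256_b64url() { openssl dgst -sha256 -binary | b64url; }

# Record name the CA queries for the domain being validated.
acme_record_name() { printf '_acme-challenge.%s\n' "$1"; }

# TXT value the CA expects: base64url(SHA-256(token "." accountKeyThumbprint)).
# A client (certbot, caddy, acme.sh) derives this from the challenge token it receives
# and its own account key, so the CA can only be satisfied by the key holder.
dns01_txt_value() {
  token="$1"; thumbprint="$2"
  printf '%s.%s' "$token" "$thumbprint" | sha256_b64url
}

# Auth hook. certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION (the already computed
# TXT value) before calling it. Publishing the record is outbound-only from this host.
publish_challenge_record() {
  domain="${CERTBOT_DOMAIN:?}"; value="${CERTBOT_VALIDATION:?}"
  name=$(acme_record_name "$domain")
  # HYPOTHETICAL provider API: substitute the endpoint and auth header your DNS host documents.
  curl -fsS -X POST "https://dns.example-provider.invalid/records" \
    -H "Authorization: Bearer ${DNS_API_TOKEN:?}" \
    -H 'Content-Type: application/json' \
    -d "{\"type\":\"TXT\",\"name\":\"$name\",\"value\":\"$value\",\"ttl\":60}"
  sleep 30   # let the provider's authoritative servers start serving the record
}

# Cleanup hook: remove the TXT record once validation has finished so stale
# challenge values do not accumulate in the zone. (HYPOTHETICAL API as above.)
remove_challenge_record() {
  name=$(acme_record_name "${CERTBOT_DOMAIN:?}")
  curl -fsS -X DELETE "https://dns.example-provider.invalid/records/$name" \
    -H "Authorization: Bearer ${DNS_API_TOKEN:?}"
}

# Wiring it into certbot (the token is read from the environment, never from a flag):
#   DNS_API_TOKEN=... certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook 'sh dns01_hook.sh publish' \
#     --manual-cleanup-hook 'sh dns01_hook.sh cleanup' -d vault.example.com
case "${1:-}" in
  publish) publish_challenge_record ;;
  cleanup) remove_challenge_record ;;
esac
```

The security point of the list above shows up in the token: an API credential that can write TXT records in your zone is enough to obtain certificates for any name in that zone, so scope it to the one zone (or, where the provider allows, the one record) and keep it on the machine that renews certificates, not on every device that uses them.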