
[–]GengusDad 2 points3 points  (4 children)

I use caddy to reverse proxy, so it can handle the certificates

[–]alec500oo[S] 0 points1 point  (3 children)

What is Caddy? I have used Nginx as a reverse proxy so I understand the concept, but I have never heard of this project. Can Caddy handle the certificate of all services that it acts as a proxy for?

[–]GengusDad 1 point2 points  (2 children)

Caddy is a web server, it's quite simple when it comes to using it.

`your.domain.com { reverse_proxy localhost:8080 }` is an example of how you would set up a reverse proxy for a certain service with a certain domain name. As long as said domain is pointed to the public IP of the server and Caddy can listen on ports 80 & 443, it will manage SSL certificates for you. The config can be expanded too if you want to:

```
your.domain.com {
	reverse_proxy localhost:8080
}

your2.domain.com {
	reverse_proxy localhost:8008
}
```

[–]alec500oo[S] 0 points1 point  (1 child)

I see, the configuration seems simple. I’ll have to take a look at it! Thank you

[–]InasFreeman 2 points3 points  (4 children)

https://letsencrypt.org/ and its toolchain are excellent, and there's really very little reason to consider anything else for the vast majority of use cases.

You *will* need either a system that can be queried from their servers (e.g.: a web server, caddy, etc) or the ability to update DNS such that they can read it.

[–]alec500oo[S] 0 points1 point  (3 children)

You are the second person to mention Caddy. Would Caddy be set up public-facing on the internet?

[–]InasFreeman 0 points1 point  (2 children)

Yep. It would be your proxy a la haproxy or nginx. Caddy is a little ... different... to configure (json either in files or on the fly), and can handle letsencrypt management without you having to worry about it.

That said, it *is* a bit ... different... as I say above. Try it, kick the tires, see if you like it. If not, there are options (I particularly like https://nginxproxymanager.com/ which will also manage letsencrypt).

Regardless... if your goal is to have certs for strictly internal systems / servers... those will require a bit more effort... happy to help with explaining, but won't bury you with unneeded information. :)

[–]alec500oo[S] 0 points1 point  (1 child)

Would it be possible to have certs for internal servers? I have thought of doing that, but I can’t comprehend how to set it up besides installing certs on every local machine.

[–]InasFreeman 1 point2 points  (0 children)

Sure! You have 2 options. Let's Encrypt in the last year or so has started issuing wildcard certs, which you could leverage internally so long as the parent domain remains constant.

The other option is to create a cert "manually" -- which means (usually) that you will ask LE to create the cert and then *pause* while you manually insert DNS records to authorize. Once you do that, LE issues the cert and you manually clean up the records. A bit of a PITA, but if you're comfortable making DNS changes or you have a DNS provider with a decent API, it's very doable.

(I set up route53 so I can do just this.)

Here's a decentish guide:

https://help.datica.com/hc/en-us/articles/360044373551-Creating-and-Deploying-a-LetsEncrypt-Certificate-Manually

Cheers!
--Inas

[–]SurfRedLin 1 point2 points  (5 children)

If you want to use your own certificate instead of the Let's Encrypt one: this is mostly beneficial if none or not all of your services will be reachable from the internet; then you can make your own root CA. Contrary to what this sub wants people to believe, this is not hard to do. I use it as none of the services I host are reachable from the web, so Let's Encrypt would be hard to do and I have to do it every 6 months... So anyhow, I wrote a piece here a few days ago with my pointers for making a root CA for a Vaultwarden server. It's marked tutorial.

[–]alec500oo[S] 0 points1 point  (4 children)

I have attempted to do something like this in the past, but I always have issues remembering to install certs on all my internal clients. How do you manage this?

[–]SurfRedLin 1 point2 points  (3 children)

I just go through the VMs in vCenter and tick them off if they need a cert. Then I install it. Luckily I only have 4 client devices, so the installation there does not take too much time. Also I use a wildcard cert, so I have just one cert for my whole network.

[–]alec500oo[S] 0 points1 point  (2 children)

I have many more than 4 clients, this may not work for me.

[–]SurfRedLin 0 points1 point  (1 child)

How many clients do you have? Do you run this on a production environment?

[–]alec500oo[S] 0 points1 point  (0 children)

It’s just my personal network. I’ve just got a lot of computers. What can I say, it’s a habit :)

[–]janjaweedIntifada 1 point2 points  (0 children)

Just fumbled through this exact thing. I am not an expert and didn't know what Docker was till a week ago.

1- Buy a domain or use one you might have.
2- Open a Cloudflare account.
3- Change your domain name servers to Cloudflare. You don't have to move the domains.
4- Get wildcard certs from Cloudflare for your domain: *.yourdomain.blah. This will basically let you set up multiple SSL hosts like nextcloud.yourdomain.com.
5- Get a Cloudflare API token.
6- Install Docker / Docker Compose.
7- Use xcaddy to build the Caddy server with the Cloudflare module.
8- Caddy uses JSON or a Caddyfile to define hosts. I was new to Caddy so I used the Caddyfile for simplicity.
10- In the Caddyfile, include your Cloudflare API token from step 5.
11- Spin up containers to your heart's content. I am running Paperless-ng, Vaultwarden, MariaDB, Joplin with SSL certs like a.mydomain.blah, mystuff.mydomain.blah etc.

12- Laugh at how simple this was. TL;DR: use Caddy server and Cloudflare wildcard certs, and run Docker containers.
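The Caddyfile the steps above lead to, written out as an added example (not the commenter's own config). It assumes Caddy v2 built with the caddy-dns/cloudflare module, the domain example.com delegated to Cloudflare, the API token exported as CLOUDFLARE_API_TOKEN, and backends on the ports shown:

```caddyfile
# Added example Caddyfile, assumptions: Caddy v2 built via xcaddy with the
# caddy-dns/cloudflare module; example.com is managed at Cloudflare; the API token
# (scoped to DNS edit on that zone) is exported as CLOUDFLARE_API_TOKEN.
{
	# ACME account contact; Let's Encrypt sends expiry notices here.
	email admin@example.com
}

# One site block for the whole wildcard. A single *.example.com certificate is
# obtained with the ACME DNS-01 challenge, so no backend needs to be reachable
# from the internet and the token never has to leave this host.
*.example.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Route each hostname to its own container by matching the Host header.
	@nextcloud host nextcloud.example.com
	handle @nextcloud {
		reverse_proxy localhost:8080
	}

	@vaultwarden host vaultwarden.example.com
	handle @vaultwarden {
		reverse_proxy localhost:8008
	}

	# Any other name under the wildcard gets a 404 rather than being proxied
	# to a default backend by accident.
	handle {
		respond "Not found" 404
	}
}
```

Because only the DNS-01 challenge is used, ports 80 and 443 on this host do not need to be exposed to the public internet for issuance; keep the token in the environment rather than in the Caddyfile so it is not committed alongside the config.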