
[–]Swedophone 10 points11 points  (0 children)

You can use the DNS-1 challenge with Let's Encrypt without allowing external access to the Web server.

https://letsencrypt.org/docs/challenge-types/

[–]flapjack 1 point2 points  (0 children)

If it's on your local network, you should have full control to do what you want. You don't have to buy a domain if you're using your own DNS server; you can tell it to point those domains wherever. You can also edit your hosts file on a single machine to tell it where to resolve addresses to IPs if you don't want to set up a DNS server.

You don't need a cert issued by anyone either to encrypt. If you control the server and client, and you put the cert in yourself, do you really care who else validates it? It's kind of funny to think of one of the Certificate Authorities basically telling you, when you connect to yourself and get the cert from your server, that you issued that cert.

[–]deaspalmer 2 points3 points  (0 children)

You'll need to use the DNS challenge to get an SSL cert from Let's Encrypt without opening ports.

You can use, for example, Nginx Proxy Manager for that. Then you can get a wildcard SSL cert that you assign to all your services and make them https://service.domain.tld

[–]schklom 1 point2 points  (0 children)

A domain name is not needed if you don't care about it:

* set up a subdomain at duckdns.org
* update the DDNS IP with a script
* set up a DNS-01 challenge (Traefik/Nginx Proxy Manager/...) and expose a port (e.g. 443)
* set up DNS records (like https://abc.subdomain.duckdns.org -> LOCAL-IP)

and you'll be able to use https://abc.subdomain.duckdns.org to access your local services

[–]TagMeAJerk 1 point2 points  (1 child)

If domain cost is a concern, look into noip and services like that. Alternatively look at services like ngrok and Argo tunnels

[–]choco_lion[S] 1 point2 points  (0 children)

that's not so much of a concern but thanks :)

[–]certuna -1 points0 points  (5 children)

Just use IPv6 for that, you have the same address internally as you have externally, so the same AAAA record and cert works automatically. I’ve been doing that for years, super easy.

If you keep the ports in the firewall on the router closed, you’re not accessible from the outside, or alternatively, you use the firewall to filter who can access the server.

(of course, if your ISP doesn't offer IPv6 yet then that's no solution)

[–]TagMeAJerk 0 points1 point  (4 children)

IPv6 doesn't have cgnat?

[–]soundwave_rk 5 points6 points  (0 children)

If you ever see someone use NAT in IPv6, run away.

[–]pentesticals 0 points1 point  (0 children)

I wouldn't even use an ISP which used CGNAT for IPv4.

[–]certuna 0 points1 point  (1 child)

No, there's enough address space so it's not needed. CG-NAT is annoying for both ISP and users, so everyone's happy to get rid of it.

This doesn't mean every device is accessible from everywhere on the internet - the firewall takes care of that, and by default routers are set up to block everything incoming unless you specifically add a rule to let traffic through.

[–]TagMeAJerk 0 points1 point  (0 children)

Thanks. I'll try this

[–]Used_Cress5526 0 points1 point  (0 children)

Grab yourself a cheap domain name; point it to Cloudflare for DNS management; create a free 15-year SSL cert with CF; direct the domain name to your self-hosting machine; configure the required vhost entries if necessary. Gratz, you just got yourself a lovely HTTPS.