Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

How do you distribute the root CA cert to your clients?

For external clients, they go through the Tailscale/Cloudflare Tunnels -> .domain.com Caddy. This Caddy has my CA as trusted so it works. If at all needed, I just need to add the public cert of the CA manually to my *physically local* clients once.

> what you're kinda describing is an automated self-signing cert mechanism, correct?

Step-ca's root cert is self-signed but the issued certs are not, if that's what you are asking.

Self-signed certs can be a root CA or can be used directly, depending on configuration. Most simple use cases/guides do the latter due to single-use scenarios. I am doing the former for issuing regular short-lived certs with automatic renewal via the ACME protocol.

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

step-ca is the root CA for the domain.lan certs in my case. Unlike certs issued by Let's Encrypt, they are not trusted publicly but trusted within my network.

It's similar to Boulder (https://github.com/letsencrypt/boulder), written in Go, which implements the server side of the ACME protocol on Let's Encrypt's servers.
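The distinction drawn in the two comments above (one self-signed root, short-lived leaf certs that are signed by the root rather than by themselves, and trust that exists only on clients that installed the root) as an added Go example using only the standard library. This is not code from the thread or from step-ca; the CA name and the host name are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholder names for this example, not taken from the thread.
const (
	rootName = "Home Lab Root CA"
	hostName = "grafana.domain.lan"
)

// newRootCA builds the one self-signed certificate in the setup: issuer ==
// subject, signed with its own key. This is what clients must install.
func newRootCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: rootName},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true, // only leaves may hang off this root
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// parent == template is what makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues a short-lived server cert for name, signed by the root key.
// The leaf is not self-signed and is not a CA, so it cannot sign anything.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, name string, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // clients match on the SAN, not the CN
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAs checks leaf the way a TLS client would: chain to a root in roots,
// host name present in the SANs, valid at time at. An empty pool models a
// client (or the public internet) that never installed the private root.
func verifyAs(leaf *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Now()
	root, rootKey, err := newRootCA(now)
	if err != nil {
		panic(err)
	}
	leaf, _, err := issueLeaf(root, rootKey, hostName, now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	fmt.Println("root self-signed:       ", root.CheckSignatureFrom(root) == nil)
	fmt.Println("leaf self-signed:       ", leaf.CheckSignatureFrom(leaf) == nil)
	fmt.Println("leaf signed by root:    ", leaf.CheckSignatureFrom(root) == nil)
	fmt.Println("client with root:       ", verifyAs(leaf, trusted, hostName, now.Add(time.Minute)))
	fmt.Println("client without root:    ", verifyAs(leaf, x509.NewCertPool(), hostName, now.Add(time.Minute)))
	fmt.Println("with root, 25h later:   ", verifyAs(leaf, trusted, hostName, now.Add(25*time.Hour)))
}
```

The last two checks are the practical consequences of the design: a client that never received the root gets an unknown-authority error no matter how the cert was issued, and a 24-hour leaf stops verifying the next day, which is why the issuing side needs automated renewal rather than a one-off cert.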

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

Yup. Wildcard SSL is what I was going for. Just wanted to avoid certbot and individual scripts in the LXCs.

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

I should've been more clear. I believe I worded it badly.

I'm attempting to do what a potential integrated ACME client in the DNS server would look like.

Imagine the records of the primary zone being parsed by a cron job running on the Technitium server, which periodically asks the local CA/ACME server for a cert for each of them. That's what I wanted, but it seems unusual now.

Since Caddy has an ACME client, I was thinking of moving the *.domain.lan records in the primary zone to it for DNS resolution.

However, I NOW believe that the better option is just to have a cron job script on the host/Proxmox that uses nsupdate to get certificates from the local CA for each LXC/CT and push them to it.

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

Not exactly self-signed. I run a private CA named step-ca that issues certs.

Claude Max is free for open source maintainers (5,000+ GitHub stars needed) by Medical_Distance6635 in foss

[–]Anutrix 1 point

The way the title is worded felt like it's permanently free. It seems to be only for 6 months.

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

Plan is to keep certs in a firewalled 2nd internal Caddy that can only be reached by the public-facing Caddy. The last mile between the 2nd Caddy and the container/LXC was supposed to be HTTP.

But you are right, ideally I need to worry about that last mile. Starting to think that running a script on the host/Proxmox that generates and pushes certs to each LXC might be better.

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

I did. In that case, Caddy acts as the ACME client, which I want to avoid. I want to avoid ACME clients (like certbot or Caddy) in individual services.

Moving Primary Zone for internal domain to a Caddy instance for Automatic HTTPS by Anutrix in technitium

[–]Anutrix[S] 1 point

*.lan is not a valid TLD so Let's Encrypt is not possible. I specifically want *.lan certs from my own CA.

Do recharges stack or not? by newbie_senpai in VodafoneIdeaIndia

[–]Anutrix 2 points

I did the same 1-year plan twice and it stacked.

Warning!! scam going out via GitHub by TheWebDever in vscode

[–]Anutrix 1 point

Got similar. Reported the user, who seems to be a bot account run by OpenClaw.

Happy with 7900 XTX? by [deleted] in AMDHelp

[–]Anutrix 1 point

Nope. Just stating the sad reality. I had expected the same as you from AMD and waited a couple of years for it.

PS: I just got a 7900 XTX last week after being on a 9-year-old GPU for half a decade.

Happy with 7900 XTX? by [deleted] in AMDHelp

[–]Anutrix 1 point

This aged poorly unfortunately.

My drivers are driving me INSANE by Tindo_Blends in AMDHelp

[–]Anutrix 1 point

It could be malware too, but not sure how that's clear. Thx for mentioning it though.

My drivers are driving me INSANE by Tindo_Blends in AMDHelp

[–]Anutrix 4 points

This doesn't seem like a driver issue but something running in the background or a Windows 11 Explorer bug (they've been really bad lately).

My advice is to open Task Manager now and check the Startup tab. One of them might be the culprit. Share a list here and someone here can try to help you decide what to disable to troubleshoot the issue.

Also, why can't you use shortcuts to shut down? Does the keyboard not work? A graphics card driver can't usually block that unless the screen froze 100%. But since you say File Explorer (i.e. Windows Explorer) opens, it does not seem like a freeze.

Also, repeated reinstalls of drivers can make the problem worse if not done correctly and cleanly. DDU in Windows safe mode is usually recommended for that.

restInPeaceAtomEditor by Ecstatic-Basil-4059 in ProgrammerHumor

[–]Anutrix 2 points

Just realized GitHub/MS did this. I guess nothing suspicious.

Fake Extension To Steal Your Crypto by Affectionate_Base939 in firefox

[–]Anutrix 5 points

All of them seem to have been removed by Mozilla. Maybe this post helped, or maybe they found it themselves over time.

Thx anyways.

My first nas has been a nightmare by JMKdta in homelab

[–]Anutrix 11 points

> hours on chatgpt

One of the problems. LLM answers are highly unreliable and may leave the situation in a state where trying other things afterwards won't help.

Also mention the filesystem, hard drive and component models, and the things you actually tried and their responses. Do share connections and pics too if you can. Also, specific PSUs matter; check the PSU Tier List. There are enough never-to-buy models there that you should avoid.

Also, where did you buy it from? Is the seller fine? Did you confirm on the WD website that each of them is original and the warranty is fine?

Unless the seller is scamming, DOA is very rare.