Nginx Proxy Manager and SSL certificates in LAN environment, how to do that?
Hi,
I host all of my services in the LAN network and do not expose any of them outside. I would like to give them human-readable addresses and SSL certificates, because my householders freak out when they see an IP address and a warning from the browser about the SSL cert.
I'm sick of constantly explaining why it is not necessary in a LAN; that's why I would like to have those certs and DNS, but I don't fancy buying a real domain.
I have tested that I can set **service.**randomname.lan, or anything similar that does not exist on the internet, in DNS, and it works just fine, but what about SSL certificates?
How do I generate them with Nginx Proxy Manager for a domain that does not exist on the internet?
I hope it is clear what I'm trying to do. Cheers!
Don't know about Nginx Proxy Manager, but I recently wrote a tutorial on how to get a proper certificate: https://gist.github.com/ioqy/5a9a03f082ef81f886862949d549ea70
Before I made it, I asked if there are people interested in such a tutorial because certificates are a common question here. There was some interest, so I made the tutorial and sent it to the people. But so far no one gave me any feedback. So if you are going to check it out, I would greatly appreciate any feedback.
If you don't have a real domain and real certificate you are going to get certificate warnings. Long term, it would probably be easier to spend a few bucks for a cheap domain, from a provider that supports dynamically changing records, and then set yourself up to get the certs via the DNS-01 challenge.
Even if you run your own internal DNS with a fake domain and self-sign certificates, you are going to get tons of certificate warnings and errors on your clients, since your certs won't be from a trusted CA. Even if you run your own CA, distributing the CA cert to all your devices, and all the various browsers, clients and so on, can be very annoying.
Anyway, if you really think you want to, you probably need to generate them outside Nginx Proxy Manager and import them or something. See the Google results for "self-signed certificate".
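For the private-CA route the reply above describes, here is what "generate them outside Nginx Proxy Manager" looks like end to end, as an added example that is not from this thread or from the NPM project: a POSIX sh script that creates a throwaway root CA, signs one wildcard certificate for the `randomname.lan` zone from the question, and then runs the two checks a browser performs (is the issuer trusted, does the name match the SAN list). It assumes `openssl` 1.1.1 or newer on PATH; the file names, the CN values and the 825-day lifetime are choices made here, not anything the thread specifies.

```shell
#!/bin/sh
# Added example: private CA + wildcard leaf for a LAN-only zone, then verification.
# Assumes openssl >= 1.1.1. Zone name comes from the question; all other names
# (file names, CN values) are made up for this example.
set -eu

LAN_ZONE="${LAN_ZONE:-randomname.lan}"
WORK="${WORK:-$(mktemp -d)}"   # set WORK=/some/dir to keep the generated files

# Step 1: root CA. A private config file keeps extensions from the system
# openssl.cnf out of the picture. ca.key never leaves the box that signs.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home LAN Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: leaf certificate for the reverse proxy. Browsers match names against
# subjectAltName only, so the wildcard and the apex both go there.
make_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = *.$LAN_ZONE
EOF
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$LAN_ZONE, DNS:$LAN_ZONE
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Keep leaves short-lived (825 days here); some client platforms reject
  # privately issued server certs that live longer than that.
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: the checks. verify_chain is the "is this issuer trusted" question that
# produces the warnings the question complains about when the answer is no;
# verify_hostname is the SAN match a browser does for the URL it was given.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}
verify_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_ca
make_server_cert
# What the proxy gets: server.crt + server.key. What every client gets: ca.crt only.
```

Two things follow from the checks. `verify_hostname service.randomname.lan` passes but `verify_hostname deep.service.randomname.lan` does not: a wildcard covers exactly one label, so a second level of subdomains needs its own SAN entry. And the warnings only go away on a device where `ca.crt` is in the store the browser actually consults: on Debian-style systems that is a copy under `/usr/local/share/ca-certificates/` followed by `update-ca-certificates`, while Firefox keeps its own store and must be handled separately, which is the distribution chore the reply warns about.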
So I have a couple domains, and I obtained wildcard SSL certs from Let's Encrypt. I used my VPS to get the certs since my home ISP seemed to be blocking a couple ports. It sounds like Cloudflare might be a good alternative if you have trouble with your home ISP. After I had the certs installed on my Nginx setup I used my Pi-hole to direct https://internal.<mydomain>.<tld> to the IP hosting Nginx.
You do have to renew Let's Encrypt certs regularly, but that can be automated.
You have two options. You get a domain name and use a DNS challenge to get a certificate, which doesn't require you to open any ports. Or, you make your own Certificate Authority and self-sign your certificates, which requires you to add your personal CA to every device that would use it.
I find the former easier. You can get a free domain from DuckDNS. Point it to an internal IP (you don't need to set up their software, that's just to update your public IP, but since you're pointing it to a local one, it's not needed), and then get a certificate with certbot with the --manual flag. Complete the DNS challenge, tell nginx where the certificates are, and voila, you have a domain name and a cert, without any open ports. Make sure to register a wildcard domain name though, so you can use as many subdomains as you want with the same cert.
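The reason the DNS route needs no open ports is that the CA never connects to your server at all; it only looks up a TXT record. The added example below (not from this thread, certbot or Let's Encrypt) reproduces that lookup locally so you can check a record before telling `certbot --manual` to continue. The token and account-key thumbprint are constructed sample strings in the shape of the real ones, the zone name is the one from the question, and `openssl` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: compute and check a DNS-01 challenge value locally.
# TOKEN and THUMB are constructed samples, not real ACME data. Needs openssl.
set -eu

# RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(token "." thumbprint)),
# where thumbprint is the base64url JWK thumbprint of your ACME account key.
# certbot --manual prints the finished value; this is how it was derived.
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A \
    | tr '+/' '-_' | tr -d '='
}

# Where the record lives. A wildcard request is validated at the apex name,
# so "*.zone" and "zone" both map to _acme-challenge.zone.
dns01_record_name() {
  printf '_acme-challenge.%s' "${1#"*."}"
}

# Compare a TXT answer (what `dig +short TXT <name>` returns, quotes stripped)
# with the value the CA will expect. Exit status 0 means the record is right.
dns01_check_answer() {
  answer=$1; token=$2; thumb=$3
  expected=$(dns01_txt_value "$token" "$thumb")
  [ "$answer" = "$expected" ]
}

TOKEN="sample-token-not-issued-by-any-ca"          # constructed
THUMB="sample-account-key-thumbprint-not-real"     # constructed
ZONE="randomname.lan"                              # from the question

# Worked run: the value you would publish, and where.
EXPECTED=$(dns01_txt_value "$TOKEN" "$THUMB")
NAME=$(dns01_record_name "*.$ZONE")
# A constructed "answer" standing in for the dig output:
if dns01_check_answer "$EXPECTED" "$TOKEN" "$THUMB"; then
  echo "$NAME TXT \"$EXPECTED\"  (matches; safe to let certbot continue)"
fi
# The real invocation this supports (a public zone is required, e.g. DuckDNS):
#   certbot certonly --manual --preferred-challenges dns -d "*.$ZONE" -d "$ZONE"
```

Two practical points fall out of `dns01_record_name`: a certificate that covers both `*.zone` and `zone` needs two separate TXT records at the same `_acme-challenge.zone` name, one per challenge, and the value is bound to your account key, so a record copied from someone else's walkthrough can never validate. Note also that a made-up `.lan` zone cannot be used for this route; the CA has to resolve the record through public DNS, which is why the replies point at DuckDNS or Cloudflare for the name.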
In order to obtain an SSL certificate, you have to use a real domain. Basically, your Nginx Proxy Manager tells LetsEncrypt "hey, I want an SSL certificate". Then LetsEncrypt says "Ok, let me make sure your domain name is valid and reachable." If they can't reach your Nginx Proxy Manager from the outside world, they can't get a valid certificate.
You'll need to obtain a domain ($10/year), set up the subdomain to point to your server, and open up ports 80 and 443. If you want these to be internal only, you'll need to build a profile in Nginx Proxy Manager to deny traffic from outside IP addresses afterwards.
This is mostly correct except for the need to expose ports: there's absolutely no need to expose anything. CloudFlare + DNS challenge will do the trick. There are probably other providers that can do it automatically for you too.
I don't expose anything to the internet and use NPM; I have the domain in CloudFlare and use DNS challenge. I'm not near a computer, just wanted to let you know it's possible. From the top of my head, my domain is proxied in CloudFlare to 8.8.8.8, I created a CloudFlare API key that allows changes to my domain, and on NPM I set up DNS challenge on the wildcard certificate where I input the API
I'm not sure you can with NPM, because it uses Let's Encrypt to assign the certificates, which needs access to the domain it's signing.
A self-signed certificate would work, but you'd then have to add it as a trusted certificate on the devices you want to use it with, though I'm not super knowledgeable in that area so I could be wrong.
TechnoTim made a great video using Traefik which I’d really recommend you have a look at https://youtu.be/liV3c9m_OX8