I find it increasingly irritating that modern browsers insist on complaining more or less annoyingly about http:// URLs or websites with self-signed certificates, and that there is no easy way of turning these complaints off. There is really no need for SSL or TLS for various utility pages inside my home network, and yet without SSL with a valid certificate there is this constant annoyance.
So I have been looking into getting a valid certificate for my home network, and the only way that makes sense is to somehow get Let’s Encrypt to work inside my LAN. Everything else is way too expensive.
On the face of it the problem is that all of the validation methods supported by Let’s Encrypt require the use of an official domain name with publicly reachable DNS and/or a publicly reachable website. I do have my domain doulos.at, but I really don’t want to put all my internal addresses into public DNS — most DNS service providers do not support private range addresses anyway.
So, here is what I came up with:
Every internal host which needs a certificate gets a name in the doulos.at domain, and a CNAME entry in the public DNS for doulos.at, pointing at the server this blog is running on. The names of these hosts are added to the Let’s Encrypt certificate for this server; to authenticate them using the Certbot Apache plugin the names point to a simple placeholder vhost on this server.
In my home network I run dnsmasq as my nameserver, which lets me create CNAME entries mapping these names to the hosts’ internal hostnames, so that inside the LAN the same name resolves to the internal host rather than to this server.
Because the Let’s Encrypt certificates expire after a relatively short time and need to be renewed, I also have a cron job which checks whether the certificates have been renewed (by checking the MD5 sum of the certificate file), and if so, copies the new certificates to my internal server and restarts Apache or Webmin.
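The renewal check and copy step described above, as an added example that is not the post’s own cron script. Paths, the internal host name and the service reload command are placeholders; the post uses MD5 for change detection, this version uses SHA-256 (any stable digest works, since it only detects that the file changed).

```shell
#!/bin/sh
# Added example: detect a renewed Let's Encrypt certificate by comparing its
# digest with the one recorded at the last run, then push it to an internal host.
# All paths and host names below are placeholders, not taken from the post.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/doulos.at}"        # certbot output dir
STATE_FILE="${STATE_FILE:-/var/lib/cert-sync/last-hash}"       # digest from last run
INTERNAL_HOST="${INTERNAL_HOST:-internal-server.lan}"           # placeholder host
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/le}"                         # placeholder dir

# Digest of a file; only used to notice change, not to verify authenticity.
cert_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Exit 0 (true) when the certificate differs from the recorded digest,
# 1 (false) when unchanged or when the certificate file is unreadable.
cert_changed() {
    [ -r "$1" ] || return 1
    _new=$(cert_hash "$1")
    _old=""
    [ -r "$2" ] && _old=$(cat "$2")
    [ "$_new" != "$_old" ]
}

# Remember the digest of the certificate that was last synced successfully.
record_hash() {
    mkdir -p "$(dirname "$2")"
    cert_hash "$1" > "$2"
}

# Copy chain and key over SSH only (the private key must never travel in clear),
# tighten permissions on the far side and reload the web server.
sync_and_reload() {
    scp -q "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" \
        "root@$INTERNAL_HOST:$REMOTE_DIR/" &&
    ssh "root@$INTERNAL_HOST" \
        "chmod 600 $REMOTE_DIR/privkey.pem && systemctl reload apache2"
}

main() {
    if cert_changed "$LIVE_DIR/fullchain.pem" "$STATE_FILE"; then
        # Record the digest only after a successful copy, so a failed sync is retried.
        sync_and_reload && record_hash "$LIVE_DIR/fullchain.pem" "$STATE_FILE"
    fi
}

# Invoke as "cert-sync.sh run" from cron; sourcing the file only defines functions.
case "${1:-}" in run) main ;; esac
```

Instead of polling from cron, the same sync step can be attached to certbot’s `--deploy-hook`, which runs only when a renewal actually produced a new certificate.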