SSL and TLS Certificates
When people visit websites and use online services, they need to be sure that:
- they are really connecting to the server they intended to reach, and
- their activity on those sites is not spied on by malicious third parties.
TLS certificates (still commonly called SSL certificates) provide these two guarantees to within a reasonable margin, allowing people to transact over the internet securely. They are electronic documents, signed by a certificate authority, that bind a public key to a domain name; the server proves during the TLS handshake that it holds the matching private key, and the handshake then sets up the encryption that protects the rest of the session.
As I'm serving multiple services via the same domain name out of my homelab, I soon learned that I would need to use wildcard certificates that I've generated myself via Let's Encrypt's certbot tool if I wanted any sort of guarantee that people won't get SSL errors when they visit any of my sites. For the first few weeks I relied on Caddy's auto-HTTPS functionality, and was losing hairs off the top of my head for it. Maybe because I'm using Pagekite to punch through CGNAT, something between Caddy and Pagekite is causing Caddy to throw up bad SSL certs or is unable to provision them at all.
Caddy's documentation on wildcard certificates seemed to necessitate using a DNS plugin that my domain registrar didn't have. This put me off dealing with that for a week or two. More stress was had and more hairs were lost. Thank goodness I found this Medium article, which showed how one can do the DNS challenge manually.
With that I went ahead and configured Caddy as in the docs above, but using a key/cert pair that was issued to me directly instead of one auto-generated by Caddy.
The certbot invocation I used (the wildcard name is quoted so the shell doesn't try to expand it as a file glob):

```bash
sudo certbot certonly \
  --manual \
  --preferred-challenges=dns \
  --email your@email.tld \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  -d '*.yourdomain.tld'
```
Certbot will tell you to add a TXT DNS resource record, named _acme-challenge.yourdomain.tld, and to only press enter after you've added it in your DNS console. Wait until the record is actually visible in public DNS (for example, dig TXT _acme-challenge.yourdomain.tld from another network) before continuing, or the validation will fail. After it verifies the challenge, Certbot prints the full path of the certificate and key it has issued. Install this key/cert pair on your web server. Two caveats: a *.yourdomain.tld certificate covers git.yourdomain.tld but not the bare yourdomain.tld, nor a second-level name such as a.b.yourdomain.tld, so add extra -d entries if you need those; and because the challenge was answered by hand, certbot cannot renew this certificate unattended, so you'll have to repeat the process before it expires.
Let's Encrypt issues this key/cert pair with a 90-day validity. For someone running a homelab in their spare time, that's perfectly fine for me!
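Because the wildcard only covers one label and the certificate has to be renewed by hand every 90 days, it's worth checking what you actually deployed. The Python script below is an added example, not code from the original post nor from certbot or Caddy: it parses what openssl x509 -noout -ext subjectAltName -enddate prints for the issued fullchain.pem, reports which of your hostnames the certificate's SANs fail to cover (the bare domain and second-level subdomains are the usual surprises), and reports how many days remain before renewal. The hostnames, the sample openssl output and the fixed "now" are constructed for illustration.

```python
"""Check a deployed wildcard certificate: which hostnames does it cover,
and how long until it must be renewed?

Added example, not part of the original post. Input is the text printed by
    openssl x509 -in fullchain.pem -noout -ext subjectAltName -enddate
The sample output, hostnames and clock below are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample of the openssl output for a wildcard-only certificate.
SAMPLE_OPENSSL_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:*.yourdomain.tld
notAfter=Jun 10 12:34:56 2025 GMT
"""

# Constructed list of names served from the homelab (assumed for illustration).
SAMPLE_HOSTNAMES = [
    "git.yourdomain.tld",
    "Media.yourdomain.tld",   # case-insensitive, still covered
    "yourdomain.tld",         # apex: NOT covered by *.yourdomain.tld
    "a.b.yourdomain.tld",     # two labels deep: NOT covered either
]

# Fixed clock so the sample report is reproducible.
SAMPLE_NOW = datetime(2025, 5, 20, tzinfo=timezone.utc)


def parse_openssl_output(text):
    """Return (list of DNS SANs, notAfter as an aware UTC datetime)."""
    sans = re.findall(r"DNS:([^,\s]+)", text)
    m = re.search(r"^notAfter=(.+)$", text, re.MULTILINE)
    if not m:
        raise ValueError("no notAfter line in openssl output")
    # openssl prints e.g. "Jun  1 12:34:56 2025 GMT"; collapse the padding.
    stamp = " ".join(m.group(1).split())
    not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return sans, not_after.replace(tzinfo=timezone.utc)


def san_matches(pattern, hostname):
    """Browser-style (RFC 6125) matching: a wildcard may only be the whole
    leftmost label and stands for exactly one label, so *.example.tld
    covers git.example.tld but neither example.tld nor a.b.example.tld."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    first = h_labels[0]
    return bool(first) and "*" not in first and p_labels[1:] == h_labels[1:]


def uncovered_hostnames(sans, hostnames):
    """Hostnames that no SAN in the certificate matches."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def days_left(not_after, now=None):
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def check_certificate(openssl_text, hostnames, now=None, renew_within_days=30):
    """Produce a small report: SANs, uncovered names, days to expiry,
    and whether the manual certbot dance is due again."""
    sans, not_after = parse_openssl_output(openssl_text)
    remaining = days_left(not_after, now)
    return {
        "sans": sans,
        "uncovered": uncovered_hostnames(sans, hostnames),
        "days_left": remaining,
        "renew_now": remaining <= renew_within_days,
    }


def sample_report():
    """Run the check over the constructed sample data."""
    return check_certificate(SAMPLE_OPENSSL_OUTPUT, SAMPLE_HOSTNAMES, now=SAMPLE_NOW)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

For a live check, pipe the real certificate in, e.g. openssl x509 -in /etc/letsencrypt/live/yourdomain.tld/fullchain.pem -noout -ext subjectAltName -enddate, and pass that text to check_certificate with the hostnames you actually serve. The renew_now flag fires at 30 days, which mirrors the point at which Let's Encrypt's own tooling would normally attempt renewal; with a manual DNS challenge, that's your cue to run certbot again.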