So, I have a few services (Jellyfin, Home Assistant, etc) that I am running, and have been accessing via their IPs and port numbers.

Recently, I started using NGINX so that I could set up entries in my Pi Hole, and access my services via some made up hostname (jellyfin.home, homeassistant.home, etc).

This is working great, but I also own a few domains, and thought of adding an SSL cert to them as well, which I have seen several tutorials on and it seems straightforward.

My questions:

  • Will there be any issues running SSL certs if all of my internal services are inward facing, with no WAN access? My understanding is that when I try to go to jellyfin.mydomainname.com, it will do the DNS lookup, which will point to a local address for NGINX on my network, which the requesting device will then point to and get the IP of the actual server.

  • Are there risks of anything being exposed externally if I use an actual CA for my cert? My main goal is to keep my home setup off of the internet.

  • Omripresent@leddit.social · 1 year ago

    Shouldn’t be any risk if it’s all local.

    For an internal domain you’ll need to set up your own internal CA to sign certs for your fqdns. The risk comes from any mishandling of that new CA, since you’ll need to install it as a trusted root on all of your devices, and if someone gets a hold of it nothing would stop them from creating a MITM attack for, let’s say, yourbank.com.

    If you have the CA’s key under lock then you should be good.

    • pacocascadero@lemmy.world · 1 year ago

      Don’t use an internal domain, use a standard domain + split DNS instead. Much simpler to handle certificates for internal services with the ACME protocol.

    • danA · 1 year ago

      > For an internal domain you’ll need to set up your own internal CA

      No real need to run your own CA. As long as you have an actual domain name, you can use Let’s Encrypt with DNS challenges to get certificates for internal servers.
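The split-DNS + ACME setup the last two replies describe, written out as an added example (not from the thread or from any of the posters): the public domain's internal names resolve only on the LAN (Pi-hole), the certificate comes from Let's Encrypt via a DNS-01 challenge so nothing needs to be reachable from the internet, and NGINX terminates TLS and proxies to the service. All addresses, paths and the 192.168.1.0/24 subnet are assumed placeholders.

```nginx
# Pi-hole side (assumed file: /etc/dnsmasq.d/02-lan-hosts.conf), one line per service,
# pointing the public-domain name at the NGINX host's LAN address only:
#   address=/jellyfin.mydomainname.com/192.168.1.10
# The public DNS zone for mydomainname.com carries no A record for this name;
# it is only used by the ACME client for the _acme-challenge TXT record (DNS-01).

# NGINX side (assumed file: /etc/nginx/conf.d/jellyfin.conf)
server {
    listen 80;
    server_name jellyfin.mydomainname.com;
    return 301 https://$host$request_uri;        # plain HTTP just redirects
}

server {
    listen 443 ssl;
    server_name jellyfin.mydomainname.com;

    # Wildcard cert for *.mydomainname.com obtained with an ACME DNS-01 challenge
    # (assumed certbot-style path); port 80/443 never needs WAN exposure for DNS-01.
    ssl_certificate     /etc/letsencrypt/live/mydomainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomainname.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Defence in depth for "keep it off the internet": even if a port forward is
    # ever added by mistake, only LAN clients are served.
    allow 192.168.1.0/24;
    deny  all;

    location / {
        proxy_pass http://192.168.1.20:8096;     # Jellyfin's LAN address (assumed)
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade           $http_upgrade;   # websocket support
        proxy_set_header Connection        "upgrade";
    }
}
```

A quick check that the split works as intended: `dig jellyfin.mydomainname.com` against Pi-hole should return the private address, while the same query against a public resolver should return nothing.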