Let's Encrypt cert help needed
-
@chudak No, you can't, unless you create a DNS record that points to your box for whatever.new.duckdns.org.
If you want to use home.lan you would be out of luck for ACME. You could run your own CA and use whatever you want; I have finally switched completely over to home.arpa vs. my old local.lan domain.
If it's only going to be you that accesses these resources, your own CA works great; the problem is if you want other devices outside of your control to trust the cert, then your own CA becomes problematic.
But the advantage of running your own CA and issuing your own certs is that you can use whatever domain you want; you can even add RFC 1918 IPs as SANs on them and your browser will be happy, as long as your browser or app is set to trust anything signed by your CA. And they can be valid for what is the new limit browsers have, 398 days, vs. ACME's 90 days.
-
@johnpoz said in Let's Encrypt cert help needed:
So I guess whatever I am thinking is not possible.
What is "arpa"?
-
@chudak home.arpa is the new recommended domain to use for, say, your home network.
https://www.rfc-editor.org/rfc/rfc8375.html
Special-Use Domain 'home.arpa.'
BTW, pfSense now defaults to using home.arpa for its domain vs. the .localdomain it used to use, I think? A clean install of pfSense will set the domain as home.arpa.
You can for sure use your ACME certs internally; you just need to get to whatever IP you want for your services via the FQDN whatever.domain.tld that you have gotten a cert or a wildcard for.
But if you access your device via the name something.home.lan and it presents a cert for something.duckdns.org or whatever cert/wildcard you got from ACME, your browser will scream at you: hey, this cert is not for where I wanted to go.
-
@johnpoz said in Let's Encrypt cert help needed:
I hear you, thx
Just wondering how complicated it is to change *.lan to *.arpa in pfSense?
(mumbling aloud :) )
-
@chudak It's pretty simple, just change it here.
Where it gets more complicated is if you had certs issued with home.lan before, or any DNS records, or clients that think their FQDN is something.home.lan.
The one thing holding me back was issuing new certs with the new home.arpa vs. local.lan, etc.
But depending on what you're doing exactly, it could be as simple as just changing that one thing.
-
@johnpoz said in Let's Encrypt cert help needed:
Cool, but a bit hesitant, I definitely pass it to my VPN clients and maybe somewhere else.
Will sleep on it
Thx!
-
@chudak If you have your own DNS running where stuff.home.lan resolves to something, you can always just create an alias in your DNS so stuff.home.arpa resolves to the same IP, until such time as you get all of your devices using the new home.arpa as their search suffix.
-
I am still thinking of trying to address it via an nginx redirect, e.g.
but so far, I can't make it work :(
-
@chudak Because, again, the browser wants the cert to match the name it is looking for. It's not going to work; you cannot just redirect HTTPS traffic like that.
-