Comment

Comment on Just another "we are all going to die" prediction

Many people (me included) like the appeal of a self signed cert in a small homelab. You basically get certificate pinning for free after you trust the cert on all clients.

With your idea, you either have to list a local IP in your public DNS record, or highjack your local DNS to point to the local IP. Both feel inelegant. And you have to give your NAS write access to your API key of your DNS registrar

source

Sort:hotnew top

dan@upvote.au ⁨1⁩ ⁨week⁩ ago

With your idea, you either have to list a local IP in your public DNS record, or highjack your local DNS to point to the local IP. Both feel inelegant

The DNS recordz for your internal servers don’t have to be public - they can be only on an internal DNS server if you want to do that. Only the _acme-challenge subdomain has to be public. Let’s Encrypt does follow CNAMEs.

And you have to give your NAS write access to your API key of your DNS registrar

You can use a separate DNS server just for Let’s Encrypt, as it follows CNAMEs. I use acme-dns for this. Let’s Encrypt supports IPv6-only DNS servers so I have my acme-dns instance listening on an IPv6 address in the /64 range on one of my VPSes.

source