I realize that this topic has been beaten to death, but I’ve yet to come across a solution that will work for me.

I’m familiar with Let’s Encrypt, which obviously works super well for it’s intended use, but what about for services where you can’t run certbot? eg: iDRAC, routers, switches, etc.?

I currently have a LE wildcard for my domain, which I use only locally (for now), but having to manually update the certs every 90 days for devices that can’t run cerbot is a hard pass.

Is my only solution to this scenario to set up my own CA and go about it that way? If so, is there anything out there that will help assist the management of certificates and deployment of root certificates to clients? I know that this can be done via GPO, but I don’t have a Windows computer on my home network.

I suppose another option would be to use a reverse proxy, but I would prefer to not have to go that route in this specific case if there are other options available.

Anyway, interested in what others are doing to address this.

3 points

Can you have the cert be generated on a server and then sync it to your hardware with scripts or ansible?

permalink
report
reply
1 point

I would also like an answer to this.

My solution so far has been to just purchase full 1y certs and then it’s a problem that I only need to look at once a year

permalink
report
reply
1 point

Why can’t you have your TLS managed at the gateway, then reverse proxy based on subdomain to your various services?

permalink
report
reply
1 point

the primary concern that I have with that model is that while traffic to the proxy is encrypted, ~everything behind the scenes is not (or, at least not in a trusted way).

this isn’t so much an issue when it’s in front of a docker network, but it is when it’s connecting to actual devices/servers on the physical network, as a compromise of a user account on one machine could allow for mitm and lateral movement/PE/domain takeover.

permalink
report
parent
reply
1 point

having to manually update the certs every 90 days for devices that can’t run cerbot is a hard pass

You automate the sh*t out of it … or at least as much as reasonably feasible.

E.g. I’ve often done script/programs that will easily and automagically install certs across many servers/devices of lots of different types and configurations, with just a single command. If you can do it manually from CLI, you can automate it.

I’ve also very well automated obtaining certs - again, simple quick command.

Combine those things and some reasonable checks/monitors/reminders or whatever else, and you’ve got something that’s fully automated to do it all … or at least pretty darn close.

permalink
report
reply
1 point

yeah, I had not really played much with racadm and so I didn’t even consider the possibility of being able to update certs using it… as soon as I made that discovery, my life has changed. lol

permalink
report
parent
reply
1 point

Acme.sh can run a script after SSL cert updates. And it’s nice since it’s just bash.

permalink
report
reply

Self-Hosted Main

!main@selfhosted.forum

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

For Example

  • Service: Dropbox - Alternative: Nextcloud
  • Service: Google Reader - Alternative: Tiny Tiny RSS
  • Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Community stats

  • 1

    Monthly active users

  • 1.8K

    Posts

  • 11K

    Comments

Community moderators