Quick and Easy Local SSL Certificates for Your Homelab!

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
We all know the feeling, You’ve finally set up all of  the stuff on your home server Plex, Sonarr, Paperless, Home Assistant And it all works fine! Except every time you access your  applications, you get this ugly SSL warning! Look, I know that that’s a first-world problem. And I know that there are  already a ton of solutions for it Self-signed certificates with  a local signing authority. Adding an exception in the browser, And of course, the good ol’  “just live with the pain”. But self-signed certificates  are a pain in the butt, Adding a browser exception only  works on one browser and one device, And ignoring the warnings only works   if you’re a completely sane and  stable human being with no OCD. But what if I told you that there’s way to get  pretty domain names for your homelab applications With valid SSL certificates, and with no need  to expose your services to the outside world. And the best part is that it’s absolutely free. I’m talking, of course, about using a reverse  proxy and DNS validation for our certificates. When you register a public domain name, you  usually point it to a public IP address. However, there’s nothing stopping  you from pointing it to a private   IP address that will only be  accessible on your local network. Then, we can use Let’s Encrypt’s DNS challenge  to get a valid SSL certificate for all of  your applications, without making them public. And as an added bonus – you won’t have to run  a custom DNS server like PiHole or Adguard Won’t have it edit hosts  files on any of your machines With one little exception,  which we’ll discuss later And it will basically just work on any  device that’s connected to your home network. Excited? Me too But not as excited as I am about  today’s sponsor, Brilliant.org Brilliant.org features a ton of fun interactive  online courses that help you learn math,   computer science, statistics,  and a lot of other subjects. Their courses are made  specifically for busy adults,   and just people who have a life, in general So you won’t need to spend hours in front of your  computer every day to learn, say, number theory. Or some other cool topic, like computational  biology, solar energy or quantum mechanics And if you find the recent developments  in AI technology unsettling, well, There’s no better way to protect yourself  from the machines taking over the world,   than learning how they work. And Brilliant.org has got you covered  with courses on machine learning,   neural networks and computer memory. So if you want to be spared in the  upcoming uprising of sentient AI bots, Go to brilliant.org/wolfgang,  and get your free 30-day trial The first 200 people to sign up with the link  will also get a 20% off their annual subscription. For this tutorial we’ll need a domain name. If you’re looking for a free option,  look no further than DuckDNS. The resulting domain will be kind of long,   but since most browsers these  days have autocompletion, I don’t think it’s that much of an issue. If you want a shorter domain name,   you can buy one for as little as 90 cents  on websites like Namecheap or GoDaddy, And the renewal fees are usually  somewhere around 5-10€ per year. For my homelab, I chose to go with  goose.party, because why the heck not. But for this tutorial, we’re  gonna be using DuckDNS,   because it’s free and very easy to set up. First thing we’ll need to set up for  this tutorial is a reverse proxy. For this example, I’ll be  using the Nginx proxy manager. Obviously, you don’t have to  use the Nginx Proxy Manager, And there’s a lot of other popular  reverse proxy applications,   such as Caddy, Traefik, SWAG, and so on. However, Nginx Proxy Manager  is very simple to configure, And if that’s your first time using a reverse  proxy, I think it’s one of the best options. One neat feature that Nginx Proxy Manager has   is built-in support for Let’s  Encrypt DNS-01 verification. The way Let’s Encrypt usually works is by  running a temporary web server on the port 80, and then asking the Let’s Encrypt certification  servers to generate a certificate for that server. However, in our case, the server that  we’ll be generating a certificate for,   won’t be publicly accessible. So instead, we’re gonna  use a method called DNS-01. DNS verification works by creating a special  DNS record on your DNS registar of choice, and then using it to verify that  the domain actually belongs to you. With DNS verification, you don’t  need to open any ports at all,   and it works even if your domain  doesn’t point to a public IP. You also don’t need to use any 3rd  party services like Cloudflare Tunnel. And as an added bonus, none of the  data actually leaves your home network So you don’t need to worry about firewall rules   or any kind of misconfiguration  on the part of Cloudflare Tunnel One more cool thing about DNS verification is   that it actually lets you create  wildcard records for your domains. Which means that no matter how  many subdomains you’re using,   you’ll only have to generate  one certificate for all of them. Nginx Proxy Manager does pretty much all the dirty  work of creating the special DNS records for you, and here’s a list of all DNS  providers that it supports. In case of DuckDNS, the only thing  you’ll need need is the API token,   which you can find here after you log in. So I have a fresh Debian 11  VM here on my home server,   and I’m gonna show you how to  set up the Nginx Proxy Manager. The best way to run it is with Docker, and  if you don’t have docker installed yet,   i’m also gonna show you how to install it. If you do have it installed, feel  free to skip to this timecode. First thing you want to do  is install dependencies. And by the way, if you’re already  running as root on your server,   feel free to omit "sudo" in all of these commands. Then, we’re gonna want to add the  official Docker repository key, like so After our key has been added,  let’s add the Docker APT repository And here, make sure you put  the correct architecture. If you’re running this on a  regular x86 PC, amd64 is fine, but in case you’re running this on  a Raspberry Pi or another ARM-based   computer, you’ll need to replace  `amd64` with `arm64`, like so. After that’s done, let’s update our  apt cache, by typing `sudo apt update` Now we can finally install  Docker, by typing this command: If you’re running as a non-root user, you’ll  also need to add yourself to the `docker` group, by typing `sudo usermod -aG docker username`  , and then logging out and logging back in. Now we can test if the docker works,  by typing `docker run hello-world` For this example, I’m going  to run nginx-proxy-manager,   as well as Nextcloud, Jellyfin and Home Assistant, And I’m gonna put them in  the same docker-compose file. This will make sure that all of our containers are   on the same Docker network and can  communicate with each other easily. Aside from the ports 81, 80  and 443 on the Nginx container,   we don’t need to forward any other ports  or expose our containers to the host. I’ll leave a link to this docker-compose file in   the video description in case  you want to play around with, and there’s also an example compose  in the Proxy manager’s Github repo. That being said, you don’t  have to use docker-compose,   or even Docker for your applications,  it’s just that it makes things way easier. For now, I’m just gonna exit the text  editor and type `docker-compose up -d`. After waiting a little bit for  all of our containers to launch,   we can now go to our browser and type  server_ip:81 to open the Proxy Manager WebUI. The default login here is admin@example.com,  and the password is “changeme”. First thing we need to do here is set our own  name, login and password, so let’s do that. Next, let’s go to SSL Certificates  and click on “Add SSL Certificate”. Before we go further, I’m actually gonna log in to   DuckDNS and create a domain  name for our proxy, like so. After that’s done, we need to point  the domain name to the IP address of   our proxy instance. In my case, it’s 192.168.0.105 If you’re using a different domain name provider, you’ll also need to create an additional  CNAME record for all the subdomains,   which should look something like this. Now let’s go back to the nginx proxy  manger and put our domain name here. We’ll also add a record for our subdomains,   which is the same domain name, plus  an asterisk and a dot in front of it. Then, we’ll click on “Use a DNS challenge”. Here, we need to select DuckDNS, and then  we’ll go back to DuckDNS, copy our Token,   and paste it right here, making sure  that there are no trailing spaces. Finally, let’s click on “I agree to Let’s  Encrypt Terms of Service”, and press Save. And if you did everything correctly, after some  time, you should see your generated certificates! If you get an error, like you see here, Don't worry about it! Not every bad thing in life is your fault. This actually might be because the DNS  changes aren’t getting propagated fast enough. By default, the Let’s Encrypt servers wait 30  seconds for the DNS changes to take effect,   and if that’s not enough, you might want  to set it at somewhere around 120 seconds. And as you can see, after  increasing the propagation time,   we can finally generate our certificates. Now let’s create our first proxy entry. This will let us access our Admin  WebUI with notthebee.duckdns.org. Let’s go to Hosts, Proxy Hosts,  and then click on “Add Proxy Host”. The domain name is going to be our  root domain, so notthebee.duckdns.org, And for the scheme, we need to choose HTTP. Since we’re using docker-compose, we don’t  actually have to put any IP addresses here. We can just refer to our containers  using their names in the compose file.  So in this case, `nginxproxymanager`. If you want to proxy a non-docker service, or  maybe if your service is not on the same Docker   network as the Nginx Proxy Manager, you’ll  need to put the IP address here instead. So for example, if your service is running on the   same machine as the Nginx Proxy  Manager, that will be localhost. Next, we’re gonna set our port,  in this case it’s port 81. Depending on the application, you also  might want to enable some of these options. For example, Home Assistant uses Websockets,  so you’ll want to enable them in that case. “Block Common Exploits” is not that useful,   since we’re running our proxy on the  local network, behind a firewall, And “Cache Assets” also doesn’t make much  of a difference in speed in my opinion. So if you want, you can enable these features  and then see if your app works correctly,  But personally I’d leave them off, unless  you really know that you need them. After that’s done, let’s go to SSL, and choose  the SSL certificate that we’ve generated earlier.  We’ll also click on Force SSL  and enable HTTP/2 Support. And yeah, that’s it. Now we can press on  Save, and open the URL in the browser. Aaand there you go! A local service  running in your home network,   with a pretty domain name  and a valid SSL certificate. Now let’s add another  service. For the domain name,   we’ll go with nextcloud.notthebee.duckdns.org. I’m using the Nextcloud image from linuxserverio,   which makes Nextcloud run  on the port 443 by default. This means that we’ll need to choose  https here, and 443 for the port. For the hostname, we’ll just put nextcloud,   since this is the name we gave our  container in the docker-compose file. Choose our certificate, and  enable the first two options. And now let’s open our new  entry in the browser… and,   yeah, there you go :) it’s literally that easy. Okay, so now I’ve added the entries  for Jellyfin and Home Assistant,   just to save you guys some time. And as you can see, I can access Jellyfin by  simply going to jellyfin.notthebee.duckdns.org With Home Assistant, you’ll also need to  add the IP address of your Nginx Proxy   Manager instance to the configuration file,  otherwise you’ll get an error, like this. But after editing the configuration file  and restarting the Home Assistant container,   I can now also access it by going  to home.notthebee.duckdns.org So that’s pretty much it, and one  last thing I want to mention is that   this method relies on the Internet  connection to resolve the domains. So if you have frequent Internet outages or  just want your services to work independently   of the Internet connection, that’s where  you might want to run your own DNS server. Alternatively, you can also add hosts  entries for your apps on your client   machines – but that obviously  won’t work on all client devices. Still, if you already have something like Pi-Hole  and AdGuard, you can just put your domains there,  and that will make sure that you can access  your stuff even with no Internet connection. So this is it! In this video we’ve set  up a reverse proxy for our local home   lab applications with pretty domain  names and valid SSL certificates. Without exposing our services to the  outside world, and with no need to   punch holes in our firewall or rely  on a third party tunneling service. I hope you guys enjoyed this video and as  usual, I would like to thank my Patrons.
Info
Channel: Wolfgang's Channel
Views: 444,994
Rating: undefined out of 5
Keywords:
Id: qlcVx-k-02E
Channel Id: undefined
Length: 12min 7sec (727 seconds)
Published: Mon May 15 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.