I have been on a journey of learning for the last week. I have set up nginx as a reverse proxy server for my cherrypy application. I am using Certbot to create and manage a certificate for my DDNS subdomain. Works perfectly.
Note that I redirect all port 80 traffic to port 443. The router forwards traffic to this computer, turing.lan.
I have been reading lots of documentation about Let's Encrypt, CherryPy and nginx here on the Arch Wiki and, to a lesser degree, the forums. It has been like drinking from a firehose.
My issue is how best to access the nginx server from inside my LAN. Instead of the DDNS domain name that is in the certificate, I have names such as turing.lan, router.lan, hp4653.lan, roku.lan. Of course, when accessing the site from the LAN, the browser warns of the use of a certificate that is not valid on the domain.
What is the best way to access the webserver on turing.lan without getting a warning that the cert is invalid for the domain? It is not clear in which direction I should look and would appreciate a nudge in the right direction.
The approaches I am investigating are expanding the scope of the certificate by adding domains,
Or, does one use a different certificate for the LAN with a different server clause in nginx? And if so, how is it possible to get that cert signed with Let's Encrypt and Certbot? Or is a self-signed cert all that I can do?
Suggestions?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
I believe the recommended option is registering a public domain, setting up subdomains (maybe to a simple catch-all), then registering them for Let's Encrypt. In your LAN you'll have your own DNS which resolves local IPs instead.
https://community.letsencrypt.org/t/cer … rks/174/35
Last edited by progandy (2018-03-23 07:06:51)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
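Why the approach in the post above avoids the warning, as an added example that is not part of the original thread: the browser compares the name in the address bar with the names in the certificate, so the LAN resolver has to answer the certificate's public name with the local address. All names and addresses are constructed placeholders, and the matcher is a simplified version of the hostname check a browser performs.

```python
# Added example: names, IPs and SAN entries below are constructed placeholders.
import ipaddress

def san_matches(hostname, san):
    """Match a hostname against one dNSName SAN entry.
    A wildcard is honoured only as the whole left-most label and covers
    exactly one label; a bare "*.tld" pattern is rejected."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def covered(hostname, cert_sans):
    """True if any SAN entry in the certificate covers the hostname."""
    return any(san_matches(hostname, s) for s in cert_sans)

def lan_report(cert_sans, lan_dns):
    """For each name the LAN resolver answers, report whether a browser would
    accept the certificate and whether the connection stays on the LAN."""
    report = {}
    for name, ip in lan_dns.items():
        report[name] = {
            "cert_ok": covered(name, cert_sans),
            "stays_on_lan": ipaddress.ip_address(ip).is_private,
        }
    return report

# Constructed sample data: one public name in the certificate, and a LAN
# resolver that answers both the internal name and the public name locally.
CERT_SANS = ["home.example.org"]
LAN_DNS = {
    "turing.lan": "192.168.1.10",        # internal-only name, not in the cert
    "home.example.org": "192.168.1.10",  # public name overridden on the LAN
}

if __name__ == "__main__":
    for name, result in lan_report(CERT_SANS, LAN_DNS).items():
        print(name, result)
```

Both names reach the same machine, but only the name that appears in the certificate passes the hostname check.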
... In your lan you'll have your own dns which resolves local ips instead. ...
I second this. It is exactly what I do for accessing my Nextcloud server via LAN.
Well for me that's easy because I already have a home DNS server.
Well, that was an interesting read. Thank you both.
I was aware that one class of challenges had to do with DNS as opposed to write access on the domain. I had hoped to keep my head buried in the sand on the DNS side of the fence. Mostly because I am using DDNS and am using a subdomain I control in which I do not control the top domain. Nevertheless, the idea of using a publicly available server with a name the same as the name I want to use internally is nice -- but -- I gather the address would have to be one I control, and is valid for the Internet at large. So, an address such as turing.lan is not going to cut it. I could use turing.net, but I gather I would have to own the domain.
Am I understanding this?
Domain names are ridiculously cheap if you don't care too much about the tld. turing.ninja is available for $5. Or if you're not too selective about the domain itself, you can get a common tld for cheap: ewaller.com would be $9.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman