
#1 2018-03-23 05:17:32

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Letsencrypt Certificates and Local Area Network Names

I have been on a journey of learning for the last week.  I have set up nginx as a reverse proxy server for my cherrypy application.  I am using Certbot to create and manage a certificate for my DDNS subdomain.  Works perfectly.
Note that I redirect all port 80 traffic to port 443.  The router forwards traffic to this computer, turing.lan.

I have been reading lots of documentation about Letsencrypt, CherryPy and Nginx here on the Arch Wiki and, to a lesser degree, the forums.  It has been like drinking from a firehose.

My issue is how best to access the nginx server from inside my LAN.  Instead of the DDNS domain name that is in the certificate, I have names such as turing.lan, router.lan, hp4653.lan, roku.lan.   Of course, when accessing the site from the LAN, the browser warns of the use of a certificate that is not valid on the domain.

What is the best way to access the webserver on turing.lan without getting a warning that the cert is invalid for the domain?   It is not clear in which direction I should look and would appreciate a nudge in the right direction.

The approaches I am investigating are expanding the scope of the certificate by adding domains. Or does one use a different certificate for the LAN with a different server clause in Nginx?  And if so, how is it possible to get that cert signed with Letsencrypt and Certbot?  Or is a self-signed cert all that I can do?

Suggestions?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#2 2018-03-23 06:59:54

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Letsencrypt Certificates and Local Area Network Names

I believe the recommended option is registering a public domain, setting up subdomains (maybe to a simple catch-all), then registering them for Let's Encrypt. In your LAN you'll have your own DNS which resolves local IPs instead.

https://community.letsencrypt.org/t/cer … rks/174/35

Last edited by progandy (2018-03-23 07:06:51)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
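
As an added illustration of the split-DNS approach suggested above (not code from any poster in this thread): the browser checks the name in the URL against the certificate's subject alternative names, not the address it resolved to, so a LAN resolver that answers the certificate's public name with the local address avoids the warning. `home.example.org`, the addresses and every function name are constructed placeholders.

```python
import ipaddress

# Constructed sample data: the real DDNS name is not given in the thread.
CERT_SANS = ["home.example.org"]                  # names in the Certbot-issued cert
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
LAN_DNS = {"turing.lan": "192.168.1.10",          # existing local-only name
           "home.example.org": "192.168.1.10"}    # split-DNS override of the public name
PUBLIC_DNS = {"home.example.org": "203.0.113.7"}  # record seen from the Internet


def san_matches(hostname, san):
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.org".
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def resolve(hostname, on_lan):
    """LAN clients ask the local resolver first; everyone else gets the public record."""
    if on_lan and hostname in LAN_DNS:
        return LAN_DNS[hostname]
    return PUBLIC_DNS.get(hostname)


def check(hostname, on_lan):
    """Report where the connection goes and whether the certificate covers the name."""
    addr = resolve(hostname, on_lan)
    return {
        "address": addr,
        "stays_on_lan": addr is not None and ipaddress.ip_address(addr) in LAN_NET,
        "cert_valid": any(san_matches(hostname, s) for s in CERT_SANS),
    }


if __name__ == "__main__":
    for name, on_lan in [("turing.lan", True),
                         ("home.example.org", True),
                         ("home.example.org", False)]:
        print(name, "LAN" if on_lan else "WAN", check(name, on_lan))
```
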


#3 2018-03-23 12:55:51

positronik
Member
Registered: 2016-02-08
Posts: 94

Re: Letsencrypt Certificates and Local Area Network Names

progandy wrote:

... In your LAN you'll have your own DNS which resolves local IPs instead. ...

I second this. It is exactly what I do for accessing my Nextcloud server via LAN.

Well, for me that's easy because I already have a home DNS server.


#4 2018-03-23 16:11:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Letsencrypt Certificates and Local Area Network Names

Well, that was an interesting read.  Thank you both.
I was aware that one class of challenges had to do with DNS as opposed to write access on the domain.  I had hoped to keep my head buried in the sand on the DNS side of the fence.  Mostly because I am using DDNS and am using a subdomain I control in which I do not control the top domain.   Nevertheless, the idea of using a publicly available server with the same name as the one I want to use internally is nice -- but -- I gather the address would have to be one I control, and is valid for the Internet at large.  So, an address such as turing.lan is not going to cut it.   I could use turing.net, but I gather I would have to own the domain.

Am I understanding this?



#5 2018-03-23 16:44:49

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441

Re: Letsencrypt Certificates and Local Area Network Names

Domain names are ridiculously cheap if you don't care too much about the tld.  turing.ninja is available for $5.  Or if you're not too selective about the domain itself, you can get a common tld for cheap: ewaller.com would be $9.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman
