So i’m familiar with certs and domain names etc, and CA’s on the internet, but what I want to do is create a cert for all my LAN based services that have a login page, just to prevent local MITM attacks. Things like
pfSense
Netbox
HomeAssistant
piHole
all these locally accesses webservers, is it possible to create a cert and install on the devices I will be accessing them from? Do I need a CA to be running all the time to validate this CERT?
I also have a domain name, and was thinking about creating records for each service, such as
pfsense.domain.com, and just adding static DNS entries so these A records are only able to be resolved locally.
Has or does anyone currently do this?
Thanks
You must log in or register to comment.
I don’t have a static IP, so I had to do it by a roundabout route. First I set up dynamic DNS at mydomain.duckdns.org and configured pfsense to update it, then I CNAMED lan.mydomain.com to it. I used the ACME package on pfsense to grab a wildcard cert for *.lan.mydomain.com, set up local DNS records in pfsense’s resolver for the various services and proxied them in pfsense’s HAProxy package.
Check wildcard certificates via Let’s Encrypt.
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Caddy or traefik or swag do this. These act as reverse proxies.
https://www.reddit.com/r/homelab/s/CJgidijPD6 Or just caddy and stuff, although it doesn’t work for me
Wildcard certificates and HAProxy on pfSense is how I do it.