Selfhosted
I have multiple self-hosted services at home which are impossible to automate because they are not accessible from the internet without VPN. And some don't even have internet access. Still, me and my roommates are using them through a valid domain that points to the local address, enabling HTTPS. Some services require HTTPS to function at all. After log4j I'll never again open a "normal" port 80 or 443 to my local net. So thanks, I guess. 90 days was annoying already. Great it works out for you.
Use DNS validation
The solution is to not use HTTP-based validation of the cert, but use DNS-based validation. Possibly combined with a wildcard cert for your whole domain. This is what I do for internal services on my LAN, along with split DNS so that the internal services aren't even listed in public DNS.
Dude, you need to figure out a way to automate that. It’s no way to live.
I agree, but it's impossible to convince my less tech-savvy roommates and friends to let me install a root certificate. "That sounds like I could read all their private messages", lol. Just let me have my certificate for HTTPS in my local net. I don't need to be "even more" secure. I get that that's necessary for public services, but surely not for local selfhosting. I don't even have a port open other than WireGuard. And I would not even care "if a roommate hacks/gets access to a guest's voice commands for Home Assistant." (Not complaining at you but at this trend. I do think my use case is valid.)
You are gonna laugh if I tell you how I partly automated this workaround. A script changes the (dyn) DNS entries of all subdomains to point to my public server in a datacenter. There, it ssh's in and requests the certificates with certbot. Then, it restores the DNS entries and downloads and installs the certificates in the local net. Still requires manual supervision and sometimes intervention. My domains do not support automated DNSSEC. I don't have time to secure my local net enough to feel good about opening ports. If all certificate lifetimes get shorter, I'll either have to switch my domain provider or give up selfhosting for other people.
Allowing a certificate without proper validation for local only networks is a terrible, terrible idea. I could super easily use this as a loophole to set up a honeypot public free wi-fi, redirect all traffic through a reverse proxy and man-in-the-middle every single HTTPS connection, effectively allowing me to harvest everyone's passwords in a really quick and easy way.
Just use DNS verification. It's not that hard.
I've had dns-01 validation running for a while now. It's not difficult, just a paradigm shift. I spent a minute just now looking for a concise how-to for you and didn't find one, so I suppose I'll have to write it.
I'll bookmark this comment so I can find you once I've done that.
Can you not issue your own certificate? I guess it depends on how many devices and what types of devices need to connect. It'd be a one-time effort per device (importing your own self-signed cert) versus one-time effort per service per X days.
I did that for myself a few years back. But I can't convince my roommates, let's not even speak of guests, to install a (my) root certificate. My Android phone still complains about "possibly supervised network traffic" since back when I installed my root CA. Maybe there is another solution I'm not aware of, but I can't think of any.
It's so infuriating to me that there isn't a way to just encrypt traffic without verifying it's part of a chain. By all means, give a nag warning in browsers, but ugh, I think that ship has long since sailed. Plus, realistically, you'd need just as many scary warnings to deter the average user that they might be getting MITMed.