Shit like this is why building websites is no longer fun for me like it was back in the 90s and 2000s. There's way too much security shit to worry about now.
this post was submitted on 02 Dec 2025
446 points (98.9% liked)
Selfhosted
53294 readers
1051 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I still think the web would have been better off if certificates were signed and part of a web of trust like in GPG/PGP. It wouldn't stop sites from using trusted CAs to increase their trust levels with browsers, but it would mean that tiny websites wouldn't need to go through layers of mandatory bullshit and inconvenience. Also means that key signers could have meaningful business relationships rather than being some random CA that nobody has a clue about.
3 letter organisms: NSA - CIA. People tend to think that's a conspiracy theory... Even though we have so many real life examples about how the US and the 3 letters agencies have their hands all over the web and privacy and encryption is just a wet dream !
I'm sorry but if you aren't using automated renewals then you are not using let's encrypt the way it's intended to be used. You should take this as an opportunity to get that set up.
Ours is automated, but we incur downtime on the renewal because our org forbids plain http so we have to do TLS-ALPN-01. It is a short downtime. I wish let's encrypt would just allow http challenges over https while skipping the cert validation. It's nuts that we have to meaningfully reply over 80...
Though I also think it's nuts that we aren't allowed to even send a redirect over 80...
Hot take: for-profit orgs should be buying TLS certificates from the CA cartel instead of using Let's Encrypt. Unless you're donating to LE, and in that case it's cool.
our org forbids plain http
is redirecting http to https also out of the question? because let's encrypt HTTP-01 accepts http -> https redirects:
Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates.
They in fact refuse to even do a redirect... it's monumentally stupid and I've repeatedly complained, but 'security' team says port 80 doing anything but dropping the packet or connection refused is bad...
oh my god
Can't use DNS?
The same screwed up IT that doesn't let us do HTTP-01 challenges also doesn't let us do DNS except through some bs webform, and TXT records are not even vaguely in their world.
It sucks when you are stuck with a dumber broad IT organization...
Wow...
Yikes. I feel for you man.
I've got it setup automated on all my external domains, but trying to automate it on my internal-only domain is rather tedious since not only do I NOT want to open a port for it to confirm, but I have 2 other devices/services on the network not behind my primary reverse proxy that share the same cert.
What In need to do is setup my own custom cron that hits the hosting provider to update the DNS txt entries. Then I need to have it write and restart the services that use the cert. I've tried to automate this once before and it did not go so smoothly so I've been hesitant on wasting time to try it again... But maybe it's time to.
What would be ideal is if I could allow it to be automated just by getting a one time dns approval and storing a local private/public key to prove to them that I'm the owner of the domain or something. Not aware of this being possible though.
load more comments
(2 replies)
load more comments
(15 replies)
YES! Keep cutting it down!
Revocation is a lost cause and if you don’t automate you deserve what you get.
I have multiple self hosted services at home which are impossible to automate because they are not accessible from the internet without VPN. And some even don't have internet access. Still me and my roommates are using them through a valid domain that points to the local address enabling https. Some services require https to function at all. After log4j i'll never again open a "normal" port 80 or 443 to my local net. So thanks i guess. 90 days was annoying already. Great it works out for you
Use DNS validation
The solution is to not use Http based validation of the cert, but use dns based validation. Possibly combined with a wildcard cert for your whole domain. This is what I do for internal services on my LAN, along with split DNS so that the internal services aren't even listed in public DNS.
Dude, you need to figure out a way to automate that. It’s no way to live.
I agree, but it's impossible to convince my less tech savy roommates and friends to let me install a root certificate. "That sounds like i could read all their private messages", lol. Just let me have my certificate for https in my local net. I don't need to be "even more" secure. I get that that's necessary for public services, but surely not for local selfhosting. I don't even have a port open other than wireguard. And i would not even care "if a roommate hacks/gets access to a guests voice commands for home assistant." (Not complaining at you but at this trend. I do think my use case is valid)
You are gonna laugh if i tell you how i partly automated this workaround. A script changes the (dyn) dns entries of all subdomains to point to my public server in a datacenter. There, it ssh's in and requests the certificates with certbot. Then, it restores the dns entries and downloads and installs the certificates in the local net. Still requires manual supervision and sometimes intervention. My domains do not support automated dnssec. I don't have time to secure my local net enough to feel good about opening ports. If all certificate lifetimes get shorter, i'll either have to switch my domain provider or give up selfhosting for other people.
Allowing a certificate without proper validation for local only networks is a terrible, terrible idea. I could super easily use this as a loophole to set up a honeypot public free wi-fi, redirect all traffic through a reverse proxy and man-in-the-middle every single HTTPS connection, effectively allowing me to harvest everyone's passwords in a really quick and easy way.
Just use DNS verification. It's not that hard.
I've had dns-01 validation running for a while now. It's not difficult, just a paradigm shift. I spent a minute just now looking for a concise how-to for you and didn't find one, so I suppose I'll have to write it.
I'll bookmark this comment so I can find you once I've done that.
Can you not issue your own certificate? I guess it depends on how many devices and what types of devices need to connect. It's be a one time effort per device (importing your own self signed cert) versus one time effort per service per X days.
I did that for myself a few years back. But i can't convince my roommates, let's not even speak of guests, to install a (my) root certificate. My android phone still complains about "possibly supervised network traffic" since back when i installed my root ca. Maybe there is another solution im not aware of, but i can't think of any
It's so infuriating to me that there isn't a way to just encrypt traffic without verifying it's part of a chain. By all means, give a nag warning in browsers, but ugh, I think that ship has long since sailed. Plus, realistically, you'd need just as many scary warnings to deter the average user that they might be getting MITMed.
minor panic, oh, "2028".
Might as well adjust the setting now. I had that same feeling for something they changed several years ago and never got around to changing it til all my stuff went down lol.
load more comments
(1 replies)
view more: next ›