Computing/Running my own CA
From Cricalix.Net
Revision as of 08:28, 24 September 2023
- Run step-ca in docker on the Synology NAS, mapping port 9000:9000 through to the container
- Add the ACME provisioner per the docs
- SSH to the host, open a shell in the container and add the provisioner:
    docker exec -it smallstep-step-ca-1 /bin/bash
    step ca provisioner add acme --type ACME --x509-default-dur 730h   # roughly 1 month
  step-ca's maximum certificate lifetime also defaults to 24h, and the default may not exceed the maximum, so raise --x509-max-dur alongside a longer default.
- Export the root certificate; every client below needs it in its trust store:
    certs/root_ca.crt
HomeAssistant
- Update the http config to allow trusted reverse proxies
- Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
- Add a Caddyfile that points Caddy's ACME client at the local CA instead of Let's Encrypt
- Copy the exported root certificate somewhere the add-on can read it, such as /ssl or /config (the Caddyfile below uses /ssl/ca.pem); without ca_root Caddy cannot verify the CA's own TLS endpoint and the ACME exchange fails
- Start Caddy2 and it should successfully retrieve a certificate

Working Caddyfile

homeassistant.home.arpa {
    reverse_proxy homeassistant:8123
    tls ca@home.arpa {
        ca https://vault.home.arpa:9000/acme/acme/directory
        ca_root /ssl/ca.pem
    }
}

Working configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.194  # whatever the homeassistant box resolves to

Only list the proxy's own address here: Home Assistant takes the client IP from X-Forwarded-For for any peer in trusted_proxies, so a broader entry lets anyone spoof the address that IP bans and login-attempt throttling are keyed on.
Synology
To add TLS/SSL to the NAS itself,
- Copy the root certificate to /var/db/ca-certificates with a .crt extension, mode 0644
- Run update-ca-certificates.sh so DSM's own tools (including acme.sh below) trust the CA
- Grab acme.sh from Github (pin a tagged release rather than master if you want a reproducible install):
    wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
- Install to /usr/local/share/acme.sh/
- Piggyback on the DSM Let's Encrypt webroot in nginx, and run
    /usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt
- Set SYNO_Username and SYNO_Password in the environment (a DSM account allowed to manage certificates) and deploy:
    /usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
- Add a Task Scheduler entry to run
    /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
  frequently. step-ca's default lifetime is 24 hours, so every 4 hours keeps the certificate current; with the 1 month provisioner default above, weekly is enough. Either way, acme.sh decides when to renew from its --days setting (by default 60 days after issue), not from the certificate's expiry, so pass --days with a value shorter than the issued lifetime on the --issue command (for example --days 20 for a 730h certificate), or the cron job will skip straight past expiry.
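Two checks underpin everything above: a client only accepts the NAS certificate if it chains to the exported root_ca.crt, and the renewal cron only helps if it fires before the short-lived certificate lapses. The script below is an added example, not code from this page, step-ca or acme.sh: it builds a throwaway root and leaf with the openssl CLI so it runs offline, then runs the same chain-and-hostname verification the clients do and a "renew now?" test driven by the certificate's real expiry. The hostname vault.home.arpa is reused from the page; the 30-day lifetime, the function names and the demo root's name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original page or from step-ca/acme.sh.
# Two checks a private-CA setup like the one above relies on, using only the
# openssl CLI:
#   verify_chain ROOT LEAF HOST   exit 0 if LEAF chains to ROOT and is valid for HOST
#   renew_due LEAF DAYS           exit 0 if LEAF expires within DAYS (renew now)
# make_test_pki builds a throwaway root + leaf so everything runs offline; in real
# use ROOT is step-ca's certs/root_ca.crt and LEAF the cert acme.sh or Caddy obtained.
# Hostname, lifetimes and function names are assumptions for the demo.

make_test_pki() {
    dir=$1
    # Constructed test root: self-signed P-256 key, marked as a CA. A private
    # config file is used so the system openssl.cnf cannot add extensions.
    cat > "$dir/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home test root (demo)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 3650 -config "$dir/root.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    # Constructed leaf for the NAS name, signed by the root for 30 days (about
    # what a 730h ACME provisioner default hands out).
    cat > "$dir/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vault.home.arpa
EOF
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:vault.home.arpa
EOF
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -config "$dir/leaf.cnf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" >/dev/null 2>&1
}

# The check every client (Caddy, acme.sh, DSM, iOS) performs once the root is
# trusted: the chain must end at ROOT and HOST must be in the SAN.
verify_chain() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# True (exit 0) when LEAF expires within DAYS. A renewal cron with this threshold
# must run more often than DAYS, and DAYS must be shorter than the issued
# lifetime, otherwise the certificate lapses before anyone notices.
renew_due() {
    ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Walk through both checks against the throwaway PKI and print the verdicts.
demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    if verify_chain "$dir/root.crt" "$dir/leaf.crt" vault.home.arpa; then
        echo "leaf chains to root and is valid for vault.home.arpa"
    else
        echo "chain verification FAILED"; rm -rf "$dir"; return 1
    fi
    for days in 10 20 60; do
        if renew_due "$dir/leaf.crt" "$days"; then
            echo "renew threshold ${days}d: renewal due now"
        else
            echo "renew threshold ${days}d: not yet"
        fi
    done
    rm -rf "$dir"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RUN_DEMO=1 sh ca_checks.sh for the walkthrough, or source it and point verify_chain at root_ca.crt and the certificate DSM is serving. The 30-day demo leaf is "not yet" due at a 10- or 20-day threshold but due immediately at 60 days, which is exactly the mismatch the --days caveat above is about: a threshold longer than the lifetime means every run of the cron is already too late.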
iOS
- Email the root certificate to myself
- Tap on it in Mail
- Save to iCloud or the phone
- Open the Files app
- Tap the certificate; iOS downloads it as a configuration profile
- Open Settings, which should now show the downloaded profile
- Install the profile
- From the Settings root, search for trust (Settings > General > About > Certificate Trust Settings)
- Enable full trust for the root certificate; without this step the profile is installed but Safari and other apps still reject the CA
Paths taken, but reversed
- Use the letsencrypt add-on for HA, and specify the CA crt in the configuration. The fix from https://github.com/home-assistant/addons/issues/2713 has to be applied or it fails with error code 6.
- Use the step-client add-on for HA. This got the root CA crt copied over but didn't help with anything else; it is easier to copy the certificate by hand.