Computing/Running my own CA: Difference between revisions
From Cricalix.Net
Revision as of 08:12, 24 September 2023
- Use step-ca in docker on Synology NAS
- Add the acme provider per the docs
- Export the root CRT file; it is needed wherever the CA must be trusted
HomeAssistant
- Update the http config to allow trusted reverse proxies
- Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
- Add a Caddyfile that specifies the local CA
- Ensure the Caddyfile points to the exported CA certificate, stored somewhere like /config
- Start Caddy2 and it should successfully retrieve a certificate
Synology
To add TLS/SSL to the NAS itself,
- Copy the root cert to /var/db/ca-certificates with a .crt extension and mode 0644
- Run update-ca-certificates.sh
- Grab acme.sh from Github:
  wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
- Install to /usr/local/share/acme.sh/
- Install the community package SynoCli Network Tools
- Issue the certificate against the step-ca ACME directory:
  /usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt
- Set SYNO_Username and SYNO_Password in the environment
- Deploy the certificate into DSM:
  /usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
- Add a Task Scheduler entry that runs the following frequently; step-ca's default certificate lifetime is 24 hours, so every 4 hours should keep the certificate updated:
  /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
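The Synology steps above, collected into one script as an added example (this is not from the wiki page or from acme.sh). The paths, domain, ACME directory URL and webroot are the ones the page uses; the function names, the MIN_HOURS_LEFT threshold, the default CERT_PATH (acme.sh's usual <home>/<domain>/<domain>.cer layout, which differs for ECC keys) and the `check` subcommand are this example's own assumptions. The `check` step is the part the page does not show: with 24-hour certificates, a stalled 4-hourly renewal breaks TLS within a day, so the same Task Scheduler entry can verify that the deployed certificate still has enough lifetime left.

```shell
#!/bin/sh
# Added example: idempotent wrapper for the Synology steps on this page.
# Assumptions (not from the page): MIN_HOURS_LEFT, CERT_PATH, function names.
set -eu

ACME_HOME="${ACME_HOME:-/usr/local/share/acme.sh}"
CA_DIR="${CA_DIR:-/var/db/ca-certificates}"
DOMAIN="${DOMAIN:-vault.home.arpa}"
ACME_DIR_URL="${ACME_DIR_URL:-https://vault.home.arpa:9000/acme/acme/directory}"
WEBROOT="${WEBROOT:-/var/lib/letsencrypt}"
CERT_PATH="${CERT_PATH:-$ACME_HOME/$DOMAIN/$DOMAIN.cer}"   # assumed acme.sh layout
MIN_HOURS_LEFT="${MIN_HOURS_LEFT:-8}"   # assumed: two missed 4-hourly runs

# Step "copy the root cert to /var/db/ca-certificates, .crt, 0644".
# Refuses anything that is not a PEM certificate and forces the .crt suffix.
install_root_ca() {
  src="$1"; name="${2:-$(basename "$src")}"
  grep -q -e '-----BEGIN CERTIFICATE-----' "$src" || {
    echo "not a PEM certificate: $src" >&2; return 1; }
  dest="$CA_DIR/${name%.crt}.crt"
  mkdir -p "$CA_DIR"
  install -m 0644 "$src" "$dest"
  echo "$dest"
}

# Step "run update-ca-certificates.sh" (DSM's trust store refresh).
refresh_trust_store() {
  if command -v update-ca-certificates.sh >/dev/null 2>&1; then
    update-ca-certificates.sh
  else
    echo "update-ca-certificates.sh not found; trust store not refreshed" >&2
    return 1
  fi
}

# Steps "--issue" and "--deploy", with exactly the flags the page uses.
issue_cert() {
  "$ACME_HOME/acme.sh" --issue --home "$ACME_HOME" -d "$DOMAIN" \
    --server "$ACME_DIR_URL" --webroot "$WEBROOT"
}
deploy_cert() {
  # The synology_dsm hook reads SYNO_Username / SYNO_Password from the environment.
  : "${SYNO_Username:?set SYNO_Username}" "${SYNO_Password:?set SYNO_Password}"
  "$ACME_HOME/acme.sh" --deploy --home "$ACME_HOME" -d "$DOMAIN" --deploy-hook synology_dsm
}

# Renewal health: whole hours between notAfter ($1) and now ($2), both epoch seconds.
hours_left() {
  echo $(( ($1 - $2) / 3600 ))
}
# True (exit 0) when the certificate has fewer than MIN_HOURS_LEFT hours remaining.
renewal_stalled() {
  [ "$(hours_left "$1" "$2")" -lt "$MIN_HOURS_LEFT" ]
}
# notAfter of a PEM certificate as epoch seconds (needs openssl and GNU date).
cert_not_after_epoch() {
  na="$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
  date -u -d "$na" +%s
}

main() {
  case "${1:-}" in
    install-ca) install_root_ca "$2" "${3:-}" && refresh_trust_store ;;
    issue)      issue_cert ;;
    deploy)     deploy_cert ;;
    cron)       "$ACME_HOME/acme.sh" --cron --home "$ACME_HOME/" ;;
    check)      # run after cron from the same Task Scheduler entry
      na="$(cert_not_after_epoch "$CERT_PATH")"
      if renewal_stalled "$na" "$(date -u +%s)"; then
        echo "certificate $CERT_PATH expires in $(hours_left "$na" "$(date -u +%s)")h; renewal stalled" >&2
        exit 2
      fi ;;
    *) echo "usage: $0 install-ca <root.pem> [name] | issue | deploy | cron | check" >&2; exit 64 ;;
  esac
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Use `install-ca root_ca.crt` once, then `issue` and `deploy` once, and put `cron` followed by `check` in the 4-hourly Task Scheduler entry so a non-zero exit from `check` surfaces in the scheduler's output instead of as a browser certificate error a day later.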