Computing/Running my own CA: Difference between revisions
From Cricalix.Net
mNo edit summary |
mNo edit summary |
||
Line 43: | Line 43: | ||
# Run update-ca-certificates.sh | # Run update-ca-certificates.sh | ||
# Grab acme.sh from Github - <code>wget <nowiki>https://github.com/acmesh-official/acme.sh/archive/master.tar.gz</nowiki></code> | # Grab acme.sh from Github - <code>wget <nowiki>https://github.com/acmesh-official/acme.sh/archive/master.tar.gz</nowiki></code> | ||
# Install to /usr/local/share/acme.sh/ | # Install to /usr/local/share/acme.sh/ - <code>./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "acme@home.arpa"</code> | ||
# Piggyback on the DSM Let's Encrypt setup in nginx, and run <code>/usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa --server <nowiki>https://vault.home.arpa:9000/acme/acme/directory</nowiki> --webroot /var/lib/letsencrypt --days 90</code> | # Piggyback on the DSM Let's Encrypt setup in nginx, and run <code>/usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa --server <nowiki>https://vault.home.arpa:9000/acme/acme/directory</nowiki> --webroot /var/lib/letsencrypt --days 90</code> | ||
# Set SYNO_Username, SYNO_Password | # Set SYNO_Username, SYNO_Password | ||
Line 73: | Line 73: | ||
# Request name router.home.arpa | # Request name router.home.arpa | ||
# Should all work | # Should all work | ||
<code>/etc/config/acme</code> | |||
config acme | |||
option state_dir '/etc/acme' | |||
option debug '0' | |||
option account_email 'acme@home.arpa' | |||
config cert 'router' | |||
option enabled '1' | |||
option use_staging '0' | |||
option keylength '2048' | |||
list domains 'router.home.arpa' | |||
option update_uhttpd '1' | |||
option validation_method 'webroot' | |||
option webroot '/www' | |||
option use_acme_server '1' | |||
option acme_server 'https://192.168.0.218:9000/acme/acme/directory' | |||
=== iOS === | === iOS === |
Revision as of 09:55, 24 September 2023
I use the RFC-approved home.arpa domain at home. You cannot get certificates for devices from Let's Encrypt when you do this, because no-one (those of us who want certificates at least) has control over the DNS for home.arpa. This also means the CA has to be on the LAN, because a net-based service a) won't know how to look up home.arpa entries on the local router, b) and even if it could, it can't reach the internal services without firewall hole punching.
Thus, run step-ca locally in a Docker container, and get everything configured to talk to it.
CA Setup
- Use step-ca in docker on Synology NAS, mapping through port 9000:9000
- Add the acme provider per the docs
- SSH to the host
docker -it smallstep-step-ca-1 /bin/bash
step ca provisioner add acme --type ACME --x509-default-dur 730h # 1 monthish
- Export out the root CRT file, will need it for trust everywhere
certs/root_ca.crt
Deploy
HomeAssistant
- Update the http config to allow trusted reverse proxies
- Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
- Add a Caddyfile that specifies the local CA
- Ensure the Caddyfile points to the exported CA certificate in somewhere like /config
- Start Caddy2 and it should successfully retrieve a certificate
Working Caddyfile
homeassistant.home.arpa { reverse_proxy homeassistant:8123 tls ca@home.arpa { ca https://vault.home.arpa:9000/acme/acme/directory ca_root /ssl/ca.pem } }
Working configuration.yaml
http: use_x_forwarded_for: true trusted_proxies: - 192.168.0.194 # whatever the homeassistant box resolves to
Synology
To add TLS/SSL to the NAS itself,
- Copy the cert to /var/db/ca-certificates, named .crt, 0644
- Run update-ca-certificates.sh
- Grab acme.sh from Github -
wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
- Install to /usr/local/share/acme.sh/ -
./acme.sh --install --nocron --home /usr/local/share/acme.sh --accountemail "acme@home.arpa"
- Piggyback on the DSM Let's Encrypt setup in nginx, and run
/usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt --days 90
- Set SYNO_Username, SYNO_Password
/usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
- Add a Task Scheduler entry to run
/usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/
frequently. step-ca defaults to 24 hours, so every 4 hours should ensure the certificate stays updated. With a 1 month renewal, this could be weekly.
Dockers on Synology
The NAS runs multiple contains for things like Jellyfin. A small dance is needed, but it's not a bad one.
- Add DNS name on router DNS zone, A record pointing at the vault.home.arpa name
- Re-run the --issue command, adding another -d for the name to add to the certificate. This turns into a SAN certificate.
- Deploy the certificate
- Settings > Login Portal > Advanced > Reverse Proxy
- Proxy the new name on https to localhost on the relevant port.
- Save
- Try the new name in a browser or whatever.
Desktop
- For firefox, find the CA cert, add it to the local store
Router
- Add router.home.arpa to the static DNS setup
- Install the luci-app-acme UI; it pulls in acme.sh
- Delete existing configs
- Add new config pointing to IP address of vault as custom source
- Hack the code to add --insecure to the curl call
- Request name router.home.arpa
- Should all work
/etc/config/acme
config acme option state_dir '/etc/acme' option debug '0' option account_email 'acme@home.arpa' config cert 'router' option enabled '1' option use_staging '0' option keylength '2048' list domains 'router.home.arpa' option update_uhttpd '1' option validation_method 'webroot' option webroot '/www' option use_acme_server '1' option acme_server 'https://192.168.0.218:9000/acme/acme/directory'
iOS
- Email the root certificate to myself
- Tap on it in Mail
- Save to iCloud or phone
- Open Files app
- Tap certificate
- Open Settings, should go to profile imports
- Import the certificate
- Settings root, search for trust
- Enable trust for the certificate
Paths taken, but reversed
- Use the letsencrypt add-on for HA, and specify the CA crt in the configuration. Have to apply https://github.com/home-assistant/addons/issues/2713's fix or things fail with error code 6.
- Use the step-client add-on for HA. This got the root CA crt copied over, but didn't help with anything else really. Easier to just copy the certificate by hand.