Computing/Running my own CA

From Cricalix.Net
Revision as of 08:28, 24 September 2023 by Cricalix
  1. Run step-ca in Docker on the Synology NAS, publishing port 9000 (9000:9000)
  2. Add the ACME provisioner per the step-ca docs
    1. SSH to the host
    2. docker exec -it smallstep-step-ca-1 /bin/bash
    3. step ca provisioner add acme --type ACME --x509-default-dur 730h # roughly 1 month
  3. Export the root CA certificate; it is needed everywhere the CA has to be trusted
    1. certs/root_ca.crt

HomeAssistant

  1. Update the http config to allow trusted reverse proxies
  2. Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
  3. Add a Caddyfile that specifies the local CA
  4. Ensure the Caddyfile points to the exported CA certificate, stored somewhere like /config
  5. Start Caddy2 and it should successfully retrieve a certificate
Working Caddyfile
homeassistant.home.arpa {
	reverse_proxy homeassistant:8123
	tls ca@home.arpa {
		ca https://vault.home.arpa:9000/acme/acme/directory
		ca_root /ssl/ca.pem
	}
}
Working configuration.yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.194  # whatever the homeassistant box resolves to

Synology

To add TLS/SSL to the NAS itself,

  1. Copy the root certificate to /var/db/ca-certificates with a .crt extension and mode 0644
  2. Run update-ca-certificates.sh
  3. Fetch acme.sh from GitHub: wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
  4. Install it to /usr/local/share/acme.sh/
  5. Piggyback on the DSM Let's Encrypt setup in nginx and run /usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt
  6. Set the SYNO_Username and SYNO_Password environment variables (used by the synology_dsm deploy hook)
  7. Run /usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
  8. Add a Task Scheduler entry that runs /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ frequently. step-ca's default certificate lifetime is 24 hours, so running every 4 hours keeps the certificate current; with the 1 month duration configured above, weekly would do.
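To confirm that the scheduled acme.sh run in step 8 is actually keeping the DSM certificate fresh, here is an added POSIX shell check that is not part of the original page, acme.sh or step-ca. It verifies that a certificate chains to the exported root (and only that root), still has a minimum number of days left, and optionally matches the expected hostname; the check_cert function name and any file paths are my own assumptions.

```shell
#!/bin/sh
# check_cert.sh (added example, not from the original page or from acme.sh/step-ca):
# verify that a leaf certificate issued by the private step-ca
#   1. chains to the exported root_ca.crt (the default CA file/dir are ignored),
#   2. still has at least MIN_DAYS of validity left (catches a stalled cron job),
#   3. optionally carries the expected hostname (SAN, or CN when no SAN present).
# Exit codes: 0 ok, 1 chain failure, 2 expiring too soon, 3 hostname mismatch.
# Usage: check_cert.sh ROOT_PEM LEAF_PEM [MIN_DAYS] [HOSTNAME]

check_cert() {
    root="$1"
    leaf="$2"
    min_days="${3:-7}"
    host="$4"

    # 1. Chain check against our private root only; -no-CAfile/-no-CApath keep the
    #    default CA file and directory out (add -no-CAstore on OpenSSL 3).
    if ! openssl verify -no-CAfile -no-CApath -CAfile "$root" "$leaf" >/dev/null 2>&1; then
        return 1
    fi

    # 2. Expiry check: -checkend succeeds only if the cert is still valid
    #    min_days from now. With step-ca's 24h default there is little slack,
    #    so a renewal run that silently fails shows up here quickly.
    if ! openssl x509 -in "$leaf" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        return 2
    fi

    # 3. Optional hostname check on top of the chain check.
    if [ -n "$host" ]; then
        if ! openssl verify -no-CAfile -no-CApath -CAfile "$root" -verify_hostname "$host" "$leaf" >/dev/null 2>&1; then
            return 3
        fi
    fi
    return 0
}

# Script entry point (paths are whatever acme.sh wrote; assumed, adjust as needed).
if [ "$#" -ge 2 ]; then
    check_cert "$@"
    rc=$?
    case "$rc" in
        0) echo "OK: $2 chains to $1 and is valid for at least ${3:-7} more day(s)" ;;
        1) echo "FAIL: $2 does not chain to $1" ;;
        2) echo "FAIL: $2 expires within ${3:-7} day(s); check the acme.sh cron task" ;;
        3) echo "FAIL: $2 is not valid for hostname $4" ;;
    esac
    exit "$rc"
fi
```

Run it from the same Task Scheduler (for example right after the acme.sh cron entry) so a non-zero exit is visible in the task log.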

iOS

  1. Email the root certificate to myself
  2. Tap on it in Mail
  3. Save to iCloud or phone
  4. Open Files app
  5. Tap certificate
  6. Open Settings; it should offer the downloaded profile for import
  7. Import the certificate
  8. Return to the Settings root and search for "trust"
  9. Enable full trust for the certificate


Paths taken, but reversed

  1. Use the letsencrypt add-on for HA and specify the CA crt in its configuration. The fix from https://github.com/home-assistant/addons/issues/2713 has to be applied, or things fail with error code 6.
  2. Use the step-client add-on for HA. This got the root CA crt copied over but didn't really help with anything else. It is easier to just copy the certificate by hand.