Computing/Running my own CA

From Cricalix.Net
Revision as of 08:12, 24 September 2023 by Cricalix (talk | contribs)
  1. Use step-ca in docker on Synology NAS
  2. Add the acme provider per the docs
  3. Export out the root CRT file, will need it for trust everywhere

HomeAssistant

  1. Update the http config to allow trusted reverse proxies
  2. Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
  3. Add a Caddyfile that specifies the local CA
  4. Ensure the Caddyfile points to the exported CA certificate in somewhere like /config
  5. Start Caddy2 and it should successfully retrieve a certificate

Synology

To add TLS/SSL to the NAS itself,

  1. Copy the cert to /var/db/ca-certificates, named .crt, 0644
  2. Run update-ca-certificates.sh
  3. Grab acme.sh from Github - wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
  4. Install to /usr/local/share/acme.sh/
  5. Install the community package SynoCli Network Tools
  6. Run /usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa  --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt
  7. Set SYNO_Username, SYNO_Password
  8. /usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
  9. Add a Task Scheduler entry to run /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ frequently. step-ca defaults to 24 hours, so every 4 hours should ensure the certificate stays updated.