Computing/Running my own CA

From Cricalix.Net
Revision as of 08:25, 24 September 2023 by Cricalix (talk | contribs)
  1. Use step-ca in docker on Synology NAS, mapping through port 9000:9000
  2. Add the acme provider per the docs
    1. SSH to the host
    2. docker -it smallstep-step-ca-1 /bin/bash
    3. step ca provisioner add acme --type ACME --x509-default-dur 730h # 1 monthish
  3. Export out the root CRT file, will need it for trust everywhere
    1. certs/root_ca.crt

HomeAssistant

  1. Update the http config to allow trusted reverse proxies
  2. Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
  3. Add a Caddyfile that specifies the local CA
  4. Ensure the Caddyfile points to the exported CA certificate in somewhere like /config
  5. Start Caddy2 and it should successfully retrieve a certificate
Working Caddyfile
homeassistant.home.arpa {
	reverse_proxy homeassistant:8123
	tls ca@home.arpa {
		ca https://vault.home.arpa:9000/acme/acme/directory
		ca_root /ssl/ca.pem
	}
}
Working configuration.yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.194  # whatever the homeassistant box resolves to

Synology

To add TLS/SSL to the NAS itself,

  1. Copy the cert to /var/db/ca-certificates, named .crt, 0644
  2. Run update-ca-certificates.sh
  3. Grab acme.sh from Github - wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
  4. Install to /usr/local/share/acme.sh/
  5. Piggyback on the DSM Let's Encrypt setup in nginx, and run /usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa  --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt
  6. Set SYNO_Username, SYNO_Password
  7. /usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
  8. Add a Task Scheduler entry to run /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ frequently. step-ca defaults to 24 hours, so every 4 hours should ensure the certificate stays updated. With a 1 month renewal, this could be weekly.


Paths taken, but reversed

  1. Use the letsencrypt add-on for HA, and specify the CA crt in the configuration. Have to apply https://github.com/home-assistant/addons/issues/2713's fix or things fail with error code 6.
  2. Use the step-client add-on for HA. This got the root CA crt copied over, but didn't help with anything else really. Easier to just copy the certificate by hand.
Retrieved from ‘https://wiki.cricalix.net/index.php?title=Computing/Running_my_own_CA&oldid=50