this post was submitted on 04 Oct 2023
0 points (NaN% liked)

Selfhosted

40183 readers
700 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey everyone,

Just a quick question, let's encrypt, what is it and how can I take advantage of its services?

For a bit of background I'm trying to setup KanIDM and the need for a ca certificate is needed, I was told to use let's encrypt to create it.

Just looking for knowledge.

Thanks!

top 7 comments
sorted by: hot top controversial new old
[–] [email protected] 0 points 1 year ago (1 children)

I'm going to cast another vote for a reverse proxy, such as NginxProxyManager. It's really easy to set everything up, and they're usually very easy to run in Docker/Podman.

One thing to note: if you end up with a domain with mandatory HSTS, you'll have to use DNS-based certificate generation rather than HTTP based, since unencrypted HTTP is blocked (chicken/egg problem to get HTTPS working). It's not hard, but you have to be aware of that limitation.

[–] [email protected] 1 points 1 year ago

As someone that used Nginx for close to decade, Caddy is about 10x simpler with the same features. It takes a bit to wrap your head around if you're used to coming from an "old-school" webserver and proxy like Apache or Nginx though. One of the greatest things about Caddy is that it does SSL by default, so there's no need to have stanzas in each section saying "listen on 80 and 443, but if you get a connection on 80 redirect it to 443" and another one saying "enable SSL for this (sub)domain". Creating a reverse proxy in Caddy literally takes three lines and consists of FQDN { reverse_proxy internal-endpoint-name:portNumber }

[–] [email protected] 0 points 1 year ago (1 children)

Use Caddy as a web server and forget about setting up certificates forever. This masterpiece will take care of it.

[–] [email protected] 1 points 1 year ago (1 children)

Kanidm wants to directly have access to the letsencrypt cert. It refuses to even serve over HTTP, or put any traffic over it since that could allow potentially bad configurations. It has a really stringent policy surrounding how opinionated it is about security.

[–] [email protected] 0 points 1 year ago (1 children)

Do they know about reverse proxies?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Yeah. There's reasoning for why they do it on their docs, but the reasoning iirc is kanidm is a security critical resource, and it aims to not even allow any kind of insecure configuration. Even on the local network. All traffic to and from kanidm should be encrypted with TLS. I think they let you use self signed certs though?

[–] [email protected] -1 points 1 year ago* (last edited 1 year ago)

I don't know KanIDM specifically so take this with a grain of salt.

Let's Encrypt only provides server certificates. The kind used to secure a connection (HTTPS, IMAPS, etc). KanIDM might require a Certificate Authority (CA) certificate to issue Client Certificates (used for authentication like MIME-S, WPA Enterprise, etc). Let's Encrypt cannot be used for this purpose.