this post was submitted on 14 Sep 2024
Firefox
/c/firefox
A place to discuss the news and latest developments on the open-source browser Firefox.
IMO it's easiest to just use a real domain for your local network. For example, I use subdomains of int.example.com, where example.com is my blog. Then, you can get Let's Encrypt or ZeroSSL certificates for all the hosts. Systems do not need to be accessible over the internet - you can use an ACME DNS challenge instead of an HTTP one. Use something like certbot or acme.sh and renewals will be automated.
The only cost is for one domain, and some TLDs are less than $5/year. Check tld-list.com and sort by renewal price, not registration price (as some are only cheap for the first year).
So you get a wildcard cert for the public domain, and only go one level deep on your LAN, reusing the wildcard cert? That's a pretty cool trick.
I use a wildcard cert in some places, but most of them are individual certs. You can have multiple ACME DNS challenges on a single domain, for example _acme-challenge.first.int.example.com and _acme-challenge.second.int.example.com for first.int.example.com and second.int.example.com respectively. The DNS challenge just makes you create a TXT record at that _acme-challenge subdomain. Let's Encrypt follows CNAMEs and supports IPv6-only DNS servers, so I'm using some software called "acme-dns" to run a DNS server specifically for ACME DNS challenges. It's just listening on an IPv6 address in one of my VPS /64 IPv6 ranges.

This is the way to do it - actual valid certs, with actual working TLS.
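The per-host delegation described in the comment above, as an added example that is not part of the thread: each host's _acme-challenge name is CNAMEd into a zone served by acme-dns, and a validator chases the CNAME chain to the TXT record. The acme-dns zone name, the label derivation and the zone contents are constructed for illustration.

```python
# Added example (not from the thread): models the per-host ACME dns-01 layout
# the comment describes. Each host's _acme-challenge name is CNAMEd into a
# zone served by acme-dns; the validator follows the CNAME chain and reads
# the TXT record there. Zone names and contents below are constructed.
from __future__ import annotations

MAX_CNAME_HOPS = 8  # bound the chase so a CNAME loop fails instead of spinning

def challenge_name(host: str) -> str:
    """Name an ACME dns-01 validator queries for a given hostname."""
    return "_acme-challenge." + host.rstrip(".").lower()

def delegation_records(hosts: list[str], acme_dns_zone: str) -> dict[str, str]:
    """One CNAME per host: challenge name -> a label inside the acme-dns zone.
    The label derivation is hypothetical; acme-dns itself hands out a random
    subdomain per registration."""
    return {challenge_name(h): h.replace(".", "-") + "." + acme_dns_zone for h in hosts}

def resolve_txt(zone: dict[str, dict[str, str]], name: str) -> tuple[str, str | None]:
    """Follow CNAMEs from `name` the way a validator does and return
    (final_name, txt); txt is None when nothing is found or the chain is too long.
    `zone` maps an owner name to {"CNAME": target} or {"TXT": value}."""
    current = name
    for _ in range(MAX_CNAME_HOPS):
        rr = zone.get(current, {})
        if "TXT" in rr:
            return current, rr["TXT"]
        if "CNAME" not in rr:
            return current, None
        current = rr["CNAME"]
    return current, None

def delegated_ok(zone: dict[str, dict[str, str]], host: str, acme_dns_zone: str) -> bool:
    """True only if the chase ends at a TXT record inside the acme-dns zone."""
    final, txt = resolve_txt(zone, challenge_name(host))
    return txt is not None and final.endswith("." + acme_dns_zone)

# Constructed sample: a hypothetical acme-dns zone plus the two hosts from the thread.
ACME_DNS_ZONE = "acme.example.net"
HOSTS = ["first.int.example.com", "second.int.example.com"]
SAMPLE_ZONE = {n: {"CNAME": t} for n, t in delegation_records(HOSTS, ACME_DNS_ZONE).items()}
SAMPLE_ZONE["first-int-example-com." + ACME_DNS_ZONE] = {"TXT": "constructed-token-1"}
# second.int.example.com has its CNAME but no TXT yet: validation would fail.

if __name__ == "__main__":
    for h in HOSTS:
        print(h, "ok" if delegated_ok(SAMPLE_ZONE, h, ACME_DNS_ZONE) else "FAIL")
```

Running the same chase against real DNS (a dig for TXT at the _acme-challenge name) before the first certbot or acme.sh run catches a missing or looping CNAME without burning Let's Encrypt rate limits.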
OP's issue is they don't understand how SSL works and are fighting Firefox, which is actually trying to protect them and steer them in the right direction.