I have a PC I have installed Portainer on, with various docker services (home assistant, jellyfin, etc.) with an ISP supplied router fixing various device IP addresses and reaching out to dyndns.
I really want to move everything over to HTTPS connections by supplying certificates, TLS termination, etc.
The issue I have is self-signed certificates mean I have to manage certificate deployment to everything in the house.
I figure I need to link a domain to the DynDNS entry and arrange certs for the domain. However I can’t make the link function and everywhere wants >£100 to generate a certificate.
How are people solving this issue?
- Cloudflare free tier
- Cloudflare wildcard cert (I use one domain with many subdomains)
- Docker container for dyndns to cf
- Nginx proxy manager
You can use Let’s Encrypt, or you can use certificates given by Cloudflare if you have a domain managed with Cloudflare itself.
Let’s Encrypt provides free certificates. I would set up Nginx Proxy Manager and use DNS challenge with your dyndns provider to get HTTPS on your home services.
My problem - and I’m not alone - is that I really don’t want to expose anything publicly. Is there a way to do this without exposing anything to the Internet?
You don’t have to expose Nginx publicly. It can exist privately on your network. I have my own domain and DNS server internally. For example, nginx.home.datallboy.com and jellyfin.home.datallboy.com will resolve to the NPM server at 192.168.1.10. Then nginx can listen for jellyfin.home.datallboy.com, and proxy those connections to my Jellyfin VM at 192.168.1.20.

Since I own my domain (datallboy.com), I let Nginx Proxy Manager do DNS challenge, which is only used to authenticate that I own the domain. This will insert a TXT record on public DNS records for verification, and it can be removed afterwards. Let’s Encrypt will then issue a certificate for https://jellyfin.home.datallboy.com which I can only access locally on my network since it only resolves to private IP addresses. The only thing “exposed” is that Let’s Encrypt issued a certificate to your domain, which isn’t accessible to the internet anyways.

You do not have to create your own CA server.