  • After tinkering for a few days I think I finally found the best compromise for my setup.

    I’m using my public DNS (at cloudflare) to deploy the DNS challenge txt entries, to then issue certs using cert-manager and certbot.

    This is security wise not the best solution because all these DNS entries are public, so mapping my internal infrastructure would be somewhat possible, but since it’s a homelab I’m not too concerned about this attack vector.
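The setup described in the comment above, as an added example that is not part of the original post: a cert-manager ClusterIssuer that completes the ACME DNS-01 challenge by writing TXT records into a Cloudflare-hosted zone, plus one wildcard Certificate. The zone name homelab.example, the e-mail address and the Secret names are assumptions; the API token is a placeholder.

```yaml
# Added example, not from the original post. Assumed names: the zone
# homelab.example, the Secret "cloudflare-api-token" (holding a token
# scoped to Zone:DNS:Edit for that zone only), and the resource names below.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <REPLACE-WITH-ZONE-SCOPED-CLOUDFLARE-API-TOKEN>
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@homelab.example
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
        # Restrict this solver to the homelab zone so the token is never
        # used for any other domain on the same Cloudflare account.
        selector:
          dnsZones:
            - homelab.example
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-homelab
  namespace: default
spec:
  secretName: wildcard-homelab-tls
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  # One wildcard name: the only challenge record ever published is
  # _acme-challenge.homelab.example, and no per-host names end up in
  # public DNS or in Certificate Transparency logs.
  dnsNames:
    - "*.homelab.example"
```

Requesting a single wildcard instead of one certificate per service is the cheapest way to limit the infrastructure-mapping exposure mentioned above, since neither the TXT records nor the CT log entries then name individual internal hosts.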


  • I have considered this as the most viable of all my options. But there's still the issue with distributing my root certs to my mobile devices.

    On the other hand, I have a freeIPA server running - for DNS and LDAP - that could theoretically also act as a CA, so I could generate my own certs and import the root cert on my devices. That’s nice for desktops and laptops, but with mobile devices, this seems like a lot of tinkering, which - again - I’d like to avoid.


  • Use vault as a CA; it supports the ACME protocol for cert-manager and is quite easy to use. The documentation is straightforward.

    I have considered this, but this brings me back to same issue as with FreeIPA:

    On the other hand, I have a freeIPA server running - for DNS and LDAP - that could theoretically also act as a CA, so I could generate my own certs and import the root cert on my devices. That’s nice for desktops and laptops, but with mobile devices, this seems like a lot of tinkering, which - again - I’d like to avoid.

    I’d have to roll my certs out to all my mobile devices, which doesn’t sound fun at all.