Using MiaB to validate a Let's Encrypt certificate for a home server


#1

Hi there!

I have some devices at home (NAS, web server with 2 subdomains, …) where I need an SSL certificate for the same domain as I'm using at MiaB. Until now I updated my wildcard certificate using the DNS-manual method, and my MiaB DNS server managed the A and TXT records.

Now I'm asking myself whether it's maybe possible to use MiaB's own validation service for the SSL certificate I'd like to create for my home server. Is it possible? What method is used by MiaB? An HTTP server?

Maybe it’s even somehow possible to use DNS-NSupdate / RFC2136?


#2

Nobody who could help me?


#3

Is there a reason you wouldn’t just run Let’s Encrypt on those servers to create the certificates needed? It seems bringing the MIAB box into the equation unnecessarily complicates things.


#4

I am not understanding clearly from your initial post … are you stating that you have had a wildcard cert issued to your MiaB box?

Or are you wanting the DNS cert for your home devices to be the same subdomain as your box …

Please rephrase so it is understood EXACTLY what you want to achieve.


#5

Local, not internet accessible, perhaps? I have no clue which is why I asked the OP for clarification.


#6

I was looking a while ago into Let's Encrypt DNS challenges. I haven't had time to test this out, but I came across this:

https://github.com/EnigmaBridge/certbot-external-auth

You will have to write a script to take certbot's challenge and push it to Mail-in-a-Box through the DNS API, as it appears no one has written a Mail-in-a-Box hook yet.
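A hook of the kind described in the post above, as an added example that is not code from the thread, from the certbot-external-auth plugin, or from Mail-in-a-Box. It uses certbot's built-in `--manual-auth-hook` / `--manual-cleanup-hook` rather than the plugin, and the box hostname, the login and the `MIAB_*` variable names are assumptions chosen here. The endpoint shape is the one the admin panel's Custom DNS page documents (POST/PUT/DELETE on `/admin/dns/custom/<name>/<type>`, admin login as HTTP basic auth, record value as the request body); check it against the API text shown on your own box before relying on it.

```python
#!/usr/bin/env python3
"""certbot manual hook that publishes the DNS-01 challenge through the
Mail-in-a-Box custom DNS API (added example, not code from the thread or
from Mail-in-a-Box).

Assumed invocation (certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION
to manual hooks):

  certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook    "python3 miab_hook.py auth" \
      --manual-cleanup-hook "python3 miab_hook.py cleanup" \
      -d example.com -d '*.example.com'

Assumed environment (names chosen for this example):
  MIAB_BOX       hostname of the box, e.g. box.example.com
  MIAB_USER      admin login used for the API
  MIAB_PASSWORD  its password
  MIAB_DNS_WAIT  seconds to wait after publishing (default 30)
"""
import base64
import os
import sys
import time
import urllib.request


def challenge_name(domain: str) -> str:
    """DNS-01 looks up _acme-challenge.<domain>. certbot already hands
    '*.example.com' to the hook as 'example.com'; strip '*.' anyway so a
    hand-run test behaves the same."""
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".")


def api_url(box: str, domain: str) -> str:
    # Custom DNS endpoint shape from the admin panel:
    # /admin/dns/custom/<qname>/<rtype>
    return f"https://{box}/admin/dns/custom/{challenge_name(domain)}/txt"


def build_request(box, user, password, domain, value, method):
    """POST adds `value` as an additional TXT record; DELETE with a body
    removes only that value. PUT is avoided on purpose: certbot runs the
    auth hook once per name, and example.com plus *.example.com share the
    same _acme-challenge name, so a PUT for the second would overwrite the
    first before Let's Encrypt checks either."""
    if method not in ("POST", "DELETE"):
        raise ValueError("method must be POST or DELETE")
    req = urllib.request.Request(api_url(box, domain),
                                 data=value.encode(), method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def send(req: urllib.request.Request) -> str:
    """Perform the HTTP call and return the box's response body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def run(action, env=os.environ, send=send, sleep=time.sleep) -> str:
    """Entry point for both hooks. `send` and `sleep` are injectable so the
    logic can be exercised without a box."""
    method = {"auth": "POST", "cleanup": "DELETE"}[action]
    req = build_request(env["MIAB_BOX"], env["MIAB_USER"],
                        env["MIAB_PASSWORD"], env["CERTBOT_DOMAIN"],
                        env["CERTBOT_VALIDATION"], method)
    body = send(req)
    if action == "auth":
        # The box rewrites its zone after the call; give the CA's
        # resolvers a moment before certbot asks for validation.
        sleep(int(env.get("MIAB_DNS_WAIT", "30")))
    return body


if __name__ == "__main__":
    print(run(sys.argv[1]))
```

The credential this hook carries is the box's admin login, which can rewrite every record in every zone the box serves, so keep it in a root-only file sourced by the certbot unit rather than on the command line, and raise `MIAB_DNS_WAIT` if the CA reports the TXT record as missing.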


#7

@blinkingline & @alento
It's the easiest way for me to do it that way, because I'm not really an expert.

One of the devices which needs a certificate is my pfSense firewall. I think the only way of importing a certificate (besides the manual import via web UI) into pfSense is to create one via the LE package. Because I'm able to export that certificate to my Ubuntu server (using it for certain purposes), my pfSense is the only instance that creates a wildcard certificate, automatically exports it to my Ubuntu server and restarts all the processes to renew their certificates.
So by now I renew my certificates for any service I run at home via one click in the pfSense LE package. It's not that hard, but I was looking for an automated alternative.

I think the only automatic method to renew my certificates on my pfSense is a web server on the pfSense itself. But I'm afraid of running this method on my firewall. Then I'd better keep using the DNS manual update.

Finally, I thought that if MiaB is already running an LE validation service, I could maybe use it for my home solution as well to validate the same domain. But the deeper I try to inquire into LE's processes of renewing and validating, the more I think that it would be impossible with the existing solutions. Am I right?

@operations
Yes, that would be something like what I'm looking for. The pfSense LE package is offering external authentication services as well, but I don't know if it's possible to add custom entries. Anyway, I wouldn't be able to do this…


#8

Finally I found ACME-DNS (https://github.com/joohoi/acme-dns).
That is a really simple solution and seems to me to be one of the most secure options for automatic domain validation.

Before I started this topic, I didn't know much about how LE works in general. Now I understand it a little bit better, and it's clear to me that the way I wanted to solve my "problem" would not work. But this was a good start to learn something new :)
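The acme-dns arrangement the post above settles on, as an added example that is not code from the thread or from the acme-dns project. What makes it a tighter fit than handing the box's admin login to a hook is the delegation: MiaB keeps serving the zone and only carries one static `CNAME` from `_acme-challenge.<name>` to the acme-dns host, while the credential that lives on the home server can update exactly one TXT record there and nothing else. The acme-dns server name, the credential file path and the host names are assumptions chosen here; the `/register` and `/update` calls, the `X-Api-User` / `X-Api-Key` headers and the 43-character TXT rule are acme-dns's documented API.

```python
#!/usr/bin/env python3
"""certbot manual auth hook for acme-dns (added example, not code from the
thread or from the acme-dns project).

One-time setup, done by hand and assumed here:
  1. POST /register on the acme-dns server returns JSON with username,
     password, fulldomain and subdomain; save it as
     /etc/acme-dns/home.example.com.json (path chosen for this example).
  2. In the box's Custom DNS panel add one static record, built by
     cname_record() below:
       _acme-challenge.home.example.com  CNAME  <fulldomain>.

Hook invocation (CERTBOT_DOMAIN / CERTBOT_VALIDATION are set by certbot):
  certbot certonly --manual --preferred-challenges dns \
      --manual-auth-hook "python3 acme_dns_hook.py" -d home.example.com

No cleanup hook is needed: acme-dns keeps only the two most recent TXT
values for a subdomain and rotates older ones out on the next update.
"""
import json
import os
import sys
import urllib.request

# Assumed acme-dns instance and credential directory (not from the thread).
ACME_DNS_SERVER = os.environ.get("ACME_DNS_SERVER", "https://auth.example.net")
CRED_DIR = "/etc/acme-dns"


def bare_name(domain: str) -> str:
    """Strip a wildcard prefix and trailing dot; certbot already passes
    '*.home.example.com' to the hook as 'home.example.com'."""
    if domain.startswith("*."):
        domain = domain[2:]
    return domain.rstrip(".")


def cname_record(domain: str, fulldomain: str) -> tuple:
    """(name, type, value) of the delegation record to add in the box's
    Custom DNS, in the form the panel expects."""
    return ("_acme-challenge." + bare_name(domain), "CNAME",
            fulldomain.rstrip(".") + ".")


def build_update(server: str, creds: dict, validation: str):
    """acme-dns /update: JSON body {subdomain, txt}, credentials in headers.
    acme-dns rejects TXT values that are not exactly 43 characters, which
    is the length of the DNS-01 key authorization digest."""
    if len(validation) != 43:
        raise ValueError("DNS-01 validation strings are 43 characters")
    body = json.dumps({"subdomain": creds["subdomain"],
                       "txt": validation}).encode()
    req = urllib.request.Request(server.rstrip("/") + "/update",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Api-User", creds["username"])
    req.add_header("X-Api-Key", creds["password"])
    return req


def send(req: urllib.request.Request) -> dict:
    """Perform the call and decode the server's JSON reply."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def run(domain: str, validation: str, creds: dict, send=send) -> dict:
    """Publish the challenge for `domain` with the registration in `creds`.
    `send` is injectable so the logic can be exercised offline."""
    return send(build_update(ACME_DNS_SERVER, creds, validation))


if __name__ == "__main__":
    name = bare_name(os.environ["CERTBOT_DOMAIN"])
    with open(os.path.join(CRED_DIR, name + ".json")) as f:
        registration = json.load(f)
    print(run(name, os.environ["CERTBOT_VALIDATION"], registration))
```

Before the first issuance, confirm the delegation resolves from outside (`dig TXT _acme-challenge.home.example.com` should follow the CNAME to the acme-dns host); if the CNAME is missing, Let's Encrypt queries MiaB directly and finds no TXT record.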