I like my computery things to be encrypted. I could run my own CA [1, 2, 3] in my home lab, but I won’t use it often and most probably wipe the VM by accident ╮( ̄▽ ̄"")╭ .
Since I have only had positive experiences with Let’s Encrypt, I started to fiddle around with it at home. The Web UI I use most often is the one on my NAS. I could simply trust its self-signed cert, but I wanted the fuzzy and warm feeling of a secure lock icon in my browser.
Synology offers the Let’s Encrypt CA out of the box, but the verification uses an HTTP challenge. This in turn requires port 80 to be forwarded from the router to the NAS. I didn’t want to do this and remembered that a DNS challenge is also available.
To use the DNS challenge, I needed another client and went with acme.sh. Here is roughly how it goes:
- acme.sh talks to LE CA and requests a new certificate
- LE CA issues a token to acme.sh
- acme.sh creates a DNS TXT record like `_acme-challenge.nas.bdw.li` with a value derived from the token and other details
- LE CA checks the DNS record and gives the certificate creation process a go if the DNS record is valid
- acme.sh creates the certificate and removes the DNS record
- acme.sh switches the certificate in my NAS
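To make the "value derived from the token and other details" concrete, here is an added example (not acme.sh's or Let's Encrypt's code) that derives the TXT value the way RFC 8555 defines DNS-01 (SHA-256 of `token.thumbprint`, base64url) and checks an observed record the way the CA does; the account key and token are constructed sample values.

```python
# Added example: DNS-01 TXT value derivation and check (RFC 8555 section 8.4,
# RFC 7638 JWK thumbprint). The JWK and token below are constructed samples,
# not real Let's Encrypt account data.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted,
    no whitespace. Optional members such as 'alg' or 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Content of the _acme-challenge TXT record:
    base64url(SHA-256(token '.' thumbprint(accountKey)))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(fqdn: str) -> str:
    """A wildcard name is validated at the base label, so '*.' is stripped."""
    return "_acme-challenge." + fqdn.removeprefix("*.")


def validate_txt(observed: list[str], token: str, jwk: dict) -> bool:
    """What the CA does after acme.sh publishes the record: at least one
    TXT value at the challenge name must match the expected digest exactly."""
    expected = dns01_txt_value(token, jwk)
    return any(value == expected for value in observed)


# Constructed sample account key and token (not valid curve points, only
# used to show the derivation).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(challenge_record_name("*.bdw.li"), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```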
acme.sh was only able to modify the DNS records thanks to the community-maintained plugins for the various DNS providers.
The DNS challenge also allows creating wildcard certificates like *.bdw.li. I’m starting to like those, because then you won’t leave a trail of your DNS names somewhere.
Wait, isn’t something crucial missing? Yes, Split DNS! I am pointing certain public DNS names to private IPs within my home lab.
So, in my home lab nas.bdw.li resolves to 10.10.2.1 and when I access it, I’m greeted with a pretty Let’s Encrypt certificate.