TLS certificates for locally hosted webservices

Leo Huang

2024-04-08

networking

It’s 2024, and there’s generally no excuse for any website to be served over
HTTP instead of HTTPS. While SSL/TLS certificates used to be expensive and
difficult to manage, ever since Let’s Encrypt launched in 2016 it’s become
almost unnervingly simple to generate valid certificates for your own
websites for the exceedingly low price of Free.

But what about locally hosted websites? That is, websites that are hosted on
your local machine, or another machine on your LAN (Local Area Network).
These websites might be accessed via something like http://192.168.1.123:8093

There’s nothing terribly wrong about this; if you’re following tutorials to
set up your home lab, you’ll likely have a whole bunch of services that look
like this. But there are also several reasons why you might not want to
access them via HTTP and the LAN IP:

It’s kind of ugly and you’d like to be able to use a nicer name like
https://subdomain.mydomain.com
The “Not Secure” badge in the address bar upsets you
Sometimes your browser shows a big scary warning screen and you have to
click lots of buttons to proceed (yes, two buttons is lots)
You want to use modern web APIs that are restricted to secure contexts

Your connection is not private

Did you know that in Chrome, you can type thisisunsafe to get past this screen?

DNS

Just a quick note here about how to make something like https://subdomain.mydomain.com
point to your non-web-accessible server at 192.168.1.123.

It’s actually very simple - remember that DNS just resolves a domain name to an IP address.
While it may be better to run your own local DNS server,
there’s really nothing stopping you from using something like Cloudflare DNS
to let the whole world know that some domain should resolve to a local IP.

It doesn’t make your local LAN any more accessible to the outside internet.

HSTS preload list

By the way, there’s another reason why you might need a TLS certificate.
Originally, I was happy to just set up DNS and access my sites via HTTP.

But there’s this thing called the HSTS preload list
which is hard-coded into modern browsers. Any domain that appears on this
list is forced to upgrade to HTTPS, even if it was originally accessed via
HTTP and the webserver didn’t request an upgrade.

The surprising part is that Google added all of the TLDs that it owns
to the HSTS preload list.
This means that if you have a .dev or a .you domain or any of the other
50+ TLDs that Google owns, you literally must have a valid TLS certificate
for your websites.

All .dev domains are preloaded

Thanks Google. I mean, it's a good thing, but still...

Standard Let’s Encrypt setup

The problem is that the most stock-standard method of deploying Let’s Encrypt
certificates requires that your website is accessible to the public internet,
so that Let’s Encrypt’s servers can access a file on your webserver and prove
that you have control over that webserver. The process looks something like this:

You install certbot on your webserver, which automates the whole process
certbot puts a file on your webserver which contains a special token,
making it accessible at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>
Let’s Encrypt’s servers access that file, verifies its authenticity, and
issues you a certificate
certbot can even update your webserver configuration to use this
certificate to properly handle TLS termination

This is called the HTTP-01 challenge, and you can issue a certificate for a
particular domain using this method. The main benefit is that the entire
process is entirely automated, since certbot can modify your webserver
to pass the challenge. It can even handle renewals, which is amazing.

Some sub-optimal workarounds

Temporarily make your local webserver public accessible

After letting certbot and Let’s Encrypt complete the HTTP-01 challenge
successfully, you could turn off your port forwarding and you would have a
valid certificate…for 90 days. Have fun doing that every 90 days for
certificate renewal, not to mention how icky is feels to have your private
webservers open to attack, even temporarily.

Be your own Certificate Authority

Instead of letting Let’s Encrypt or some other recognised CA sign your
certificates, you could become your own CA and sign certificates for your
services. But this means that every device that you want to use with your
services has to recognise your new CA by installing the CA root certificate
on it.

Good luck doing that for your computer(s), mobile devices, your spouse’s
devices, any guests that come over…

Confusing advice out there

The main reason I wrote this post is because it’s surprisingly difficult to
find the (really quite simple) solution to this problem. There’s even a
page from
the official Let’s Encrypt website that talks about certificates for
localhost that
seems relevant and is often linked to, but really isn’t.

That page talks about the very specific case about a native app deployed
alongside a webserver to be run on localhost, and the difficulties of
getting a valid certificate issued in this case.

DNS-01 challenge

The DNS-01 challenge is
another method of proving ownership of a domain to issue a certificate. In
fact, it’s actually a stronger proof than the HTTP-01 challenge because it
proves that you own the entire domain (including all sub-domains), instead
of just a single domain name. This means you can issue wildcard certificates
(eg, for *.mydomain.com).

The beauty of this challenge type is that it doesn’t require your webserver
to be publicly accessible; instead you need to add a special record to a TXT
entry on your DNS server to prove ownership.

It’s no secret that this challenge type exists. It’s just rarer - perhaps
because it comes with the somewhat-significant downside of needing to store
API keys for your DNS provider on your webserver to allow certbot to
automate the challenge. Additionally, your DNS provider actually
needs to have API support for creating DNS records. Cloudflare is, once
again, fantastic on this front (and free for simple use cases like ours).

Of course, because our webserver is local and not accessible to the internet,
the attack surface is much reduced and keeping API credentials on the webserver
probably isn’t a big deal.

Putting it all together

Here’s the setup I ended up with:

DNS records that all resolve to the same local IP address on Cloudflare
(because I haven’t gotten around to setting up a local DNS server yet)
An nginx reverse proxy at that IP, which looks
at the Host header and forwards traffic to other local webservices
Certbot set up alongside nginx to automate TLS certificate renewals using
the DNS-01 challenge

I’m running nginx in a Docker container because
it makes everything so easy. I even found an off-the-shelf container that
already has nginx and certbot set up. Here’s the docker compose file:

services:
  nginx:
    # https://github.com/JonasAlfredsson/docker-nginx-certbot
    image: jonasal/nginx-certbot:5.0.1
    container_name: nginx
    restart: 'unless-stopped'
    volumes:
      # The final certificates are stored here
      # You must also provide your DNS provider's API key as a file here
      # See https://github.com/JonasAlfredsson/docker-nginx-certbot/blob/master/docs/certbot_authenticators.md
      - ./letsencrypt:/etc/letsencrypt
      # Makes it easy to configure nginx
      - ./conf.d:/etc/nginx/conf.d
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CERTBOT_EMAIL=<your email>
      # Tells cerbot to use DNS-01, specifically with Cloudflare
      - CERTBOT_AUTHENTICATOR=dns-cloudflare

Here’s the nginx config:

server { 
    # Listen to port 443 on both IPv4 and IPv6. 
    listen 443 ssl; 
    listen [::]:443 ssl; 
 
    # Domain names this server should respond to 
    server_name subdomain.mydomain.com; # certbot_domain:*.mydomain.com 
 
    # Load the certificate files 
    ssl_certificate         /etc/letsencrypt/live/wildcard.mydomain.com.dns-cloudflare/fullchain.pem; 
    ssl_certificate_key     /etc/letsencrypt/live/wildcard.mydomain.com.dns-cloudflare/privkey.pem; 
    ssl_trusted_certificate /etc/letsencrypt/live/wildcard.mydomain.com.dns-cloudflare/chain.pem; 
 
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem; 
 
    proxy_http_version 1.1; 
    proxy_set_header   Upgrade $http_upgrade; 
    proxy_set_header   Connection $http_connection; 
    proxy_set_header   Host $http_host; 
    proxy_set_header   X-Real-IP $remote_addr; 
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
    proxy_set_header   X-Forwarded-Proto $scheme; 
 
    location / { 
        proxy_pass http://192.168.1.123:9876; 
    } 
}

Note the special # certbot_domain:*.mydomain.com comment. This is a hint
that the scripts in this particular Docker image understand, so that they’ll
ask certbot to use this domain and issue a wildcard certificate instead of
using the server_name and generating a certificate for each subdomain. See
the issue
and the docs
and the example.

The scripts actually automatically add those ssl_* directives. It’s pretty
neat.

After this simple config, you can now access https://subdomain.mydomain.com
and everything works perfectly.