{"id":1876,"date":"2023-11-16T09:39:40","date_gmt":"2023-11-16T14:39:40","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=1876"},"modified":"2023-11-16T09:39:40","modified_gmt":"2023-11-16T14:39:40","slug":"easy-wildcard-certificate-for-home-lab","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/virtualization\/easy-wildcard-certificate-for-home-lab\/","title":{"rendered":"Easy wildcard certificate for home lab"},"content":{"rendered":"\n

In my home lab I have a container running Nginx Proxy Manager (discussed in this previous post<\/a>). This proxy allows for friendlier host names and SSL for various services in the lab. Using a wildcard DNS record and wildcard SSL certificates makes for a super easy way to onboard new services.<\/p>\n\n\n\n

To get started, I first needed to pick a parent domain name to use for services. I already have a DNS zone for example.com<\/code> so I decided to put these services under apps.example.com<\/code>. To make this super easy to manage, I created a new domain under example.com with the name apps<\/code>. It has a single CNAME record of asterisk (*<\/code>) and the FQDN points to the host name of my container host. Screenshot of the DNS record from my Windows DNS server below:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

I then created a wildcard certificate for *.apps.example.com<\/code> from my internal CA. There are many ways to create a certificate signing request (CSR), but since I have a lot of Aria Suite products in the lab, I like using the Aria Suite Lifecycle > Locker > Certificates > Generate CSR button. This gives me a UI to populate the fields and kicks out a single file with both the CSR & private key. I use the CSR to generate a web server certificate from my internal CA, then download the base64 certificate. I edit the resulting .cer file and append my CAs public key to create a proper chain. Now that I have a certificate and private key, I can move into the Nginx Proxy Manager UI.<\/p>\n\n\n\n

From the Nginx Proxy Manager UI, I select the SSL Certificates tab. I add a new SSL certificate and populate the required fields, screenshot below:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

When I go to the Hosts > Proxy hosts tab I can now very easily add hosts with SSL capabilities. I no longer need to make a certificate for each service or even manually create DNS records. For example, lets say my internal IPAM solution needs a certificate. Instead of creating a ‘friendly’ DNS record and dedicated certificate, I can use this Nginx Proxy and wildcard certificate. We can simply add a new proxy host, enter a domain name such as ipam.apps.example.com<\/code>, enter the correct host\/port details, and select the correct certificate.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

On the SSL tab of the new host we can pick our wildcard.apps.example.com certificate and select force SSL.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Now when I browse to http:\/\/ipam.apps.example.com\/<\/a>, I’m automatically redirected to the secure version of the site:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

This does inject a new dependency — the Nginx Proxy Manager container needs to be running for me to reach these secure services — but in this case the container is running on a host that is typically online\/working.<\/p>\n","protected":false},"excerpt":{"rendered":"

In my home lab I have a container running Nginx Proxy Manager (discussed in this previous post). This proxy allows for friendlier host names and SSL for various services in the lab. Using a wildcard DNS record and wildcard SSL … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[9,4],"tags":[],"class_list":["post-1876","post","type-post","status-publish","format-standard","hentry","category-lab-infrastructure","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=1876"}],"version-history":[{"count":1,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1876\/revisions"}],"predecessor-version":[{"id":1883,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1876\/revisions\/1883"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=1876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=1876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=1876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}