this post was submitted on 04 Oct 2023
39 points (88.2% liked)

Selfhosted

39987 readers
963 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey everyone,

Just a quick question, let's encrypt, what is it and how can I take advantage of its services?

For a bit of background I'm trying to setup KanIDM and the need for a ca certificate is needed, I was told to use let's encrypt to create it.

Just looking for knowledge.

Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] alado@lemmy.world 13 points 1 year ago (4 children)

Use Caddy as a web server and forget about setting up certificates forever. This masterpiece will take care of it.

[–] pete_the_cat@lemmy.world 5 points 1 year ago

I had been using Nginx and LetsEncrypt for years and while it worked well most of the time, sometimes it was a bit of a pain, especially due to the verbosity of the Nginx config file. I was using both of them in docker containers and that requires you to have 3 specific environmental variables set for each container.

I tried using Traefik, and while concise, it was still a bit confusing.

I finally decided to give Caddy a try a few months back after hearing about it for years. I'm disappointed that I didn't try it sooner because it's so freaking simple to use. I rewrote my entire docker-compose file to use it because it's that simple. I love how it takes literally 3 lines to create a SSL secured reverse proxy.

[–] IAm_A_Complete_Idiot@sh.itjust.works 3 points 1 year ago (1 children)

Kanidm wants to directly have access to the letsencrypt cert. It refuses to even serve over HTTP, or put any traffic over it since that could allow potentially bad configurations. It has a really stringent policy surrounding how opinionated it is about security.

[–] lemmyvore@feddit.nl 1 points 1 year ago (1 children)

Do they know about reverse proxies?

[–] IAm_A_Complete_Idiot@sh.itjust.works 1 points 1 year ago* (last edited 1 year ago)

Yeah. There's reasoning for why they do it on their docs, but the reasoning iirc is kanidm is a security critical resource, and it aims to not even allow any kind of insecure configuration. Even on the local network. All traffic to and from kanidm should be encrypted with TLS. I think they let you use self signed certs though?

[–] fraydabson@sopuli.xyz 2 points 1 year ago (2 children)

Love caddy. Took a little bit for me to understand but it’s an amazing tool. I barely use a fraction of its capabilities.

[–] pete_the_cat@lemmy.world 4 points 1 year ago

I had been using Nginx for years until I finally switched to Caddy a few months ago, I'm disappointed in myself that I didn't check it out sooner lol. Caddy is to Nginx like what Nginx is to Apache.

I have like 15 reverse proxies setup and it takes the same amount of code that about 4 or 5 would take in Nginx.

[–] lettruthout@lemmy.world 3 points 1 year ago

Thanks for the feedback on Caddy. 'Will consider that for my next project.

[–] lettruthout@lemmy.world 2 points 1 year ago (1 children)

Thanks for mentioning Caddy. 'Will consider that for my next project.

[–] alado@lemmy.world 2 points 1 year ago

You're welcome :) If you have any questions, feel free to contact me.