Home lab/network - ‘best practices’

[SomeHandleThatStartsWithS]

So, like a lot of you I’ve got a home lab and a slightly more advanced network configuration than most homes. I’ve been looking at throwing a certificate server on the network to eliminate all (or most) of the self signed certificate errors thrown up by Proxmox, my NAS, etc.

The thing is, I’m using an internal domain *.internal, to be precise. It seemed to be recommended best practice,except a lot of the “spin your own certificate server” articles (including Our own Lee Hutchinson ) uses Let’s Encrypt and an externally routable domain.

So, I could easily create a subdomain (to avoid split braining DNS) and do it that way, but before I go down that road, what is everyone’s recommendation for best practices these days?

 

[Deleted member 43669]

I find it easier to use Let's Encrypt. But honestly, I used to get internal certs for stuff not publicly accessible, but I stopped doing that. Too much effort.

If I started from scratch, actually I'd consider running my own DNS root for internal things.

 

[r0twhylr]

I'm thinking about it. In theory, I might get around to it later this year.

In reality, my lab has been frustrating the hell out of me lately, and every simple thing I try to do takes way longer than I expect. Hence low-priority things like certs are way down the list and probably won't happen any time soon.

On the bright side however, I have a new host on the way ... 2 x 24 core Platinum Xeons, 768Gb RAM.

 

[waqar]

easy-rsa is a eh easy.

 

[steelghost]

I'm just using PiHole to give me DNS A-records for the stuff I have internally. Then I'm using Let's Encrypt on my most used hosts; Proxmox, Pihole, Home Assistant. Beyond that, eh, not sure how much effort I'm prepared to go to really.

 

[Evie__Rivka]

I'm way more lazy than you all, I just run a non-normal subnet address internally for DHCP and rely on my pfsense router with some 3rd party patches like pfblocker and pihole. What advantages do you get rolling your own certificates? For connecting to my machines away from the house I use tailscale with an end-node at my router.

 

[r0twhylr]

I'm way more lazy than you all, I just run a non-normal subnet address internally for DHCP and rely on my pfsense router with some 3rd party patches like pfblocker and pihole. What advantages do you get rolling your own certificates? For connecting to my machines away from the house I use tailscale with an end-node at my router.

Makes some things easier and/or work better. For instance, if you're toying with vSphere (I'll pause a moment so the boos and hissing can quiet down), it's less annoying when you try to log into the web management GUI. And if you're trying to upload files to a datastore or content library in vCenter (pauses again), it's way easier and less prone to breakage.

 

[steelghost]

Yeah there's various things in Proxmox (specifically if you're using their Backup Server) that are clicker / easier if you've got "proper" certificates installed. The log on for PiHole is easier to use.

None of these things are amazing per se, but equally, setting up certs is not usually very hard, particularly for tools like Proxmox where the plumbing is all in place already and its just a matter of filling in a few fields.